Per Post Language Security & Risk Analysis

The "per-post-language" v1.3 plugin exhibits a generally good security posture based on the provided static analysis. The absence of AJAX handlers, REST API routes, shortcodes, and cron events significantly limits the plugin's attack surface. The code signals also indicate a positive trend, with all SQL queries utilizing prepared statements and a substantial number of capability checks in place. The presence of a nonce check further strengthens its security by helping to prevent cross-site request forgery attacks.

However, the most significant concern lies in the output escaping. With only 13% of the 16 total outputs properly escaped, there is a high risk of cross-site scripting (XSS) vulnerabilities. Unsanitized user input that is later displayed to other users without proper encoding can lead to malicious scripts being injected into the website. The vulnerability history being clean is a positive indicator, but it does not negate the immediate risk posed by the inadequate output escaping.

In conclusion, while the plugin has a small attack surface and implements some good security practices like prepared statements and capability checks, the widespread lack of output escaping is a critical weakness that needs immediate attention. The clean vulnerability history is a positive sign, suggesting responsible development, but the current code presents a clear and present danger of XSS vulnerabilities.