Philantro – Donations and Donor Management Security & Risk Analysis

The "philantro" plugin version 5.4.1 exhibits a mixed security posture. On the positive side, the static analysis reveals a lack of dangerous functions, no file operations, no external HTTP requests, and all SQL queries are properly prepared, indicating good practices in these areas. However, there are significant concerns regarding output escaping, with only 60% of outputs being properly escaped, leaving the remaining 40% potentially vulnerable to Cross-Site Scripting (XSS) attacks. Furthermore, the plugin has a history of two medium-severity Cross-Site Scripting vulnerabilities, with the most recent occurring in early 2025. Although currently patched, this history suggests a recurring weakness in input sanitization and output encoding practices, which aligns with the observed partial output escaping.

The plugin's attack surface is primarily driven by 14 shortcodes, none of which are explicitly flagged as unprotected in the static analysis. However, the absence of explicit nonce and capability checks for these entry points is a significant concern, as it implies that any user, regardless of their role or authentication status, could potentially trigger actions via these shortcodes. This lack of access control, combined with the potential for unescaped output, creates a notable risk profile. While the absence of critical taint flows is reassuring, the documented history of XSS vulnerabilities and the observed lack of comprehensive output escaping and access control on shortcodes indicate that the plugin requires further security hardening to mitigate these risks effectively.