Progress Planner Security & Risk Analysis

The progress-planner plugin, version 1.9.0, presents a mixed security posture. On the positive side, the static analysis reveals a seemingly small attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events that are exposed without authentication or permission checks. This suggests a conscious effort to limit entry points. However, the code signals raise significant concerns. A striking 100% of output operations are not properly escaped, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities where user-supplied data can be injected into web pages. While most SQL queries use prepared statements, the lack of any capability checks or nonce checks on the limited entry points is a critical oversight. The plugin's vulnerability history, with three known CVEs including one high-severity issue related to missing authorization and XSS, reinforces these concerns. The last known vulnerability occurred recently, suggesting ongoing security challenges.

While the absence of critical taint analysis findings and the high percentage of prepared SQL statements are positive indicators, the prevalence of unescaped output and the absence of essential security checks like nonces and capability checks are serious weaknesses. The historical pattern of missing authorization and XSS vulnerabilities, combined with the recent discovery of such issues, implies that developers may struggle with secure coding practices. Therefore, despite a small apparent attack surface, the plugin's internal code quality regarding output sanitization and authorization is a significant concern. Users should exercise caution and consider alternatives if these vulnerabilities are not promptly addressed.