Property Hive Stamp Duty Calculator Security & Risk Analysis

The property-hive-stamp-duty-calculator plugin version 1.0.28 exhibits a mixed security posture. On the positive side, the code does not utilize dangerous functions, all SQL queries are properly prepared, and there are no direct file operations or external HTTP requests, which are good security practices. The absence of taint analysis findings and zero unprotected entry points also suggest a level of diligence in sanitizing inputs and controlling access.

However, significant concerns arise from the lack of any capability checks or nonce checks. This means that even though the entry points are not exposed without authentication, the internal handling of these entry points might be vulnerable if an attacker can bypass or manipulate the user's session. The low percentage of properly escaped output (20%) is a critical weakness, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities, which aligns with its vulnerability history.

The plugin has a history of a known CVE, specifically related to Cross-Site Scripting, although it is currently patched. The presence of past XSS vulnerabilities, coupled with the low output escaping rate in static analysis, strongly suggests that XSS remains a persistent risk. While the current version may have fixed past CVEs, the underlying code practices regarding output sanitization are a major concern, leaving it susceptible to new XSS exploits.