RunPress Security & Risk Analysis

The runpress plugin v1.4.2 exhibits a mixed security posture. On the positive side, the plugin has no known historical vulnerabilities (CVEs), which suggests a history of responsible development and maintenance. Furthermore, the static analysis indicates a small attack surface with no unprotected AJAX handlers or REST API routes, and a limited number of shortcodes and cron events. Taint analysis also shows no critical or high severity flows with unsanitized paths, and no dangerous functions are used.

However, there are significant concerns within the code's implementation. The plugin heavily relies on SQL queries without utilizing prepared statements, a practice that exposes it to a high risk of SQL injection vulnerabilities. Compounding this, the output escaping is exceptionally poor, with only 3% of outputs being properly escaped, indicating a severe risk of Cross-Site Scripting (XSS) vulnerabilities. The complete absence of nonce checks and capability checks for its entry points is also a major security weakness, allowing unauthorized users to potentially trigger plugin functionalities. The presence of the DataTables library, if not managed and updated diligently, could also introduce risks if it's an outdated version.

In conclusion, while the plugin benefits from a clean vulnerability history and a controlled attack surface, the lack of prepared statements for SQL queries and the pervasive lack of output escaping create substantial security risks. The absence of nonce and capability checks further exacerbates these issues. The plugin requires immediate attention to address these fundamental security flaws to mitigate the significant XSS and SQL injection potential.