Shortcode for Current Date Security & Risk Analysis

The "shortcode-for-current-date" plugin version 2.2.2 presents a mixed security posture. While it demonstrates good practices by not utilizing dangerous functions, performing all SQL queries with prepared statements, and avoiding file operations and external HTTP requests, several areas raise concern. The presence of an unprotected AJAX handler represents a significant entry point that could be exploited without proper authentication. Furthermore, the plugin exhibits a 50% rate of unescaped output, indicating a risk of Cross-Site Scripting (XSS) vulnerabilities, which aligns with its vulnerability history. The plugin has a history of two medium-severity CVEs, both related to XSS, with the last vulnerability discovered in July 2022. The absence of any unpatched vulnerabilities is positive, but the recurring XSS pattern combined with the unprotected AJAX handler suggests that inputs are not being handled with sufficient rigor. In conclusion, while the plugin has some strengths in its code handling, the unprotected entry point and unescaped outputs create tangible risks that need to be addressed.