Display custom fields in the frontend – Post and User Profile Fields Security & Risk Analysis

The plugin "shortcode-to-display-post-and-user-data" version 1.3.0 exhibits a mixed security posture. On the positive side, static analysis shows no dangerous functions, all SQL queries use prepared statements, and output escaping is robust with 88% properly handled. The attack surface is limited to a single shortcode, with no unprotected entry points identified. Taint analysis also shows no critical or high-severity vulnerabilities, indicating a lack of immediately exploitable code injection or path traversal flaws in the analyzed flows.

However, significant concerns arise from the plugin's vulnerability history. Four known CVEs have been recorded, with a prevalence of medium-severity issues and a history including authorization bypass, cross-site scripting, code injection, and missing authorization. While there are currently no unpatched CVEs, this pattern suggests a history of recurring security weaknesses. The absence of nonce checks, despite the presence of capability checks, is another point of concern, as it could potentially be leveraged in conjunction with other vulnerabilities or in specific attack scenarios, particularly if the shortcode's functionality is complex or handles sensitive data without proper session validation.