Contact Info Widget Security & Risk Analysis

The "simple-contact-info-widget" plugin v2.6.2 presents a mixed security posture. While the static analysis shows a zero attack surface with no direct entry points like AJAX handlers, REST API routes, or shortcodes without authentication, and all SQL queries utilize prepared statements, there are significant concerns. The presence of the dangerous `create_function` and a very low percentage of properly escaped output (16%) are major red flags, indicating potential for cross-site scripting (XSS) vulnerabilities. The absence of nonce checks and capability checks further exacerbates these risks, as it implies that even if data is processed, it might not be adequately protected against unauthorized or malicious manipulation.

The plugin's vulnerability history, specifically one known medium-severity CVE related to cross-site scripting, reinforces the concerns raised by the code analysis. The fact that this vulnerability is currently unpatched and the last reported vulnerability was in the future (2025-08-17, likely a typo in the provided data, but it still indicates a recent or ongoing issue) suggests a pattern of security weaknesses that may not be actively addressed. Despite the positive aspects of secure SQL handling and no file operations or external HTTP requests, the identified code signals and historical vulnerabilities point to a plugin that requires careful attention and remediation to mitigate risks to users.