Simple Price Calculator Security & Risk Analysis

The plugin exhibits a mixed security posture. On the positive side, the static analysis shows no dangerous functions, no raw SQL queries, no file operations, and no external HTTP requests. This indicates a good effort to avoid common web vulnerabilities. However, there are significant concerns regarding output escaping, with only 33% of outputs properly escaped, which could lead to Cross-Site Scripting (XSS) vulnerabilities. Furthermore, the complete absence of nonce checks and capability checks across all entry points, including the single shortcode, is a major weakness, leaving the plugin highly susceptible to Cross-Site Request Forgery (CSRF) attacks. The vulnerability history reveals a past medium-severity vulnerability of "Missing Authorization", which aligns with the current lack of capability checks. The presence of a currently unpatched medium-severity CVE from September 2025 is a critical concern, highlighting an ongoing risk. While some code practices are strong, the lack of authorization and nonce checks, coupled with unpatched vulnerabilities and poor output escaping, present a substantial security risk.