SiteNarrator Text-to-Speech Widget Security & Risk Analysis

The 'sitespeaker-widget' v1.9 plugin exhibits a mixed security posture. On the positive side, the static analysis reveals a very small attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events, and crucially, none of these entry points are unprotected. The plugin also exclusively uses prepared statements for its SQL queries, which is a strong security practice. However, a significant concern is the complete lack of output escaping. With 5 total outputs identified and 0% properly escaped, this presents a high risk of Cross-Site Scripting (XSS) vulnerabilities, allowing attackers to inject malicious scripts into web pages. The plugin also makes external HTTP requests without apparent security checks, which could be exploited if the target endpoint is compromised or manipulated.

The vulnerability history for this plugin is a major red flag. With one currently unpatched medium severity CVE, and a history of Cross-Site Scripting vulnerabilities, it indicates a recurring pattern of insecure input handling. The fact that the last vulnerability was recorded in the near future (2025-09-22) also suggests potential issues with the maintenance or security patching process. While the plugin has strengths in its limited attack surface and SQL practices, the prevalent output escaping issues and the unpatched XSS vulnerability create a considerable risk for WordPress sites using this plugin.