SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels) Security & Risk Analysis

The static analysis of slingblocks v1.7.0 reveals a generally good security posture regarding common web application vulnerabilities. The absence of exposed AJAX handlers, REST API routes, shortcodes, and cron events without authentication checks significantly limits the plugin's attack surface. The code also demonstrates strong practices by using prepared statements for all SQL queries and properly escaping a high percentage of its outputs. Furthermore, the lack of file operations, external HTTP requests, and identified taint flows with unsanitized paths are positive indicators.

However, the vulnerability history presents a notable concern. With a total of 3 known CVEs, all of which are medium severity and related to Cross-site Scripting (XSS), this indicates a recurring pattern of input sanitization issues. The fact that the last vulnerability was reported in the future (2025-08-20) is likely a data anomaly, but the historical trend of XSS vulnerabilities is a significant weakness. While the current version has no unpatched CVEs, this history suggests a potential for similar vulnerabilities to be introduced if input handling is not meticulously reviewed.

In conclusion, slingblocks v1.7.0 benefits from a small attack surface and good coding practices in areas like SQL and output escaping. The primary area of concern lies in its past vulnerability history, specifically the recurring XSS issues. While the current version appears clean, the historical pattern warrants vigilance regarding input validation and sanitization in future development or updates.