Events Manager – Ongoing Events Security & Risk Analysis

The plugin "stonehenge-em-ongoing-events" v1.6.2 presents a mixed security posture. While the absence of known CVEs and critical taint flows is positive, the static analysis reveals significant areas of concern. A substantial portion of its attack surface, specifically all 6 AJAX handlers, lacks proper authentication checks. This opens the door for potential unauthorized actions or information disclosure if these handlers are accessible to unauthenticated users. Furthermore, while there are capability checks present, their coverage across all entry points is not guaranteed, especially with the unprotected AJAX handlers.

The code analysis also indicates that only 20% of SQL queries are prepared, suggesting a risk of SQL injection vulnerabilities if input is not meticulously sanitized before being used in these queries. The moderate rate of proper output escaping (63%) means there's a chance of cross-site scripting (XSS) vulnerabilities if dynamically generated content is not consistently escaped. The plugin's history of zero vulnerabilities, while a good sign, could also be a reflection of limited security auditing or testing rather than inherent robustness, especially given the identified code weaknesses.

In conclusion, the plugin has strengths in its lack of documented vulnerabilities and absence of critical taint flows. However, the unprotected AJAX endpoints and the high proportion of unprepared SQL queries represent serious potential risks that need to be addressed. The moderate output escaping also warrants attention. A proactive approach to securing these entry points and improving SQL query practices is recommended.