Tockify Events Calendar Security & Risk Analysis

The 'tockify-events-calendar' plugin version 2.3.1 exhibits a mixed security posture. On the positive side, the static analysis reveals no critical code signals such as dangerous functions, raw SQL queries, or file operations. Furthermore, the plugin has no external HTTP requests and no bundled libraries, which generally reduces the attack surface from dependencies. However, several significant concerns are present. The output escaping is notably poor, with only 33% of outputs properly escaped, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities. The complete absence of nonce checks and capability checks, particularly given the presence of a shortcode, is alarming as it means user actions initiated via the shortcode might not be properly authorized or validated. The vulnerability history, while showing no currently unpatched vulnerabilities, reveals a past medium-severity CVE related to XSS, confirming the susceptibility to this type of attack. The fact that a medium severity XSS vulnerability was present in the past and the current code has such poor output escaping suggests a persistent weakness in handling user-provided data safely.