Ultimate Maps by Supsystic Security & Risk Analysis

The 'ultimate-maps-by-supsystic' plugin, version 1.2.23, presents a mixed security posture. While the static analysis shows a remarkably small attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events accessible without authentication, there are underlying concerns. The presence of the `unserialize` function is a significant red flag, as it can lead to critical vulnerabilities if not handled with extreme care and robust sanitization. Additionally, while a substantial portion of SQL queries use prepared statements, a remaining percentage does not, posing a potential SQL injection risk. The output escaping is also only moderately effective, with over a third of outputs not being properly escaped, indicating a cross-site scripting (XSS) risk.

The vulnerability history reveals a pattern of past security issues, including CSRF, XSS, and SQL injection. The fact that there are no currently unpatched vulnerabilities is positive, suggesting that developers are addressing reported issues. However, the existence of past high and medium severity vulnerabilities, particularly those related to injection and XSS, indicates a history of security weaknesses that warrant continued vigilance. The most recent vulnerability being only a few months ago also suggests ongoing discovery of issues.

In conclusion, the plugin benefits from a well-controlled attack surface, which is a strong security positive. However, the reliance on potentially dangerous functions like `unserialize`, a history of significant vulnerabilities, and less than ideal output escaping practices introduce notable risks. Users should ensure they are on the latest version if available and be aware of the potential for newly discovered vulnerabilities, despite the current lack of unpatched CVEs.