Vertical scroll slideshow gallery v2 Security & Risk Analysis

The plugin 'vertical-scroll-slideshow-gallery-v2' v9.1 exhibits a mixed security posture. On the positive side, it demonstrates good practices with a high percentage of SQL queries using prepared statements and a limited attack surface with only one shortcode entry point. The absence of file operations and external HTTP requests further mitigates certain attack vectors. However, concerns arise from the low percentage of properly escaped output (39%), which can leave the application vulnerable to cross-site scripting (XSS) attacks. The presence of one unpatched medium severity CVE related to SQL injection, despite the general use of prepared statements, is a significant concern and indicates a historical weakness in sanitizing inputs for SQL queries. This suggests that while the developers may be using prepared statements for most queries, there's a specific instance or type of input that still allows for injection, and this has not been addressed.

Overall, while the plugin has strengths in its limited attack surface and proper SQL handling in most cases, the persistent SQL injection vulnerability and the high rate of unescaped output represent significant risks. The vulnerability history, particularly the single medium CVE which remains unpatched, suggests a potential lack of rigorous security testing or a delay in addressing reported issues. Users should be cautious due to the unpatched SQL injection vulnerability and the potential for XSS due to insufficient output escaping.