VietQR Security & Risk Analysis

The VietQR plugin v3.5.3 demonstrates a strong security posture based on the provided static analysis. The absence of identified AJAX handlers, REST API routes, shortcodes, and cron events with or without authentication significantly limits its attack surface. The code further strengthens this by avoiding dangerous functions and exclusively using prepared statements for SQL queries, which is excellent practice. File operations and external HTTP requests are also minimal, and there are no recorded vulnerabilities in its history, indicating a well-maintained and secure plugin.

However, there are a few areas that warrant attention. The fact that 25% of the 36 output escapes are not properly sanitized presents a potential risk for cross-site scripting (XSS) vulnerabilities, especially if these outputs are user-controllable. Furthermore, the lack of nonce checks and capability checks across all entry points, combined with 0 unprotected entry points, suggests that either the plugin has no interactive entry points that would require such checks, or these checks are entirely missing. If there are any, even hidden, interactive components, this absence could be a significant oversight. The bundled Select2 library, while common, should ideally be kept up-to-date to mitigate any potential vulnerabilities within it.

In conclusion, the VietQR plugin v3.5.3 exhibits many positive security attributes, particularly in its handling of database queries and overall attack surface. The main concerns lie in the potential for XSS due to imperfect output escaping and the complete absence of nonce and capability checks. The lack of historical vulnerabilities is a strong positive, but the static analysis reveals areas where further hardening would be beneficial.