WoW Armory Security & Risk Analysis

The "wow-armory" plugin v8.4.3 exhibits a mixed security posture. On the positive side, it has no known historical vulnerabilities (CVEs) and its single SQL query is properly prepared. The attack surface is minimal, with no AJAX handlers or REST API routes, and the sole shortcode appears to have no direct unauthenticated entry points based on the provided data. However, significant concerns arise from the static code analysis. A critical finding is that 100% of its output is not properly escaped, posing a substantial risk of Cross-Site Scripting (XSS) vulnerabilities. Furthermore, the plugin lacks nonce checks and capability checks entirely, which are fundamental security mechanisms for protecting against various attacks, especially if any hidden or unintended entry points exist or are introduced in future updates. The presence of a flow with unsanitized paths, even if not flagged as critical or high severity, warrants attention due to its inherent risk. The absence of any recorded vulnerabilities in its history might suggest a lack of rigorous security testing or that potential vulnerabilities have not yet been discovered or exploited.