WP Google Street View (with 360° virtual tour) & Google maps + Local SEO Security & Risk Analysis

The wp-google-street-view plugin version 1.1.9 presents a mixed security posture. On the positive side, the plugin demonstrates good practices by exclusively using prepared statements for SQL queries and performing nonce and capability checks on its identified entry points, which are limited to two shortcodes. The absence of AJAX handlers, REST API routes, and cron events, as well as zero file operations and external HTTP requests, significantly reduces the attack surface. However, a notable concern is the low percentage of properly escaped output (32%), suggesting a potential for Cross-Site Scripting (XSS) vulnerabilities, especially given the plugin's history of such issues.

The plugin's vulnerability history reveals a pattern of medium-severity XSS vulnerabilities, with the last recorded vulnerability in 2026. While there are currently no unpatched CVEs, the recurring nature of XSS issues indicates a need for more rigorous output sanitization and validation in the codebase. The presence of a bundled Freemius library at version 1.0, while not explicitly stated as vulnerable, could also pose a risk if it contains known security flaws that have not been updated.

In conclusion, while the plugin has made strides in securing its entry points and database interactions, the significant amount of unescaped output remains a critical weakness. The historical trend of XSS vulnerabilities further amplifies this concern. Users should be aware of the potential for XSS attacks and monitor for future updates that address output sanitization more thoroughly.