WPFAQBlock– FAQ & Accordion Plugin For Gutenberg Security & Risk Analysis

The wpfaqblock plugin, version 1.2.0, exhibits a mixed security posture. On the positive side, the static analysis reveals strong adherence to secure coding practices, with 100% of SQL queries using prepared statements and 100% of output properly escaped. The attack surface is also relatively small, with only one shortcode identified as an entry point, and importantly, no unprotected entry points were found in this scan.

However, several significant concerns are raised by the provided data. The plugin has a history of vulnerabilities, with one currently unpatched medium severity Cross-Site Scripting (XSS) vulnerability. The fact that this vulnerability was discovered relatively recently (March 2026) and remains unpatched is a major red flag. Furthermore, the static analysis indicates a complete absence of nonce checks and capability checks. While the current scan didn't find any exploitable taint flows, the lack of these fundamental WordPress security mechanisms creates a significant risk that future vulnerabilities could be introduced or existing ones exploited more easily.

In conclusion, while wpfaqblock 1.2.0 demonstrates good practices in SQL handling and output escaping, the presence of an unpatched medium XSS vulnerability and the complete lack of nonce and capability checks significantly undermine its overall security. Users should exercise caution and prioritize patching or updating the plugin to address the known vulnerability. The absence of basic security checks suggests potential for future security weaknesses.