YaMaps for WordPress Plugin Security & Risk Analysis

The "yamaps" plugin v0.6.41 exhibits a mixed security posture. On the positive side, the static analysis reveals strong adherence to secure coding practices. There are no identified dangerous functions, all SQL queries are properly prepared, and a high percentage (91%) of output is correctly escaped. Furthermore, the plugin includes nonce and capability checks, which are essential for preventing common WordPress attacks. The absence of file operations and external HTTP requests also reduces the attack surface.

However, a significant concern arises from the plugin's vulnerability history, which shows a total of 5 known CVEs, all classified as medium severity and primarily related to Cross-Site Scripting (XSS). Although there are currently no unpatched CVEs for this version, the pattern of past vulnerabilities, particularly XSS, suggests that input sanitization might be an area that requires ongoing vigilance and robust testing. The last recorded vulnerability was in February 2026, which is in the future, indicating a potential data anomaly or that this information is for a future release. The static analysis doesn't reveal any taint flows with unsanitized paths, but the historical XSS issues warrant careful consideration.

In conclusion, while the current code version demonstrates good practices in many areas, the historical prevalence of XSS vulnerabilities is a notable weakness. Users should ensure they are always running the latest patched version of this plugin and be aware of the potential for similar issues to arise if input handling is not consistently strict. The plugin's limited attack surface and good static analysis results provide a solid foundation, but the historical context demands attention.