Hi.
After another exploit with the extension (December 2020), wouldn't be better to classify the extension under "Unstable extensions"? Miraheze and probably other wikifarms and some independent wikis removed the extension because of this.
Topic on Extension talk:Widgets
I personally do not think so. There are more extensions with frequents exploits around. In the end this is a matter of updating what you have in due time.
I agree that the last two exploits were quite bad and obvious as well. However, they were fixed in no time – this extension is indeed actively maintained.
This is why I think we should warn about the fact that this very type of extension is naturally susceptible to security flaws with respect to unsanitized input etc., but still designate it as stable.
In the long run, there should probably some kind of tutorial about how to use this extension securely, as well as a security review.
I just want to point out, that ShoutWiki und Fandom still have these extension deployed.
Although Miraheze undeployed the extension as a reaction to the security issues.
Sure, and I think this is no too far-fetched decision and understandable. But recommending an undeployment everywhere else does not really follow as a consequence thereof in my opinion.