Travel & Tours Meta Search Security & Risk Analysis

The adiaha-hotel plugin v3.1 exhibits several concerning security weaknesses, particularly in its handling of user input and authorization. The static analysis reveals a significant attack surface with 15 entry points, of which 4 are unprotected AJAX handlers. This lack of authorization checks on a substantial portion of its entry points is a major red flag. Furthermore, the plugin fails to implement any capability checks or nonce verification for these handlers, making them susceptible to unauthorized access and potential exploitation. The absence of prepared statements for its single SQL query and the complete lack of output escaping for its two identified outputs are also serious concerns, potentially leading to SQL injection and cross-site scripting vulnerabilities, respectively. The vulnerability history shows one known medium-severity CVE, which remains unpatched. This historical pattern, combined with the current code analysis findings, suggests a recurring issue with missing authorization and a general disregard for secure coding practices. While the absence of dangerous functions, file operations, and critical taint flows is positive, these strengths are overshadowed by the numerous critical weaknesses in authorization, input sanitization, and output escaping. The overall security posture is poor, and immediate attention is required to address these vulnerabilities.