Andreadb Google Maps Security & Risk Analysis

The andreadb-google-maps plugin v1.0.0 exhibits a concerning security posture due to a significant number of unprotected entry points. While the plugin demonstrates good practices in handling SQL queries with prepared statements and avoids file operations or external HTTP requests, the presence of three AJAX handlers without authentication checks is a major vulnerability. This lack of authorization could allow unauthorized users to trigger these handlers, potentially leading to unintended actions or data manipulation within the WordPress site. The plugin also uses the dangerous `create_function` construct, which can be a vector for code injection if not handled with extreme care. The taint analysis reveals one flow with unsanitized paths, indicating a potential for path traversal or manipulation, although it is not classified as critical or high severity in this analysis. Fortunately, the plugin has no recorded vulnerability history, which is a positive sign, but it does not negate the immediate risks identified in the current code. Overall, the plugin's strengths in SQL handling are overshadowed by critical weaknesses in access control for its AJAX endpoints and the use of a risky function, requiring immediate attention.