Aviation Weather from NOAA Security & Risk Analysis

The aviation-weather-from-noaa plugin exhibits a mixed security posture. While it demonstrates good practices in areas like SQL query preparation and output escaping, significant concerns arise from its attack surface and vulnerability history. The presence of three unprotected AJAX handlers presents a notable risk, as these can be exploited by unauthenticated users. The plugin's vulnerability history, specifically a high-severity path traversal vulnerability discovered in the recent past and still unpatched, is a critical red flag. This indicates a potential for attackers to manipulate file paths, leading to unauthorized access to sensitive data or even system compromise. Although taint analysis shows no unsanitized paths in the current version, the recurring nature of path-related vulnerabilities is concerning and suggests potential for reintroduction. The plugin has a moderate attack surface with several entry points, a portion of which lack proper authorization. The strengths lie in its use of prepared statements for SQL and generally good output escaping, which mitigate some common web vulnerabilities. However, the unpatched high-severity vulnerability and the unprotected AJAX endpoints create a clear and present danger.