Bonaire Security & Risk Analysis

wordpress.org/plugins/bonaire

Send replies to messages you received trough a default Contact Form 7 contact form and you store with Flamingo.

10 active installs v0.1.1 PHP 5.6+ WP 5.5+ Updated Mar 16, 2023
contact-form-7emailflamingomessagereply
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Safety Verdict

Is Bonaire Safe to Use in 2026?

Generally Safe

Score 85/100

Bonaire has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 3yr ago
Risk Assessment

The "bonaire" plugin v0.1.1 exhibits a generally good security posture with several strong practices in place. The absence of any known CVEs or past vulnerabilities is a significant positive, suggesting a history of secure development or a very new, untested plugin. The plugin also demonstrates a strong commitment to input validation and data integrity by utilizing prepared statements for all SQL queries and implementing nonce checks for all identified AJAX handlers. The lack of external HTTP requests and file operations further reduces the potential attack surface.

However, the static analysis does reveal areas for improvement. A notable concern is the 56% rate of properly escaped output. This indicates that a significant portion of the plugin's output is not being properly escaped, creating a potential for Cross-Site Scripting (XSS) vulnerabilities. While no critical or high severity taint flows were found, the presence of two unsanitized path flows, even at lower severities, warrants attention as they could be exploited in specific scenarios to manipulate file paths.

In conclusion, "bonaire" v0.1.1 is a plugin with a promising security foundation, particularly in its handling of SQL and AJAX requests. The primary risk lies in the unescaped output, which requires immediate attention to prevent XSS attacks. The unsanitized path flows, while not currently critical, should also be reviewed and remediated. The plugin's clean vulnerability history is a positive indicator, but ongoing vigilance and addressing the identified output escaping issues are crucial for maintaining a secure application.

Key Concerns

  • Insufficient output escaping
  • Unsanitized paths in taint flows
Vulnerabilities
None known

Bonaire Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Bonaire Release Timeline

v0.1.1Current
Code Analysis
Analyzed Apr 16, 2026

Bonaire Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
68
87 escaped
Nonce Checks
11
Capability Checks
1
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

56% escaped155 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths
display_reply_form_meta_box (admin/includes/class-meta-box.php:239)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Bonaire Attack Surface

Entry Points11
Unprotected0

AJAX Handlers 11

authwp_ajax_bonaire_mark_as_readadmin/includes/class-ajax.php:129
authwp_ajax_bonaire_mark_as_spamadmin/includes/class-ajax.php:130
authwp_ajax_bonaire_move_to_trashadmin/includes/class-ajax.php:131
authwp_ajax_bonaire_submit_replyadmin/includes/class-ajax.php:133
authwp_ajax_bonaire_save_optionsadmin/includes/class-ajax.php:135
authwp_ajax_bonaire_reset_optionsadmin/includes/class-ajax.php:136
authwp_ajax_bonaire_send_testmailadmin/includes/class-ajax.php:137
authwp_ajax_bonaire_test_contact_formadmin/includes/class-ajax.php:138
authwp_ajax_bonaire_test_smtp_settingsadmin/includes/class-ajax.php:139
authwp_ajax_bonaire_test_imap_settingsadmin/includes/class-ajax.php:140
authwp_ajax_bonaire_get_settings_statusadmin/includes/class-ajax.php:141
WordPress Hooks 24
actioninitadmin/class-admin.php:226
actionadmin_enqueue_scriptsadmin/class-admin.php:227
actionadmin_enqueue_scriptsadmin/class-admin.php:228
actionadmin_enqueue_scriptsadmin/class-admin.php:229
filterplugin_row_metaadmin/class-admin.php:230
actionin_admin_headeradmin/includes/class-contextual-help.php:65
actionload-post.phpadmin/includes/class-contextual-help.php:67
actionload-post-new.phpadmin/includes/class-contextual-help.php:68
actionadmin_enqueue_scriptsadmin/includes/class-dashboard-widget.php:150
actionwp_dashboard_setupadmin/includes/class-dashboard-widget.php:151
actionadmin_enqueue_scriptsadmin/includes/class-meta-box.php:108
actionadmin_enqueue_scriptsadmin/includes/class-meta-box.php:109
actionload-flamingo_page_flamingo_inboundadmin/includes/class-meta-box.php:112
actionload-flamingo_page_flamingo_inboundadmin/includes/class-meta-box.php:119
actionadmin_enqueue_scriptsadmin/includes/class-options.php:438
actionadmin_noticesadmin/includes/class-post-views.php:53
actionadmin_enqueue_scriptsadmin/includes/class-settings-page.php:85
actionadmin_menuadmin/includes/class-settings-page.php:86
actionadmin_enqueue_scriptsadmin/includes/class-tooltips.php:93
actionadmin_enqueue_scriptsadmin/partials/class-settings-page-display.php:86
actionplugins_loadedbonaire.php:166
actioninitincludes/class-i18n.php:51
filterwpcf7_posted_datapublic/class-public.php:31
actionwpcf7_mail_sentpublic/class-public.php:32
Maintenance & Trust

Bonaire Maintenance & Trust

Maintenance Signals

WordPress version tested6.1.10
Last updatedMar 16, 2023
PHP min version5.6
Downloads1K

Community Trust

Rating0/100
Number of ratings0
Active installs10
Developer Profile

Bonaire Developer Profile

Demis Patti

4 plugins · 150 total installs

89
trust score
Avg Security Score
93/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Bonaire

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/bonaire/admin/css/bonaire-admin.css/wp-content/plugins/bonaire/admin/js/bonaire-admin.js
Script Paths
/wp-content/plugins/bonaire/admin/js/bonaire-admin.js
Version Parameters
bonaire/admin/css/bonaire-admin.css?ver=bonaire/admin/js/bonaire-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
bonaire-settings-pagebonaire-admin-settingsbonaire-main-wrapbonaire-containerbonaire-dashboard-widgetbonaire-dashboard-widget-contentbonaire-post-views-columnbonaire-contextual-help+8 more
HTML Comments
If this file is called directly, abort.The plugin bootstrap fileInclude dependencies.The class that launches the plugin.+2 more
Data Attributes
data-bonairedata-bonaire-account-iddata-bonaire-account-type
JS Globals
bonaire_ajaxbonaire_admin_options
FAQ

Frequently Asked Questions about Bonaire