BookingDaddy – Booking & Appointment Made Bold, Easy, and Smart Security & Risk Analysis

The "bookingdaddy" v1.0.0 plugin exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices regarding SQL queries, with 100% using prepared statements, and a very high percentage (98%) of output being properly escaped, significantly reducing the risk of common cross-site scripting (XSS) vulnerabilities. The absence of known CVEs and vulnerabilities in its history is also a strong indicator of a relatively secure development lifecycle so far. However, the plugin presents a notable concern with its attack surface. It has two AJAX handlers, both of which lack authentication checks. This is a significant security weakness that could allow unauthenticated users to trigger potentially harmful actions within the plugin.

The taint analysis shows no critical or high severity flows with unsanitized paths, which is reassuring. Similarly, the lack of dangerous functions and the presence of nonce checks on some actions are positive signs. Despite the strong internal code hygiene regarding SQL and output, the unprotected AJAX endpoints represent a clear and present risk. The absence of capability checks on these endpoints further exacerbates this issue, meaning any user, even a subscriber or guest, could potentially interact with these handlers. Therefore, while many aspects of the plugin's code are well-secured, the unprotected AJAX endpoints are a critical vulnerability that needs immediate attention.