ERE Recently Viewed – Essential Real Estate Add-On Security & Risk Analysis

The ere-recently-viewed plugin v2.1 exhibits a mixed security posture. On one hand, the static analysis reveals a small attack surface with only one shortcode and no AJAX handlers or REST API routes. Furthermore, the code demonstrates good practices by using prepared statements for all SQL queries and having a high percentage of properly escaped output. There are no indications of dangerous functions, file operations, or external HTTP requests, which are positive signs.

However, significant concerns arise from the vulnerability history. The presence of a past critical vulnerability, specifically deserialization of untrusted data, is a major red flag. While this vulnerability is currently patched, it highlights a historical weakness in handling serialized data, which can be a complex and dangerous area if not managed meticulously. The lack of nonce checks and capability checks in the static analysis, although on a limited attack surface, means that any new vulnerabilities introduced in future versions could be more easily exploited if they involve actions that should be protected.

In conclusion, while the current version of the plugin shows some good coding practices, the history of a critical deserialization vulnerability warrants caution. The absence of nonce and capability checks on the identified entry points is a potential oversight that could be exploited if new vulnerabilities emerge. Users should remain vigilant for future updates and advisories.