igumbi Online Booking Security & Risk Analysis

The igumbi-online-booking plugin exhibits a mixed security posture. On the positive side, the plugin uses prepared statements for all its SQL queries, demonstrates no critical or high-severity taint flows, and has no unpatched CVEs. The static analysis also shows a limited attack surface consisting of shortcodes, with no unprotected AJAX handlers or REST API routes. This suggests some good development practices in terms of preventing common injection vulnerabilities and unauthorized access to core functionalities.

However, several areas raise concerns. A significant portion of output (73%) is not properly escaped, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities. The lack of any nonce checks and capability checks across its entry points is a major security oversight, potentially allowing unauthorized users to trigger plugin functionalities or manipulate data. The single external HTTP request is also a potential vector for further attacks if not handled securely. The plugin's vulnerability history, while currently clear of unpatched issues, shows a past XSS vulnerability, which, combined with the current lack of output escaping, suggests a recurring weakness in handling user-provided data safely.

In conclusion, while igumbi-online-booking has strengths in database interaction and a limited attack surface, the pervasive lack of output escaping and absence of nonces and capability checks represent substantial security risks. These issues could lead to XSS attacks and unauthorized actions, despite the absence of unpatched critical vulnerabilities.