Irdinmo para Inmovilla Security & Risk Analysis

The "irdinmo-para-inmovilla" v1.4.3 plugin exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices by exclusively using prepared statements for all SQL queries and properly escaping all its output, which significantly reduces the risk of SQL injection and cross-site scripting (XSS) vulnerabilities. The absence of known CVEs and a clean vulnerability history are also strong indicators of a well-maintained and secure plugin to date. The attack surface is relatively small with only two shortcodes identified as entry points and no unprotected AJAX handlers or REST API routes. However, the presence of the `unserialize` function is a notable concern. Without proper validation of the serialized data, this function can be exploited to achieve remote code execution if an attacker can control the input being unserialized. Furthermore, the complete lack of nonce checks and capability checks for its entry points means that actions performed by these shortcodes could potentially be triggered by unauthenticated users or users without the necessary permissions, leading to unintended operations if the unserialized data is malicious or if the shortcode functionality itself can be abused.