Occupancy Plan Security & Risk Analysis

The "occupancy-plan" v1.4.18 plugin exhibits a mixed security posture. While it has a clean vulnerability history with no known CVEs, the static analysis reveals several areas of concern. The plugin has a significant attack surface with 4 entry points, and alarmingly, 3 of these (all AJAX handlers) lack authentication checks. This presents a direct avenue for unauthenticated users to interact with sensitive plugin functionalities.

Taint analysis further highlights risks, with 12 out of 21 analyzed flows containing unsanitized paths, and 7 of these classified as high severity. This indicates potential vulnerabilities where user-supplied input could be manipulated to affect file operations or other sensitive actions. The SQL query analysis shows that nearly half of queries are not using prepared statements, and over half of output operations are not properly escaped, further contributing to the potential for vulnerabilities like SQL injection and Cross-Site Scripting (XSS).

Despite the absence of past vulnerabilities, the current code analysis suggests a need for improvement. The high number of unprotected AJAX handlers and high-severity unsanitized flows are significant risks. The plugin's strengths lie in its lack of bundled libraries and zero external HTTP requests, which reduces certain attack vectors. However, the overall security posture is weakened by the identified weaknesses in input validation and authentication.