OpenCabs – Taxi and private hire bookings Security & Risk Analysis

The "opencabs-taxi-and-private-hire-bookings" v1.2 plugin exhibits a generally good security posture based on the provided static analysis. The absence of detected AJAX handlers, REST API routes, and cron events without authentication, along with no critical or high severity taint flows, is commendable. The plugin also demonstrates good practices by exclusively using prepared statements for SQL queries. However, a significant concern lies in the output escaping, where 52% of outputs are not properly escaped, potentially exposing the application to Cross-Site Scripting (XSS) vulnerabilities. While the vulnerability history is clean, indicating a lack of publicly known exploits, this should not be a sole reason for complacency, especially given the output escaping issues.

The limited attack surface is a strength, with only one shortcode identified as an entry point, and it appears to have an implicit or explicit protection mechanism. The presence of nonce checks and capability checks, though limited in number, suggests an awareness of security best practices. The four external HTTP requests are noted, but without further context, their security implications are unknown. The lack of dangerous functions and file operations is a positive indicator. Overall, the plugin is relatively secure, but the significant percentage of unescaped output represents a notable risk that requires immediate attention and remediation.