OwnerRez Security & Risk Analysis

wordpress.org/plugins/ownerrez

The official WordPress plugin for the OwnerRez API.

700 active installs v1.2.6 PHP + WP 5.4+ Updated Feb 23, 2026
airbnb · booking · property-management · vacation-rental · vrbo
98
A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Jul 4, 2025
Safety Verdict

Is OwnerRez Safe to Use in 2026?

Generally Safe

Score 98/100

OwnerRez has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Jul 4, 2025 · Updated 1mo ago
Risk Assessment

The ownerrez plugin v1.2.6 exhibits a mixed security posture. While it demonstrates good practices by utilizing prepared statements for all SQL queries and includes nonce and capability checks for its entry points, significant concerns remain. The presence of two AJAX handlers without authentication checks represents a substantial attack surface, making it vulnerable to unauthorized actions if these endpoints can be triggered externally. Furthermore, the taint analysis revealing two flows with unsanitized paths, though not classified as critical or high severity, suggests potential for subtle vulnerabilities in how input is processed. The plugin's vulnerability history, with two past medium-severity CVEs for Cross-site Scripting and Cross-Site Request Forgery, indicates a pattern of past security weaknesses, even though there are no currently unpatched vulnerabilities. This history, coupled with the identified unprotected AJAX handlers, suggests a need for continued vigilance and thorough code review.

Key Concerns

  • Unprotected AJAX handlers
  • Flows with unsanitized paths
  • Past medium severity CVEs
Vulnerabilities
2

OwnerRez Security Vulnerabilities

CVEs by Year

2 CVEs in 2025

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2025-28957 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OwnerRez <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jul 4, 2025 Patched in 1.2.2 (18d)
CVE-2025-31814 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

OwnerRez <= 1.2.0 - Cross-Site Request Forgery

Apr 1, 2025 Patched in 1.2.1 (53d)
Code Analysis
Analyzed Mar 16, 2026

OwnerRez Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 10 (14 escaped)
Nonce Checks: 2
Capability Checks: 2
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

58% escaped · 24 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

3 flows · 2 with unsanitized paths
menu_settings (admin\class-ownerrez-admin.php:78)
Attack Surface
2 unprotected

OwnerRez Attack Surface

Entry Points: 3
Unprotected: 2

AJAX Handlers 2

auth · wp_ajax_ownerrez · includes\class-ownerrez.php:151
nopriv · wp_ajax_ownerrez · includes\class-ownerrez.php:152

Shortcodes 1

[ownerrez] public\class-ownerrez-shortcodes.php:86
WordPress Hooks 12
action · plugins_loaded · includes\class-ownerrez.php:127
action · admin_enqueue_scripts · includes\class-ownerrez.php:141
action · admin_enqueue_scripts · includes\class-ownerrez.php:142
filter · admin_menu · includes\class-ownerrez.php:143
action · admin_post_save_ownerrez_settings · includes\class-ownerrez.php:144
action · admin_post_clear_ownerrez_transients · includes\class-ownerrez.php:145
filter · plugin_action_links_ownerrez/ownerrez.php · includes\class-ownerrez.php:146
action · wp_enqueue_scripts · includes\class-ownerrez.php:167
action · wp_enqueue_scripts · includes\class-ownerrez.php:168
action · parse_request · includes\class-ownerrez.php:169
action · init · includes\class-ownerrez.php:173
action · activated_plugin · ownerrez.php:73
Maintenance & Trust

OwnerRez Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 23, 2026
PHP min version
Downloads: 13K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 700
Developer Profile

OwnerRez Developer Profile

OwnerRez

1 plugin · 700 total installs

Trust score: 87
Avg Security Score: 98/100
Avg Patch Time: 36 days
Detection Fingerprints

How We Detect OwnerRez

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ownerrez/admin/css/ownerrez-admin.css
/wp-content/plugins/ownerrez/admin/js/ownerrez-admin.js
Version Parameters
ownerrez/admin/css/ownerrez-admin.css?ver=
ownerrez/admin/js/ownerrez-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
ownerrez-settings
HTML Comments
<!-- OwnerRez Settings -->
<!-- This is the main section for ownerrez settings -->
Data Attributes
data-ownerrez-api-root
data-ownerrez-username
data-ownerrez-token
JS Globals
ownerrezApiRoot
ownerrezUsername
ownerrezToken
REST Endpoints
/wp-json/ownerrez/v1/settings
Shortcode Output
[ownerrez_booking_widget]
FAQ

Frequently Asked Questions about OwnerRez