Planyo online reservations – WooCommerce integration Security & Risk Analysis

The "planyo-woocommerce-integration" v1.0 plugin exhibits a concerning security posture primarily due to a significant lack of authentication checks on its entry points. With two unprotected AJAX handlers and no capability checks, these entry points represent a direct attack surface. While the plugin avoids dangerous functions and uses prepared statements for SQL queries, the absence of proper output escaping for most of its outputs (only 11% properly escaped) suggests a high risk of cross-site scripting (XSS) vulnerabilities. The lack of nonces on AJAX handlers further exacerbates this risk, making it easier for attackers to trigger actions. The plugin's vulnerability history is clean, with no recorded CVEs, which is a positive sign. However, this historical data is limited, and the current code analysis reveals significant weaknesses that could easily lead to future vulnerabilities. Overall, while the plugin demonstrates some good practices like avoiding dangerous functions and using prepared SQL, the unprotected entry points and poor output escaping are critical concerns that significantly outweigh these strengths, demanding immediate attention.