Rezgo Online Booking Security & Risk Analysis

wordpress.org/plugins/rezgo

Sell your tours, activities, and events on your WordPress website using Rezgo.

200 active installs v4.22 PHP 5.2+ WP 3.3.0+ Updated Mar 4, 2026
Tags: activities, booking, reservations, ticketing, tours
Score: 96 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Jan 6, 2025
Safety Verdict

Is Rezgo Online Booking Safe to Use in 2026?

Generally Safe

Score 96/100

Rezgo Online Booking has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Jan 6, 2025 · Updated 1mo ago
Risk Assessment

The "rezgo" v4.22 plugin exhibits a mixed security posture, with some positive security practices alongside significant areas of concern. The plugin escapes a high proportion of its output (92%) and performs a reasonable number of nonce checks, but its unprotected AJAX handlers and its SQL queries that do not use prepared statements are notable weaknesses. The static analysis reveals critical risks related to unsanitized paths in taint flows, indicating potential for attackers to manipulate file operations or inject malicious code. The 4 identified uses of a dangerous function, "unserialize", further amplify these risks, as unserializing data from untrusted sources can lead to arbitrary code execution.

The plugin's vulnerability history shows a pattern of past security flaws, particularly Remote File Inclusion and Cross-site Scripting. Although there are currently no unpatched CVEs, a high-severity vulnerability that was unpatched in the past, along with past medium-severity issues, suggests a recurring need for diligent security patching and code review. That the last vulnerability dates to 2025-01-06, despite being a past vulnerability, is a curious detail but does not negate the historical pattern. Overall, the plugin has strengths in output handling but requires immediate attention to its insecure entry points, data sanitization, and historical vulnerability trends.

Key Concerns

  • Unprotected AJAX handlers
  • SQL queries without prepared statements
  • High severity taint flows
  • Use of unserialize function
  • Past high severity unpatched vulnerability
  • Past medium severity vulnerabilities
  • Unsanitized paths in taint analysis
Vulnerabilities (4)

Rezgo Online Booking Security Vulnerabilities

CVEs by Year

  • 2014: 2 CVEs
  • 2022: 1 CVE
  • 2025: 1 CVE

Severity Breakdown

  • High: 1
  • Medium: 3

4 total CVEs

CVE-2024-53800 · high · 8.1 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Rezgo Online Booking <= 4.17 - Unauthenticated Local File Inclusion
Jan 6, 2025 · Patched in 4.17.1 (120d)

CVE-2022-1932 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Rezgo Online Booking <= 4.1.7 - Reflected Cross-Site-Scripting
Jul 26, 2022 · Patched in 4.1.8 (546d)

CVE-2014-4547 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Rezgo Online Booking < 1.8.2 - Cross-Site Scripting
May 28, 2014 · Patched in 1.8.2 (3527d)

CVE-2014-4546 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Rezgo Online Booking < 1.4.3 - Cross-Site Scripting
May 28, 2014 · Patched in 1.4.3 (3527d)
Code Analysis
Analyzed Mar 16, 2026

Rezgo Online Booking Code Analysis

  • Dangerous Functions: 4
  • Raw SQL Queries: 2 (0 prepared)
  • Unescaped Output: 1249 (14616 escaped)
  • Nonce Checks: 9
  • Capability Checks: 1
  • File Operations: 10
  • External Requests: 4
  • Bundled Libraries: 2

Dangerous Functions Found

  • rezgo\include\class.rezgo.php:1574 (unserialize): $this->cart = unserialize(stripslashes($array));
  • rezgo\include\class.rezgo.php:3512 (unserialize): if($_COOKIE['rezgo_cart_'.REZGO_CID]) { $cart = unserialize(stripslashes($_COOKIE['rezgo_cart_'.REZG
  • rezgo\include\class.rezgo.php:3560 (unserialize): if($_COOKIE['rezgo_cart_'.REZGO_CID]) { $cart = unserialize(stripslashes($_COOKIE['rezgo_cart_'.REZG
  • rezgo\include\class.rezgo.php:3594 (unserialize): if($_COOKIE['rezgo_cart_'.REZGO_CID]) { $cart = unserialize(stripslashes($_COOKIE['rezgo_cart_'.REZG

Bundled Libraries

Stripe PHP, jQuery

SQL Query Safety

0% prepared (2 total queries)

Output Escaping

92% escaped (15865 total outputs)
Data Flows (74 unsanitized)

Data Flow Analysis

25 flows, 74 with unsanitized paths
<book_ajax> (book_ajax.php:0)
Attack Surface (2 unprotected)

Rezgo Online Booking Attack Surface

  • Entry Points: 3
  • Unprotected: 2

AJAX Handlers (2)

  • nopriv · wp_ajax_rezgo · settings\rezgo_settings.php:617
  • auth · wp_ajax_rezgo · settings\rezgo_settings.php:618

Shortcodes (1)

  • [rezgo_shortcode] · rezgo.php:79
WordPress Hooks (23)

  • action · generate_rewrite_rules · rezgo.php:70
  • action · wp_loaded · rezgo.php:75
  • action · generate_rewrite_rules · rezgo.php:76
  • action · rezgo_tpl_display · rezgo.php:80
  • filter · template_include · rezgo_plugin_logic.php:337
  • filter · pre_get_document_title · rezgo_plugin_logic.php:345
  • filter · wpseo_title · rezgo_plugin_logic.php:353
  • filter · wpseo_canonical · rezgo_plugin_logic.php:355
  • action · wp_head · rezgo_plugin_logic.php:356
  • filter · rank_math/frontend/title · rezgo_plugin_logic.php:365
  • filter · rank_math/frontend/canonical · rezgo_plugin_logic.php:367
  • action · wp_head · rezgo_plugin_logic.php:368
  • filter · aioseo_title · rezgo_plugin_logic.php:377
  • filter · aioseo_canonical_url · rezgo_plugin_logic.php:379
  • action · wp_head · rezgo_plugin_logic.php:380
  • action · wp_head · rezgo_plugin_logic.php:394
  • filter · kses_allowed_protocols · rezgo_plugin_logic.php:398
  • action · admin_init · settings\rezgo_settings.php:613
  • action · admin_menu · settings\rezgo_settings.php:614
  • filter · query_vars · settings\rezgo_settings.php:615
  • action · parse_request · settings\rezgo_settings.php:616
  • action · wp_enqueue_scripts · settings\rezgo_settings.php:619
  • filter · plugin_action_links_rezgo/rezgo.php · settings\rezgo_settings.php:620
Maintenance & Trust

Rezgo Online Booking Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Mar 4, 2026
  • PHP min version: 5.2
  • Downloads: 37K

Community Trust

  • Rating: 66/100
  • Number of ratings: 6
  • Active installs: 200
Developer Profile

Rezgo Online Booking Developer Profile

rezgo

1 plugin · 200 total installs

  • Trust score: 76
  • Avg Security Score: 96/100
  • Avg Patch Time: 1930 days
Detection Fingerprints

How We Detect Rezgo Online Booking

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
