SuperSaaS – online appointment scheduling Security & Risk Analysis

The supersaas-appointment-scheduling plugin v2.1.15 exhibits a mixed security posture. On the positive side, the static analysis reveals a limited attack surface with no unprotected entry points, no dangerous functions, and all SQL queries utilizing prepared statements. Furthermore, the plugin demonstrates a capability check, indicating some level of access control is in place.

However, significant concerns arise from the output escaping. The analysis shows that 100% of the 6 identified outputs are not properly escaped, representing a clear Cross-Site Scripting (XSS) risk. Despite the absence of critical or high-severity taint flows in this specific analysis, the historical vulnerability data reveals a pattern of medium-severity XSS vulnerabilities. The fact that the last recorded vulnerability was in February 2025, and there are no currently unpatched CVEs, suggests the developers are addressing issues, but the recurring nature of XSS is a persistent concern.

In conclusion, while the plugin has strengths in its SQL handling and limited attack surface, the lack of output escaping and the historical prevalence of XSS vulnerabilities present a notable risk. Users should be aware of the potential for XSS attacks, especially if the plugin is used in conjunction with other less secure components or if user-supplied data is directly reflected in the output.