Surbma | Booking.com Shortcode Security & Risk Analysis

The surbma-bookingcom-shortcode plugin v2.1.1 presents a mixed security posture. On the positive side, the static analysis reveals strong adherence to secure coding practices. There are no dangerous functions used, all SQL queries utilize prepared statements, and all identified output is properly escaped. Furthermore, the absence of file operations and external HTTP requests reduces potential attack vectors. However, a significant concern is the complete lack of nonce checks and capability checks across all entry points. While the current static analysis reports zero unprotected entry points, this is likely due to the limited scope of entry points identified (only one shortcode) and doesn't negate the inherent risk of unprotected functionality if new entry points were added or if the single shortcode's execution context could be manipulated without authentication.

The vulnerability history indicates a past medium-severity Cross-Site Scripting (XSS) vulnerability. Although there are no currently unpatched CVEs, the existence of a past XSS issue, even if resolved, suggests potential weaknesses in input sanitization or output escaping that could resurface if not carefully maintained. The fact that the last vulnerability was dated 2026-04-13 also raises a red flag, implying the data might be from a future perspective or contain an error, making it difficult to assess the current state of ongoing maintenance. The current version appears to be patched concerning past vulnerabilities, but the lack of robust authentication and authorization checks for its single entry point remains a notable weakness.