Appointment Bookings for Zoom GoogleMeet and more – Wappointment Security & Risk Analysis

The "wappointment" plugin, version 2.7.5, exhibits a mixed security posture. On the positive side, the static analysis shows a commendable use of prepared statements for all SQL queries and a reasonably good rate of output escaping. The plugin also implements a healthy number of capability checks. However, a significant concern is the complete absence of nonce checks, which, coupled with the presence of shortcodes, could create opportunities for Cross-Site Request Forgery (CSRF) if user input is not handled with extreme care. The plugin also relies on the Guzzle library, and without information on its version, potential vulnerabilities within this bundled component cannot be ruled out.

The plugin's vulnerability history is a major red flag. With four known CVEs, including one currently unpatched high-severity vulnerability, the plugin has demonstrated a pattern of introducing security flaws. The historical vulnerability types, such as Missing Authorization, Cross-Site Scripting (XSS), and Server-Side Request Forgery (SSRF), are serious and indicate recurring issues in secure coding practices. The recency of the last vulnerability (2025-12-21) suggests that these issues are not historical but recent, making the unpatched high-severity vulnerability particularly alarming.

In conclusion, while "wappointment" v2.7.5 demonstrates some good practices like prepared SQL statements, its significant vulnerability history, the presence of an unpatched high-severity CVE, and the lack of nonce checks pose considerable risks. The potential for CSRF and the history of common web vulnerabilities suggest a need for immediate attention and remediation.