WP Airbnb Review Slider Security & Risk Analysis

The wp-airbnb-review-slider plugin v4.4 exhibits a mixed security posture. While it demonstrates some good practices such as a decent number of nonce and capability checks, and a notable percentage of SQL queries using prepared statements, significant concerns remain regarding its attack surface and output sanitization.

The static analysis reveals a considerable attack surface with 4 total entry points, 3 of which are unprotected. This means that these entry points are accessible without proper authentication or authorization, potentially allowing malicious actors to exploit them. The taint analysis, while showing no critical or high severity flows, did identify one flow with an unsanitized path, which is a clear indicator of potential vulnerabilities, though its severity is not detailed.

The plugin's vulnerability history is a significant red flag. With 4 known CVEs, including one high severity vulnerability, and common vulnerability types like Cross-site Scripting and SQL Injection, it suggests a pattern of insecure coding practices. The fact that the last vulnerability was recent (2025-11-06) and there are currently no unpatched vulnerabilities is a positive, but the historical trend warrants caution. The plugin also suffers from a notable lack of proper output escaping, with less than half of outputs being properly sanitized, increasing the risk of XSS attacks.

In conclusion, while the plugin has strengths like a reasonable percentage of prepared SQL statements and some security checks, the unprotected entry points, history of vulnerabilities, and poor output escaping significantly elevate its risk profile. Users should exercise caution and ensure they are running the latest patched version, though the historical pattern suggests ongoing vigilance is necessary.