WP Travel Engine – Elementor Widgets | Create Travel Booking Website Using WordPress and Elementor Security & Risk Analysis

The "wte-elementor-widgets" plugin v1.5.0 presents a mixed security posture. While it demonstrates good practices in output escaping with 89% properly handled, and a lack of dangerous functions or file operations is positive, significant concerns remain. The presence of 4 AJAX handlers, with 2 lacking authentication checks, creates a substantial attack surface that could be exploited by unauthenticated users. Furthermore, the history of 2 known CVEs, including a high-severity Cross-site Scripting and a medium-severity PHP Remote File Inclusion vulnerability, indicates past weaknesses that require careful attention. Although no CVEs are currently unpatched, the nature of past vulnerabilities suggests potential for input validation and authorization flaws. The taint analysis shows 3 flows with unsanitized paths, which, while not critically severe in this analysis, could become exploitable if combined with other weaknesses. The absence of nonce checks on the unprotected AJAX endpoints is a critical oversight, leaving them vulnerable to CSRF attacks.

Overall, while the plugin has some strengths in code hygiene, the unprotected AJAX endpoints and historical vulnerabilities are significant risk factors. The lack of nonce checks on these entry points is a direct invitation for attacks. The plugin's development history with high and medium severity vulnerabilities suggests a need for more rigorous security testing and code review. Users should exercise caution and ensure that the plugin is kept up-to-date with any future security patches, and ideally, that the identified unprotected AJAX handlers are secured.