Sanitisation and escaping are present but are not applied systematically. Much improved over the last version, but the lack of a systematic approach is a concern given the size of the plugin (over 11,000 lines of PHP). Queries containing variables all appear to be prepared.
There are several instances of unsanitised data being passed into filters and abstract functions. This should not affect users intending to use the plugin in isolation, but anyone intending to write code that interacts with it should be aware that arguments coming into their filters are unlikely to be trustworthy.
This plugin is intended to function with add-ons which can be purchased separately. No add-ons were included in this inspection. However, we are confident that this plugin does contain a Cross Site Scripting vulnerability which would be exploitable if an add-on were used.
Therefore, we recommend that this plugin should not be used if you are also using a ticketing add-on, and have given it a use with caution rating as a result.
Reason for the 'Use with caution' result
The plugin appears not to be vulnerable, but could interact with another component in such a way as to become vulnerable:
XSS in code which functions with ticketing add-on.