Known Limitations And Open Risks

This document captures limitations and open operational risks of the ADP Car Market Hub plugin that customers and integrators should be aware of when planning a production deployment.

When to use this document

Read this document if you need to:

  • Decide whether the plugin is a fit for a specific deployment scenario.
  • Plan operational safeguards (monitoring, backups, external cron) around the plugin.
  • Communicate trade-offs to internal stakeholders.

Overview

The ADP Car Market Hub plugin is a WordPress importer and front-end layer for AutoScout24 vehicle data. It is built on standard WordPress mechanisms (custom post types, taxonomies, custom tables, WP-Cron, REST and AJAX). The limitations below follow from those design choices and from the optional third-party integrations the plugin supports.

The information in this document is descriptive, not prescriptive. Use it as input to your own risk assessment; verify each item against the current plugin version before publishing customer-facing copy.

Operational limitations

  • WP-Cron reliance: scheduled imports, the image queue, the AI Assistant queue and the analytics retention cleanup all depend on WP-Cron firing. WP-Cron requires regular site traffic. Low-traffic sites should disable WP-Cron and run wp-cron.php (or call the cron-import REST endpoint) from a reliable system scheduler. See Cron Events And Scheduler.
  • Concurrent execution locks: import and image-queue runs use transient-based locks. If a worker dies hard (for example PHP fatal error or hosting timeout), the lock can outlive the process. Plugin upgrades and the uninstall routine clear these transients explicitly, but operators should be ready to delete as24ci_cron_import_running or as24ci_image_queue_running manually if a job appears stuck.
  • Single source of truth is the importer: vehicle posts reflect the imported AutoScout24 data. Manual edits to importer-managed fields can be overwritten on the next import. Use the manual fields and manual gallery images documented elsewhere if you need stable per-vehicle content.
  • Memory and runtime budgets: very large imports (several thousand vehicles per run, or vehicles with many images) can exceed PHP memory or max_execution_time limits on shared hosts. Tune the cron mode and per-run vehicle / image caps accordingly.
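
The stuck-lock check described above can be scripted as a WP-CLI command. This is an added example, not code from the plugin: the command name as24ci-locks is hypothetical, the two transient names are taken from this document, and it assumes the locks are ordinary (not site-wide) transients.

```php
<?php
// Added example, not part of the plugin. Load as an mu-plugin on a site with WP-CLI.
// Usage: wp as24ci-locks            (report only)
//        wp as24ci-locks --clear    (delete every lock that is currently set)
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'as24ci-locks', function ( $args, $assoc_args ) {
        // Lock names as given in this document.
        $locks = array( 'as24ci_cron_import_running', 'as24ci_image_queue_running' );
        $clear = isset( $assoc_args['clear'] );

        foreach ( $locks as $name ) {
            if ( false === get_transient( $name ) ) {
                WP_CLI::log( "$name: not set" );
                continue;
            }

            // The expiry timestamp is only readable from wp_options when no
            // persistent object cache is handling transients.
            $expires = wp_using_ext_object_cache()
                ? 0
                : (int) get_option( '_transient_timeout_' . $name );
            $left = $expires
                ? max( 0, $expires - time() ) . 's until expiry'
                : 'expiry unknown';
            WP_CLI::warning( "$name: set ($left)" );

            if ( $clear ) {
                // Clear only after confirming that no import or image-queue
                // worker is still running, otherwise two runs can overlap.
                delete_transient( $name );
                WP_CLI::success( "$name: deleted" );
            }
        }
    } );
}
```

Run it without --clear first and compare the result with the import logs before deleting anything.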

Security and access risks

  • API credentials live in wp_options: the AutoScout24 client credentials, the cron token and webhook shared secrets are stored unencrypted in the database. Treat database backups as containing secrets, restrict database access and rotate credentials after any suspected compromise. The managed Gemini API key used by the AI assistant is configured by AD Promotion in AS24CI\Ai_Config and is not stored as a WordPress option.
  • manage_as24_imports is granted to administrators only: any user-management plugin that strips this capability from administrators will lock them out of the importer admin surfaces. See Security And Capabilities.
  • Public REST endpoints are off by default and should only be enabled if their consumers are known. The favorites and analytics endpoints are public by design and apply input validation, but they remain exposed to anonymous traffic when the relevant features are enabled.

Privacy and compliance considerations

  • Analytics is opt-in but, once enabled, records visitor interactions in a custom table. The require-consent mode is available, but defaults to allow when no consent integration is wired into the as24ci_analytics_consent_check filter. Verify consent handling in your jurisdiction before enabling analytics.
  • Search-agent subscriptions store personal data (email and search criteria). The table is dropped on uninstall, but customers must still meet their own deletion-on-request obligations during normal operation.
  • AI Assistant transmits vehicle data to the managed Gemini endpoint: when enabled, prompts and listing context are sent to the managed Google Gemini configuration in ADP Car Market Hub. Review the applicable data processing and contractual terms for the managed AI setup before enabling AI features in production.
  • PDF datasheets and QR codes: the default QR provider is a third-party service. Replace it with a self-hosted generator (via the as24ci_pdf_qr_image_url filter) if external requests in printable documents are not acceptable for your privacy policy.
  • Email delivery uses wp_mail(): whether a notification reaches the recipient depends on the configured mailer and on external deliverability factors. The plugin records a best-effort _as24ci_lead_email_sent flag but does not guarantee delivery.

External dependencies

  • AutoScout24 API availability is required for imports. Network errors and provider outages are surfaced as failed runs in the import logs; no inbound data means no new vehicles, even with WP-Cron firing on schedule.
  • Browser-driven PDF generation: there is no server-side PDF library. Layout precision depends on the visitor's browser print engine. See PDF Generation Technical Notes.
  • Managed Gemini endpoint: subject to Google rate limits, model deprecations and pricing changes outside the plugin's control.
  • Webhook receivers: the plugin retries failed deliveries a bounded number of times. Persistent receiver outages may cause events to be lost; design receivers to be idempotent and to acknowledge quickly.

Documentation and verification caveats

  • This documentation describes behaviour observed in the current source. Where the codebase did not allow a conclusive answer the text uses cautious wording such as "verify against the current plugin version before publishing". Treat such statements as a prompt to check the source again before quoting them in customer contracts.
  • Default model identifiers, supported locales and option defaults can change between releases. When publishing customer-facing material, copy the values from the current plugin source rather than from this document verbatim.

Mitigations

  • Schedule an external cron call to wp-cron.php or to the cron-import REST endpoint to insulate scheduled work from low traffic.
  • Configure off-site database backups with appropriate encryption.
  • Pair the plugin with an SMTP / transactional-mail integration for reliable lead notifications.
  • Use staging environments to validate AI Assistant prompt templates and PDF Manager settings before applying changes to production.
  • Document and audit which roles hold manage_as24_imports and which third-party services are connected.
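
One way to run the manage_as24_imports audit from the last item, which also catches the administrator lock-out described under Security and access risks. This is an added example, not code from the plugin: the file name audit-as24-caps.php is hypothetical and the script assumes it is run through WP-CLI.

```php
<?php
// Added example, not part of the plugin. Run with: wp eval-file audit-as24-caps.php
$cap = 'manage_as24_imports'; // capability name as given in this document

// 1. Roles: this document states that only administrators hold the capability.
$admin_ok   = false;
$unexpected = array();
foreach ( wp_roles()->roles as $slug => $role ) {
    if ( empty( $role['capabilities'][ $cap ] ) ) {
        continue;
    }
    if ( 'administrator' === $slug ) {
        $admin_ok = true;
    } else {
        $unexpected[] = $slug;
    }
}

// 2. Users: find accounts that were granted the capability directly,
//    outside any role. The 'capability' query argument needs WordPress 5.9+;
//    older versions ignore it and simply return every user.
$direct = array();
foreach ( get_users( array( 'capability' => $cap ) ) as $user ) {
    if ( ! empty( $user->caps[ $cap ] ) ) {
        $direct[] = $user->user_login;
    }
}

// 3. Report. Any finding ends the run with a non-zero exit code so the
//    script can be used in a scheduled check.
if ( ! $admin_ok ) {
    WP_CLI::warning( "administrator role lacks $cap: admins are locked out of the importer screens" );
}
if ( $unexpected ) {
    WP_CLI::warning( "other roles holding $cap: " . implode( ', ', $unexpected ) );
}
if ( $direct ) {
    WP_CLI::warning( "users with $cap granted directly: " . implode( ', ', $direct ) );
}
if ( ! $admin_ok || $unexpected || $direct ) {
    WP_CLI::error( 'capability assignment differs from the documented default' );
}
WP_CLI::success( "$cap is held by the administrator role only" );
```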