Plugin inspection:

Advanced Access Manager

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Warnings

The version of this plugin that this recommendation was based on is known to be vulnerable to attack:

This recommendation applies to version 2.8.2 of this plugin, but the most recent version is 2.8.7. These findings may no longer be correct.

Findings

  • Contains functions which put values straight into SQL queries without preparing them (application/control/object/term.php line 165, application/control/subject/role.php lines 222 and 225, application/control/subject/user.php line 316, application/view/post.php lines 159, 240 and 345)
  • Downloads zip files over a non-HTTPS connection and then extracts them within the plugin's directory, exposing users to a risk of man-in-the-middle attacks which could place malicious PHP files on their server. On systems where the WordPress user is not permitted to write to the filesystem, this plugin may not function correctly
  • Allows admin users to write arbitrary content to arbitrary files (see AAM > ConfigPress – the file appears at '/wp-content/aam/' . get_option('aam_configpress')). Among other things this could lead to arbitrary code execution if the server is misconfigured to execute files which don't end with .php (see the linked advisory for more details)
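As an added illustration, not code from Advanced Access Manager or from this review, the following shows the first two findings in WordPress PHP: the unprepared query pattern beside its $wpdb->prepare() form, and a download routine that refuses plain HTTP, pins a checksum and extracts only through the WP_Filesystem API. The function names, the table queried and the digest value are assumptions made for the example.

```php
<?php
// Added illustration, not code from Advanced Access Manager. Function and
// variable names, the table queried and the expected digest are assumptions.

// ---- Finding 1: values placed straight into SQL -------------------------

// Unsafe pattern: the value is interpolated into the query text, so a quote
// character inside $option_name can change the statement itself.
function example_get_option_unsafe( $option_name ) {
    global $wpdb;
    $sql = "SELECT option_value FROM {$wpdb->options} WHERE option_name = '{$option_name}'";
    return $wpdb->get_var( $sql );
}

// Hardened: $wpdb->prepare() substitutes the value for the %s placeholder with
// escaping, so the statement's structure is fixed before any data enters it.
function example_get_option_safe( $option_name ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT option_value FROM {$wpdb->options} WHERE option_name = %s",
        $option_name
    );
    return $wpdb->get_var( $sql );
}

// ---- Finding 2: zip fetched over plain HTTP and extracted -----------------

// Hardened download: HTTPS only (the WP HTTP API verifies certificates by
// default), the archive lands in a temp file, its SHA-256 is compared with a
// digest pinned in the plugin, and only then is it unpacked via WP_Filesystem.
// $expected_sha256 is supplied by the caller; any value used here is a
// placeholder, not a real checksum.
function example_fetch_and_extract( $url, $expected_sha256, $target_dir ) {
    if ( 0 !== strpos( $url, 'https://' ) ) {
        return new WP_Error( 'insecure_url', 'Refusing to download over plain HTTP.' );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';

    // download_url() returns the path of a temporary file, or a WP_Error.
    $tmp = download_url( $url );
    if ( is_wp_error( $tmp ) ) {
        return $tmp;
    }

    // Constant-time comparison of the pinned digest with the downloaded file.
    $actual = hash_file( 'sha256', $tmp );
    if ( ! hash_equals( $expected_sha256, $actual ) ) {
        @unlink( $tmp );
        return new WP_Error( 'bad_digest', 'Archive does not match the pinned SHA-256.' );
    }

    // unzip_file() goes through WP_Filesystem, so it fails with a WP_Error
    // (rather than silently) where the web server user cannot write.
    if ( ! WP_Filesystem() ) {
        @unlink( $tmp );
        return new WP_Error( 'fs_unavailable', 'WP_Filesystem could not be initialised.' );
    }
    $result = unzip_file( $tmp, $target_dir );
    @unlink( $tmp );
    return $result; // true on success, WP_Error on failure
}
```

The download helper is deliberately strict: a non-HTTPS URL or a digest mismatch aborts before anything is written under the plugin directory, which is the point at which the man-in-the-middle risk in the second finding would otherwise turn into attacker-controlled PHP on the server.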

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

  • SQL escaping is generally not performed, so SQL injection vulnerabilities are likely, with the possible exfiltration of sensitive data
  • If the server is misconfigured, admin users may be able to run arbitrary code

Failure criteria

  • Execution of unprepared SQL statements
  • Unsafe file or network IO

Read more about our failure criteria.