• Contains functions which put values straight into SQL queries without preparing them (application/control/object/term.php line 165, application/control/subject/role.php lines 222 and 225, application/control/subject/user.php line 316, application/view/post.php lines 159 and 240 and 345)
• Downloads zip files over non-HTTPS connection and then extracts them within the plugin’s directory, exposing users to a risk of man-in-the-middle attacks which could place malicious PHP files on their server. On systems where the WordPress user is not permitted to write to the filesystem, this plugin may not function correctly
• Allows admin users to arbitrary content to arbitrary files (see AAM > ConfigPress – the file appears at ‘/wp-content/aam/’.get_option(‘aam_configpress’)). Among other things this could lead to arbitrary code execution if the server is misconfigured to execute files which don’t end with .php (see the linked advisory for more details)

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

• SQL escaping is not generally performed and so there is a likelihood that there are SQL injection vulnerabilities leading to the possible exfiltration of sensitive data
• If the server is misconfigured admin users may be able to run arbitrary code