Findings
- Triggers errors
- Uses create_function(), but the variable is passed through absint() first
- TimThumb 2.8.10 is included in this plugin
- The __destruct() method of the timthumb class deletes files, which could be used as part of a PHP serialized object injection, however the file appears not to be included by the plugin and it doesn’t appear to use unserialize() itself
- TimThumb being meant to be executed directly could be a compatibility issue in hardened environments
- It appears to use the directory timthumb/cache within the plugin instead of a directory in wp-content/uploads, which could also cause compatibility issues
- Uses the backtick operator (equivalent to exec()), but only if one of three options is set (which requires adding a file at timthumb/timthumb-config.php; the options are not set by default); even so, the use of the backtick operator seems dodgy
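To make the __destruct() finding above concrete, here is an added illustration (not TimThumb's or the plugin's own code) of the pattern and how to contain it. The class names, the cache path and the PHP 8 functions used are assumptions for this example.

```php
<?php
// Added example, not code from the plugin or from TimThumb.

// Dangerous pattern: the destructor deletes whatever $path holds. If an
// instance can ever be produced by unserialize() from untrusted input,
// the destructor becomes a file-deletion gadget.
class CacheEntry
{
    public function __construct(private string $path) {}

    public function __destruct()
    {
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Hardened variant: store only a basename and re-validate the resolved
// path against the cache directory at destruction time.
class SafeCacheEntry
{
    private const CACHE_DIR = __DIR__ . '/timthumb/cache'; // assumed location
    private string $path;

    public function __construct(string $name)
    {
        $this->path = self::CACHE_DIR . '/' . basename($name);
    }

    public function __destruct()
    {
        $real = realpath($this->path);
        $dir  = realpath(self::CACHE_DIR);
        if ($real !== false && $dir !== false
            && str_starts_with($real, $dir . DIRECTORY_SEPARATOR)) {
            unlink($real);
        }
    }
}

// Wherever untrusted data must be unserialized, forbid object creation so
// that no class's __destruct() or __wakeup() is reachable at all.
function safeUnserialize(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}
```

With allowed_classes set to false, any serialized object in the input is restored as __PHP_Incomplete_Class rather than a live instance, so its destructor never runs.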
No issues were found, but I think more time should be devoted to investigating TimThumb if you are considering using this plugin.
Reason for the 'Use with caution' result
The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:
This plugin seems safe, but uses TimThumb, which has a poor history and does not look so safe.