Plugin inspection:

AVH Extended Categories Widgets

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.


This recommendation applies to version 3.7.1 of this plugin, but the most recent version is 4.0.1. These findings may no longer be correct.


  • Generates¬†error messages
  • SQL is not escaped at the point of use in some instances
  • 2.8/class/avh-ec.admin.php contains several potential SQL injections, but files within 2.8 only seem to be required if the WordPress¬†version is less than 3.3
  • Uses unserialize() which is generally inadvisable, it’s unclear if it’s possible to unserialize user-provided strings

Reason for the 'Use with caution' result

The plugin appears not to be vulnerable, but could interact with another component in such a way as to become vulnerable:

Using this plugin with versions of WP less than 3.3 will cause it to be vulnerable to multiple SQL injections.

Failure criteria

  • Execution of unprepared SQL statements

Read more about our failure criteria.