- Generates error messages
- SQL is not escaped at the point of use in some instances
- 2.8/class/avh-ec.admin.php contains several potential SQL injections, but files within 2.8 only seem to be required if the WordPress version is less than 3.3
- Uses unserialize() which is generally inadvisable, it’s unclear if it’s possible to unserialize user-provided strings
Reason for the 'Use with caution' result
The plugin appears not to be vulnerable, but could interact with another component in such a way as to become vulnerable:
Using this plugin with versions of WP less than 3.3 will cause it to be vulnerable to multiple SQL injections.