Plugin inspection:

CMS Tree Page View

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Warnings

This recommendation applies to version 1.2.21 of this plugin, but the most recent version is 1.6.8. These findings may no longer be correct.

Findings

  • Uses create_function() on a value provided by admin users (functions.php line 552), though it's not exploitable (only admin users can set the value, and they can do so directly through the settings page, which doesn't validate its inputs, without resorting to SQL)
  • SQL is not escaped in many places, though no exploitable vulnerabilities were found. functions.php line 793 appears vulnerable, but further investigation reveals that the $post_type variable ultimately comes from $_GET['post_type'], which is also passed to get_post_type_object(), and so the vulnerable-looking code does not actually get executed
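As an added illustration (not the plugin's code and not from the reviewer), the two patterns the findings describe, each beside a hardened form; the function names, the option name 'cms_tpv_sort' and the count query are hypothetical stand-ins for what the review found:

```php
<?php
// Hypothetical illustration of the two findings above, not the plugin's code.
// Function names, the option 'cms_tpv_sort' and the query are made up.

// --- Finding 1: create_function() on an admin-supplied value ---
// Weak: the stored string becomes PHP source, so whoever can write the option
// can run arbitrary code in the site's context. (create_function() is also
// deprecated since PHP 7.2 and removed in PHP 8.0.)
function cms_tpv_sorter_weak() {
    $expr = get_option('cms_tpv_sort'); // e.g. "return strcmp($a, $b);"
    return create_function('$a, $b', $expr);
}

// Hardened: the stored value only selects one of a fixed set of comparators;
// no string is ever evaluated as code, and unknown keys fall back to a default.
function cms_tpv_sorter_hardened() {
    $allowed = [
        'title' => function ($a, $b) { return strcmp($a->post_title, $b->post_title); },
        'date'  => function ($a, $b) { return strcmp($a->post_date, $b->post_date); },
    ];
    $key = get_option('cms_tpv_sort', 'title');
    return isset($allowed[$key]) ? $allowed[$key] : $allowed['title'];
}

// --- Finding 2: a request value interpolated into SQL ---
// Weak: $post_type comes straight from $_GET and is concatenated unescaped.
function cms_tpv_count_weak($post_type) {
    global $wpdb;
    return (int) $wpdb->get_var(
        "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_type = '$post_type'"
    );
}

// Hardened: reject anything that is not a registered post type (the check the
// review notes get_post_type_object() effectively provides), then bind the
// value with $wpdb->prepare() instead of interpolating it.
function cms_tpv_count_hardened($post_type) {
    global $wpdb;
    if (get_post_type_object($post_type) === null) {
        return 0; // unknown post type: refuse rather than query
    }
    return (int) $wpdb->get_var($wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_type = %s",
        $post_type
    ));
}
```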

Reason for the 'Use with caution' result

The plugin meets a large number of failure criteria and is of poor quality, leading the tester to fear that subsequent versions of the plugin are likely to introduce vulnerabilities:

The plugin comes close to containing an arbitrary code execution (ACE) flaw and close to containing an SQL injection (SQLi) flaw, so caution should be taken when using this plugin.

Failure criteria

  • Lack of input sanitisation
  • Execution of unprepared SQL statements
  • Unsafe generation of PHP code

Read more about our failure criteria.