Findings
- Uses create_function() on a value provided by admin users (functions.php line 552), though it is not exploitable: only admin users can set the value, and they can do so directly through the settings page without resorting to SQL, because the settings page does not check that its inputs are valid.
- SQL is not escaped in many places, though no exploitable vulnerabilities were found. functions.php line 793 appears vulnerable, but further investigation reveals that the $post_type variable ultimately comes from $_GET['post_type'], which is also passed to get_post_type_object(), and so the vulnerable-looking code does not actually get executed with an invalid value.
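As an added illustration (constructed here, not code from the reviewed plugin, whose lines 552 and 793 are not reproduced on this page), the two patterns the findings describe and how a maintainer would close them: a create_function() call on a stored admin setting replaced with a closure whose body is fixed in source, and a post-type query that validates $post_type explicitly and binds it with $wpdb->prepare(). Function names prefixed example_ are assumed, not the plugin's.

```php
<?php
// Constructed illustration, not the plugin's own code. Assumes the WordPress
// runtime ($wpdb, get_option, sanitize_key, post_type_exists, esc_html) is loaded.

// Pattern 1: create_function() on an admin-controlled setting (finding 1).
// create_function() compiles its string argument with eval(), so whatever string
// is stored in the option becomes executable PHP. A closure keeps the code fixed
// in source; the option only supplies data, never code.
function example_make_formatter(): Closure {
    $prefix = (string) get_option( 'example_prefix', '' ); // data only
    return function ( string $title ) use ( $prefix ): string {
        return esc_html( $prefix . $title );
    };
}

// Pattern 2: $post_type reaching a raw SQL string (finding 2). The findings note
// that the same value is passed to get_post_type_object() first, which is why
// the interpolated query was not reachable with a bad value. Making that check
// explicit, and parameterising the query anyway, removes the dependence on the
// call order staying that way in future versions.
function example_count_posts_for_type( string $post_type ): int {
    global $wpdb;

    $post_type = sanitize_key( $post_type );      // lowercase [a-z0-9_-] only
    if ( ! post_type_exists( $post_type ) ) {     // reject anything unregistered
        return 0;
    }

    // $wpdb->prepare() binds the value as a quoted string, so even a registered
    // post type name with unexpected characters cannot alter the statement.
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_type = %s AND post_status = %s",
        $post_type,
        'publish'
    );
    return (int) $wpdb->get_var( $sql );
}

// Settings sanitizer for register_setting(): validate before saving so the
// stored option cannot carry a payload into either pattern above.
function example_sanitize_settings( array $input ): array {
    return array(
        'example_prefix' => sanitize_text_field( $input['example_prefix'] ?? '' ),
    );
}
```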
Reason for the 'Use with caution' result
The plugin meets a large number of failure criteria and is of poor quality, leading the tester to fear that subsequent versions of the plugin are likely to introduce vulnerabilities.
The plugin comes close to containing an arbitrary code execution (ACE) flaw and close to containing an SQL injection (SQLi); therefore caution should be taken when using this plugin.