- The code appears to call a remote API with a configurable URL, but the default URL does not use HTTPS, and even if the URL were overridden by defining a constant, the wp_remote_get() call sets ‘sslverify’ => false. A value from the JSON returned by the API is stored in the database and displayed to the user without escaping. This means that anybody able to take control of plugins.twinpictures.de (or to intercept the network connection between the WordPress server and the world) would be able to put arbitrary HTML into an area visible to admin users.
- However, I don’t see how to make the plugin make a request to that URL – perhaps it requires another plugin to be present, or perhaps the code is merely vestigial?
- The values in the form are not escaped, and thus in the situation where an admin user has the manage_options capability but not the unfiltered_html capability, they would be allowed by this plugin to exceed their privileges.
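To make the two findings concrete, here is an added example (not the plugin's code) showing the insecure pattern described above beside a hardened version; the option names, the endpoint path and the EXAMPLE_API_URL_OVERRIDE constant are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Option names, endpoint path and
// the override constant are hypothetical; only the hostname comes from the review.

const EXAMPLE_API_URL = 'https://plugins.twinpictures.de/example-endpoint'; // hypothetical path

/* --- Insecure pattern: plaintext default, no certificate check, raw storage, raw output --- */
function example_fetch_notice_insecure() {
    $url = defined( 'EXAMPLE_API_URL_OVERRIDE' ) ? EXAMPLE_API_URL_OVERRIDE : 'http://plugins.twinpictures.de/example-endpoint';
    $response = wp_remote_get( $url, array( 'sslverify' => false ) ); // anyone on the path can substitute the body
    $data     = json_decode( wp_remote_retrieve_body( $response ), true );
    update_option( 'example_notice', $data['notice'] );               // untrusted HTML stored as-is
}
function example_render_notice_insecure() {
    echo get_option( 'example_notice' );                               // rendered unescaped to admins
}

/* --- Hardened pattern: HTTPS only, verified certificate, validated and escaped --- */
function example_fetch_notice_secure() {
    $response = wp_remote_get( EXAMPLE_API_URL, array( 'sslverify' => true, 'timeout' => 5 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return; // keep the previous value rather than storing an error body
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $data ) || ! isset( $data['notice'] ) || ! is_string( $data['notice'] ) ) {
        return; // unexpected shape: do not store anything
    }
    update_option( 'example_notice', sanitize_text_field( $data['notice'] ) ); // treat the value as plain text
}
function example_render_notice_secure() {
    echo esc_html( get_option( 'example_notice', '' ) );             // escape at output regardless of source
}

/* --- Saving a settings field so a manage_options admin cannot exceed unfiltered_html --- */
function example_save_form_field( $raw ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // Users without unfiltered_html get the same HTML filtering WordPress applies to post content.
    $value = current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw );
    update_option( 'example_form_field', $value );
}
function example_render_form_field() {
    // Escape for the attribute context even though the stored value was filtered on save.
    echo '<input type="text" name="example_form_field" value="' . esc_attr( get_option( 'example_form_field', '' ) ) . '">';
}
```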
Reason for the 'Use with caution' result
The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:
Communicating with a third-party service and displaying arbitrary HTML from it will not result in a lowered recommendation, but communicating without encryption will.