Plugin inspection:

Collapse-O-Matic

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Warnings

This recommendation applies to version 1.7.1 of this plugin, but the most recent version is 1.7.13. These findings may no longer be correct.

Findings

  • The code appears to call a remote API with a configurable URL, but the default URL does not use HTTPS, and even if the URL were overridden by defining a constant, the wp_remote_get() call sets ‘sslverify’ => false. A value from the JSON returned by the API is stored in the database and displayed to the user without escaping. This means that anybody able to take control of plugins.twinpictures.de (or intercept the network connection between the WordPress server and the world) would be able to put arbitrary HTML into an area visible to admin users.
  • However, I don’t see how to make the plugin make a request to that URL – perhaps it requires another plugin to be present, or perhaps the code is merely vestigial?
  • The values in the form are not escaped, and thus in the situation where an admin user has the manage_options capability but not the unfiltered_html capability, they would be allowed by this plugin to exceed their privileges.
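
The following is an added illustration, not code from Collapse-O-Matic or its authors: the insecure remote-fetch and unescaped-display pattern the findings describe, beside a hardened version, plus a settings sanitizer that respects the unfiltered_html capability. All function names, option names, the constant and the endpoint URL are hypothetical placeholders; only the WordPress API calls are real.

```php
<?php
// Added example (hypothetical names; not the plugin's own code).

// Insecure pattern: plain-HTTP default, TLS verification disabled, API value
// stored and echoed unescaped. Whoever controls the endpoint or the network
// path controls the HTML rendered on the admin page.
function com_example_fetch_insecure() {
    $url = defined( 'COM_EXAMPLE_API_URL' ) ? COM_EXAMPLE_API_URL : 'http://example.invalid/api.json';
    $response = wp_remote_get( $url, array( 'sslverify' => false ) );
    if ( is_wp_error( $response ) ) {
        return;
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    update_option( 'com_example_message', $data['message'] );
}

function com_example_show_insecure() {
    echo get_option( 'com_example_message' ); // unescaped HTML reaches admin users
}

// Hardened pattern: HTTPS enforced, certificate verification left on (the
// WordPress default), response validated before use, value stored as plain
// text and escaped at output time.
function com_example_fetch_hardened() {
    $url = defined( 'COM_EXAMPLE_API_URL' ) ? COM_EXAMPLE_API_URL : 'https://example.invalid/api.json';
    if ( 'https' !== wp_parse_url( $url, PHP_URL_SCHEME ) ) {
        return; // refuse to contact a non-TLS endpoint, even if the constant says so
    }
    $response = wp_remote_get( $url, array( 'sslverify' => true, 'timeout' => 10 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return;
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $data ) || ! isset( $data['message'] ) || ! is_string( $data['message'] ) ) {
        return; // malformed or unexpected JSON is ignored rather than stored
    }
    update_option( 'com_example_message', sanitize_text_field( $data['message'] ) );
}

function com_example_show_hardened() {
    echo esc_html( get_option( 'com_example_message', '' ) );
}

// Settings form: an admin with manage_options but without unfiltered_html
// gets their submitted markup filtered, so the plugin cannot be used to
// exceed the capabilities WordPress already grants them.
function com_example_sanitize_setting( $value ) {
    return current_user_can( 'unfiltered_html' ) ? $value : wp_kses_post( $value );
}
```

Register `com_example_sanitize_setting` as the `sanitize_callback` of `register_setting()` so the filter runs on every save, not only in the form handler.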

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

Communicating with a third-party service and displaying arbitrary HTML from it will not result in a lowered recommendation, but communicating without encryption will.

Failure criteria

  • Unsafe file or network IO
  • Lack of proper output escaping

Read more about our failure criteria.