• At over 29,000 lines of PHP this is a very large plugin, which makes it difficult to thoroughly assess
• vendor/timthumb/timthumb.php contains a __destruct() method which deletes arbitrary files. However there appear to be no instances of timthumb.php being included so this is unlikely to be of use to an attacker
• Inserts values into SQL without escaping them
• Uses variables in create_function()

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

Does not escape SQL consistently, and uses create_function().