Plugin inspection:

Connections Business Directory

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Warnings

This recommendation applies to version 8.1.2 of this plugin, but the most recent version is 9.17. These findings may no longer be correct.

Findings

  • At over 29,000 lines of PHP this is a very large plugin, which makes it difficult to thoroughly assess
  • vendor/timthumb/timthumb.php contains a __destruct() method which deletes arbitrary files. However there appear to be no instances of timthumb.php being included so this is unlikely to be of use to an attacker
  • Inserts values into SQL without escaping them
  • Uses variables in create_function()

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

Does not escape SQL consistently, and uses create_function().

Failure criteria

  • Execution of unprepared SQL statements
  • Unsafe generation of PHP code
  • Very large codebase

Read more about our failure criteria.