This plugin is poorly-written. Among the issues identified are:
- No SQL escaping (but it does not immediately appear exploitable).
- No HTML escaping, may be vulnerable to XSS attacks.
- Produces many PHP notices during normal operation.
- Code is idiosyncratic in places. Sometimes uses include() where a function would be more appropriate (see line 555 of content-scheduler.php for an instance of this).
We are confident more problems would be found on a deeper inspection of the code.
Reason for the 'Potentially unsafe' result
The plugin contains or is likely to contain a vulnerability which could be exploited by an end user and which would compromise the site’s confidentiality, integrity or availability:
Probable admin XSS which could be used by an editor/author to hijack an administrator session.