- SQL is not escaped (upload.php, lines 131, 141, 148, 156), probably only exploitable by an admin
- Uses mysql_* functions instead of $wpdb
- Note that it adds nonce values as URL parameters instead of as hidden fields in the forms
Reason for the 'Use with caution' result
The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:
May contain SQL injection vulnerabilities, probably only exploitable by admin users.