Plugin inspection:

GD Star Rating

Potentially unsafe

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should very carefully consider its potential problems and should conduct a thorough assessment. Read more about this recommendation.

Warnings

The version of this plugin that this recommendation was based on is known to be vulnerable to attack:

Findings

The plugin is extremely large at over 16k SLOC of PHP. SQL is not escaped. Requires PHP files within the plugin directory to be executable. HTML is not escaped in many instances.

Reason for the 'Potentially unsafe' result

The plugin contains or is likely to contain a vulnerability which could be exploited by an end user and which would compromise the site’s confidentiality, integrity or availability:

Contains XSS vulnerability. Contains blind SQL injection vulnerability. Due to the massive amount of code and the ease with which these vulnerabilities were found, more vulnerabilities of this type seem likely.

Failure criteria

  • Lack of input sanitisation
  • Execution of unprepared SQL statements
  • Failure to use available core functionality
  • Unsafe file or network IO
  • Lack of proper output escaping
  • Very large codebase

Read more about our failure criteria.