Findings
- At over 26,000 lines of PHP this is a very large plugin, which makes it difficult to thoroughly assess
- Uses eval() in php code (the value to be eval’d only contains whitelisted characters but it is unknown if this is secure enough)
- Uses create_function() on values which may or may not be integers
- Uses eval() in JavaScript
- Doesn’t escape SQL properly
- Allows users authorised to use the API to insert arbitrary SQL, since arguments are escaped with esc_sql() which does not prevent SQL injection (it only escapes SQL strings – not e.g. integers, which can also be used to escape out of SQL statements)
Reason for the 'Use with caution' result
The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:
- Uses PHP’s eval() which could lead to arbitrary code execution.
- Allows admin users to enter arbitrary SQL in update statements