• At over 26,000 lines of PHP this is a very large plugin, which makes it difficult to thoroughly assess
• Uses eval() in php code (the value to be eval’d only contains whitelisted characters but it is unknown if this is secure enough)
• Uses create_function() on values which may or may not be integers
• Uses eval() in JavaScript
• Doesn’t escape SQL properly
• Allows users authorised to use the API to insert arbitrary SQL, since arguments are escaped with esc_sql() which does not prevent SQL injection (it only escapes SQL strings – not e.g. integers, which can also be used to escape out of SQL statements)

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

• Uses PHP’s eval() which could lead to arbitrary code execution.
• Allows admin users to enter arbitrary SQL in update statements