Plugin inspection:

Image Slider

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Warnings

This recommendation applies to version 1.1.41 of this plugin, but the most recent version is 1.1.127. These findings may no longer be correct.

Findings

  • Appears to allow users with the edit_post/edit_page capability to arbitrarily delete or add postmeta
  • Puts postmeta (ewic_meta_list_mode) directly into JavaScript without escaping
  • ewic_nag_ignore doesn’t check nonces, though judging by the function’s name that is probably not a significant issue
  • Puts a lot of values into HTML/JS without escaping (they may have been escaped elsewhere, but that’s hard to ascertain)
  • Loads content from http://content.ghozylab.com/feed.php (note the lack of HTTPS), meaning whoever controls the domain (or an MITM attacker) can load arbitrary content into /wp-admin/
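As an added illustration, not code from the plugin or from this review, the following PHP shows the hardened counterparts of the patterns flagged above: a nonce plus per-post capability check before writing postmeta, JSON-encoding a meta value before emitting it into inline JavaScript, and fetching remote content over HTTPS with its body sanitised. The hook name, nonce action, meta-key allow-list and feed URL are assumptions.

```php
<?php
// Added illustration (not the plugin's code): hardened patterns for the findings
// above. Hook name, nonce action, meta-key allow-list and feed URL are assumptions.

// 1. AJAX handler that writes postmeta: verify the nonce AND the per-post capability.
add_action( 'wp_ajax_ewic_save_meta', 'ewic_example_save_meta' );
function ewic_example_save_meta() {
    // Stops the request (dies with -1) unless a valid nonce for this action is present.
    check_ajax_referer( 'ewic_save_meta', 'nonce' );
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    // Check the capability against *this* post, not merely "can edit some post".
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Only accept meta keys the plugin owns; never a caller-chosen key.
    $allowed = array( 'ewic_meta_list_mode' );
    $key = isset( $_POST['key'] ) ? sanitize_key( $_POST['key'] ) : '';
    if ( ! in_array( $key, $allowed, true ) ) {
        wp_send_json_error( 'invalid key', 400 );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_post_meta( $post_id, $key, $value );
    wp_send_json_success();
}

// 2. Emitting postmeta into inline JavaScript: encode it instead of interpolating it.
function ewic_example_inline_js( $post_id ) {
    $mode = get_post_meta( $post_id, 'ewic_meta_list_mode', true );
    // wp_json_encode yields a JS string literal; quotes are escaped and "/" becomes
    // "\/", so a stored "</script>" cannot terminate the script element.
    return '<script>var ewicListMode = ' . wp_json_encode( (string) $mode ) . ';</script>';
}

// 3. Remote content rendered in wp-admin: fetch over HTTPS and treat the body as untrusted.
function ewic_example_fetch_feed() {
    // Placeholder HTTPS URL; keep the default 'sslverify' => true so the certificate is validated.
    $resp = wp_remote_get( 'https://feed.example.invalid/feed.php', array( 'timeout' => 5 ) );
    if ( is_wp_error( $resp ) || 200 !== (int) wp_remote_retrieve_response_code( $resp ) ) {
        return '';
    }
    // wp_kses_post strips script tags and event handlers; only post-safe HTML survives.
    return wp_kses_post( wp_remote_retrieve_body( $resp ) );
}
```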

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

Failure criteria

  • Unsafe file or network IO
  • Lack of proper output escaping

Read more about our failure criteria.