Plugin inspection:

Image Slider

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Findings

  • Appears to allow users with edit_post/edit_page cap to arbitrarily delete/add postmeta
  • Puts postmeta (ewic_meta_list_mode) directly into JavaScript without escaping
  • ewic_nag_ignore doesn’t check nonces, but judging by the function’s name that’s probably not a big issue
  • Puts a lot of values into HTML/JS without escaping (it may have been escaped elsewhere, but that’s hard to ascertain)
  • Loads content from http://content.ghozylab.com/feed.php (note the lack of HTTPS), so whoever controls the domain (or a man-in-the-middle attacker) can load arbitrary content into /wp-admin/
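
The findings above describe three recurring WordPress plugin defects: postmeta written into inline JavaScript without escaping, a handler that changes postmeta with no nonce check and no per-post capability check, and an admin-side feed fetched over plain HTTP. The block below is an added example written for this review, not code from the Image Slider plugin or its author; it shows the hardened form of each pattern using standard WordPress APIs. The function names prefixed ewic_example_, the AJAX action name, the allowed values for ewic_meta_list_mode, the transient name and the assumption that the feed host also serves HTTPS are all hypothetical.

```php
<?php
// Added example, not the plugin's own code. Assumptions: the ewic_example_*
// names, the AJAX action name, the 'grid'/'list' value set, and that
// content.ghozylab.com answers over HTTPS.

// 1. Emit a postmeta value into inline JavaScript.
//    Unsafe shape described in the findings (do not use):
//      echo '<script>var mode = "' . $mode . '";</script>';
//    wp_json_encode() yields a proper JS literal, so quotes, backslashes
//    and '</script>' sequences in the stored value cannot break out.
function ewic_example_print_list_mode( $post_id ) {
    $mode = get_post_meta( $post_id, 'ewic_meta_list_mode', true );
    echo '<script>var ewicListMode = ' . wp_json_encode( (string) $mode ) . ';</script>';
}

// 2. AJAX handler that modifies postmeta. Three checks the findings say are
//    missing or too weak: a nonce bound to this action, an edit_post check
//    scoped to the specific post (not just "has the edit_post cap"), and a
//    fixed allow-list so the caller cannot name an arbitrary meta key.
function ewic_example_save_meta() {
    check_ajax_referer( 'ewic_example_save_meta', 'nonce' ); // dies on failure

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Only this key, and only these values, may be written through the handler.
    $allowed = array( 'ewic_meta_list_mode' => array( 'grid', 'list' ) );

    $key = isset( $_POST['meta_key'] ) ? sanitize_key( wp_unslash( $_POST['meta_key'] ) ) : '';
    if ( ! isset( $allowed[ $key ] ) ) {
        wp_send_json_error( 'unknown meta key', 400 );
    }

    $value = isset( $_POST['meta_value'] ) ? sanitize_text_field( wp_unslash( $_POST['meta_value'] ) ) : '';
    if ( ! in_array( $value, $allowed[ $key ], true ) ) {
        wp_send_json_error( 'value not permitted', 400 );
    }

    update_post_meta( $post_id, $key, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_ewic_example_save_meta', 'ewic_example_save_meta' );

// 3. Remote content shown inside wp-admin. Fetch over TLS with certificate
//    verification, fail closed on any error, reduce the response to the
//    post-safe HTML subset, and cache it so every admin page load is not a
//    network request.
function ewic_example_fetch_feed() {
    $cached = get_transient( 'ewic_example_feed' );
    if ( false !== $cached ) {
        return $cached;
    }

    $response = wp_remote_get(
        'https://content.ghozylab.com/feed.php', // HTTPS assumed available
        array( 'timeout' => 5, 'sslverify' => true )
    );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return ''; // render nothing rather than untrusted or partial content
    }

    $html = wp_kses_post( wp_remote_retrieve_body( $response ) );
    set_transient( 'ewic_example_feed', $html, HOUR_IN_SECONDS );
    return $html;
}
```

The same check_ajax_referer / wp_verify_nonce pattern from the second function is what a dismiss handler such as ewic_nag_ignore would use, even where the consequence of a forged request is only a hidden notice. The allow-list in that function is the part that addresses "arbitrarily delete/add postmeta": restricting the key and value set means the edit_post capability only lets a user change the plugin's own setting on posts they can already edit.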

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

Failure criteria

  • Unsafe file or network IO
  • Lack of proper output escaping

Read more about our failure criteria.