- At over 13,000 lines of PHP this is a very large plugin, which makes it difficult to thoroughly assess
- Variables from unknown sources are put directly into SQL without escaping (core/class-itsec-lockout.php line 149)
- Encourages the user to make wp-config.php writeable by the PHP user (this is not in general safe): “Many of the functions of this plugin require editing your wp-config.php or .htaccess files. Would you like to allow us to safely update these files for you automatically?”
Reason for the 'Use with caution' result
The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:
Potential SQL injection.