- Writes values returned from the Medium API directly into the database without sanitisation or escaping
- Some of those values are also then echoed into WordPress admin pages without escaping
- Writes $_POST values directly to the database without sanitisation or escaping
- Does not make use of WPDB’s prepare() method, or alternative form of SQL statement escaping
Reason for the 'Use with caution' result
The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:
This plugin writes results from the Medium API directly to the WordPress database, without sanitisation or escaping. If the API were hijacked, this could be used to perform a SQL injection, or insert other malicious content. Unexpected results could also cause database errors.
Some values from the API are later echoed into WordPress admin pages without escaping.
The plugin does not escape data from $_POST variables before writing them to the database. However, WordPress’ emulation of
magic_quotes_gpc prevents this being a SQL injection vulnerability.