Plugin inspection: Medium

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings.

Findings

  • Writes values returned from the Medium API directly into the database without sanitisation or escaping
  • Some of those values are also then echoed into WordPress admin pages without escaping
  • Writes $_POST values directly to the database without sanitisation or escaping
  • Does not make use of WPDB’s prepare() method, or alternative form of SQL statement escaping

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

This plugin writes results from the Medium API directly to the WordPress database, without sanitisation or escaping. If the API were hijacked, this could be used to perform a SQL injection, or insert other malicious content. Unexpected results could also cause database errors.

Some values from the API are later echoed into WordPress admin pages without escaping.

The plugin does not escape data from $_POST variables before writing them to the database. However, WordPress’ emulation of magic_quotes_gpc prevents this from being a SQL injection vulnerability.
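To make the three findings concrete, the following is an added illustration written for this review, not code taken from the plugin under inspection. It shows the unsafe patterns the findings describe next to hardened forms using WordPress’ own $wpdb->prepare(), sanitize_*() and esc_*() APIs. The table name, option key, nonce action and function names are hypothetical.

```php
<?php
// Added illustrative example; not code from the reviewed plugin.
// Table name, option key, nonce action and function names are hypothetical.

// --- Patterns the findings describe (unsafe) ---

function demo_store_post_unsafe( $api_post ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_medium_posts';
    // Values decoded from an HTTP API response are untrusted input.
    // Interpolating them straight into SQL lets a hijacked or misbehaving
    // API alter the statement; a stray quote alone breaks the query.
    $wpdb->query(
        "INSERT INTO $table (medium_id, title, url)
         VALUES ('{$api_post['id']}', '{$api_post['title']}', '{$api_post['url']}')"
    );
}

function demo_render_title_unsafe( $row ) {
    // Raw echo into an admin page: stored markup is rendered for admins.
    echo '<h2>' . $row->title . '</h2>';
}

// --- Hardened forms ---

function demo_store_post_safe( $api_post ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_medium_posts';

    // 1. Validate the shape first: reject payloads missing required fields,
    //    so an unexpected response cannot reach the database at all.
    if ( ! is_array( $api_post ) || empty( $api_post['id'] ) ) {
        return new WP_Error( 'demo_bad_response', 'Unexpected API payload' );
    }

    // 2. Sanitise each value according to what it is meant to be.
    $medium_id = sanitize_text_field( (string) $api_post['id'] );
    $title     = sanitize_text_field( $api_post['title'] ?? '' );
    $url       = esc_url_raw( $api_post['url'] ?? '' );

    // 3. Use prepare() placeholders instead of string interpolation, so a
    //    value can never change the structure of the SQL statement.
    //    ($table comes from $wpdb->prefix, not from input, so it is safe here.)
    $sql = $wpdb->prepare(
        "INSERT INTO {$table} (medium_id, title, url) VALUES (%s, %s, %s)",
        $medium_id,
        $title,
        $url
    );
    return $wpdb->query( $sql );
}

function demo_save_settings_safe() {
    // $_POST is untrusted even though WordPress adds slashes to GPC data:
    // check capability and nonce, then unslash and sanitise before storing.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'demo_medium_settings' );

    $username = isset( $_POST['demo_medium_user'] )
        ? sanitize_text_field( wp_unslash( $_POST['demo_medium_user'] ) )
        : '';
    update_option( 'demo_medium_user', $username );
}

function demo_render_title_safe( $row ) {
    // Escape at output time, for the HTML context the value lands in.
    echo '<h2>' . esc_html( $row->title ) . '</h2>';
}
```

For plain inserts, $wpdb->insert( $table, $data, $format ) is an equally acceptable alternative to a hand-written prepare() call, since it escapes every value according to the supplied format array; the point of the finding is that values must never be concatenated into SQL unescaped, whichever helper is used.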

Failure criteria

  • Lack of input sanitisation
  • Execution of unprepared SQL statements
  • Lack of proper output escaping
