- HTML and JS output is mostly unescaped.
- unserialize() is used on content taken from the database.
- Does not use nonces and is vulnerable to CSRF
Reason for the 'Potentially unsafe' result
The plugin contains or is likely to contain a vulnerability which could be exploited by an end user and which would compromise the site’s confidentiality, integrity or availability:
With the lack of escaping it’s fairly likely that a reflected XSS vulnerability exists. Also vulnerable to CSRF with can lead to stored XSS.