- SQL escaping is somewhat idiosyncratic, e.g. “(int)htmlspecialchars()”
- Uses htmlspecialchars() combined with a cast to int (where a plain cast to int, or absint(), would do), and uses abs( (int) … ) instead of the WordPress function absint()
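As an added illustration (not code from the plugin or from this review), the flagged pattern beside the idiomatic WordPress form; `$wpdb`, `absint()` and the posts table are assumed from a WordPress context, and the lookup query itself is a constructed example.

```php
<?php
// Constructed example for this review; not the plugin's code.
// Assumes a loaded WordPress environment ($wpdb, absint()).

// Why the pattern is idiosyncratic rather than unsafe: htmlspecialchars() only
// rewrites &, <, >, " and ' into entities, and every entity starts with "&",
// which is not a digit. An (int) cast keeps only the leading digits, so the
// escaping step never changes the result; the cast alone does all the work.
function cast_equivalence( $raw ) {
    return array(
        'with_escape' => (int) htmlspecialchars( $raw ),
        'plain_cast'  => (int) $raw,
    );
}
// cast_equivalence( '12<script>' ) gives 12 for both keys;
// cast_equivalence( '&5' ) gives 0 for both keys.

// Pattern flagged in the review: HTML escaping, then a cast, then abs().
function flagged_lookup( $raw_id ) {
    global $wpdb;
    $id = abs( (int) htmlspecialchars( $raw_id ) ); // same value as abs( (int) $raw_id )
    // Safe only because $id is already an integer; the query's safety is
    // implicit in the cast rather than stated at the query.
    return $wpdb->get_row( "SELECT * FROM {$wpdb->posts} WHERE ID = $id" );
}

// Idiomatic WordPress form: absint() for a non-negative integer, and
// $wpdb->prepare() with a %d placeholder so the query is safe on its own terms.
function idiomatic_lookup( $raw_id ) {
    global $wpdb;
    $id = absint( $raw_id );
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->posts} WHERE ID = %d", $id )
    );
}
```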
This recommendation applies to version 3.5.5 of this plugin, but the most recent version is 3.7.1. These findings may no longer be correct.