Findings
Disclosure: This plugin was inspected at the request of the plugin author. dxw were given a copy of the plugin for review purposes.
- At over 12,000 lines of code, this plugin is too large for a limited review such as this to fully explore the entire codebase
- Function OW_Auto_Submit_Service->get_unsubmitted_posts takes content from the database and puts it directly into an SQL query. This might allow an admin user to perform SQL injection attacks
- Uses ‘sslverify’ => false for every call to wp_remote_post and wp_remote_get. This could open the site up to MITM attacks
- Not all HTML output is escaped properly. For example, the “Oasis Workflow Pro license key” option accepts arbitrary HTML which is not escaped
- Uses unserialize on user-controlled data (i.e. in the workflow import process), which could make this plugin vulnerable to PHP object injection attacks
- If functions wp_get_current_user and get_currentuserinfo are undefined, it fetches the current user by looking at a username stored in a cookie (in function OW_Utility->get_current_user()). This may allow anybody to masquerade as any user on the site
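The findings above describe recurring WordPress/PHP patterns rather than anything specific to one file. As an added illustration that is not code from the plugin or from dxw's review, the following pairs each weak pattern with the hardened WordPress idiom a reviewer would expect instead. Every function name (ow_example_*), the $stored_statuses parameter, the column and option names, and the error code are hypothetical.

```php
<?php
// Added illustration, not code from the Oasis Workflow Pro plugin. Each function
// names the weak pattern from the corresponding finding in a comment and then
// shows the hardened idiom. All ow_example_* names are hypothetical.

// Finding: data read back from the database is still untrusted input. Interpolating
// it into SQL allows second-order injection; $wpdb->prepare binds it as parameters.
function ow_example_get_unsubmitted_posts( $wpdb, array $stored_statuses ) {
    // $stored_statuses: strings previously saved in an option or meta row (hypothetical).
    // Weak: "... IN ('" . implode( "','", $stored_statuses ) . "')" built by string concatenation.
    $placeholders = implode( ', ', array_fill( 0, count( $stored_statuses ), '%s' ) );
    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_status IN ( $placeholders )",
        $stored_statuses
    );
    return $wpdb->get_col( $sql );
}

// Finding: 'sslverify' => false on wp_remote_post / wp_remote_get.
function ow_example_remote_post( $url, array $body ) {
    // Weak: array( 'sslverify' => false ) disables certificate checks, so any on-path
    // party can impersonate the remote host.
    // Hardened: omit the key; the HTTP API verifies TLS certificates by default.
    $response = wp_remote_post( $url, array( 'body' => $body, 'timeout' => 15 ) );
    if ( is_wp_error( $response ) ) {
        // Surface the failure instead of weakening verification to make the call "work".
        return $response;
    }
    return wp_remote_retrieve_body( $response );
}

// Finding: option values (e.g. a license key) rendered without escaping.
function ow_example_render_license_field( $option_name ) {
    $value = get_option( $option_name, '' );
    // Weak: echo '<input value="' . $value . '">' renders stored HTML verbatim.
    // Hardened: escape for the attribute context at the point of output.
    printf(
        '<input type="text" name="%s" value="%s" />',
        esc_attr( $option_name ),
        esc_attr( $value )
    );
}

// Finding: unserialize() on user-controlled import data.
function ow_example_import_workflow( $uploaded_text ) {
    // Weak: unserialize( $uploaded_text ) instantiates whatever classes the payload
    // names, which is the entry point for PHP object injection.
    // Hardened: use a data-only format; JSON cannot describe PHP objects.
    $data = json_decode( $uploaded_text, true );
    if ( json_last_error() !== JSON_ERROR_NONE || ! is_array( $data ) ) {
        return new WP_Error( 'ow_example_bad_import', 'Import file is not valid JSON.' );
    }
    return $data;
    // If a legacy serialized format must still be read, PHP 7.0+ supports
    // unserialize( $s, array( 'allowed_classes' => false ) ), which refuses to
    // build objects and returns __PHP_Incomplete_Class instances instead.
}

// Finding: current user reconstructed from a username stored in a cookie.
function ow_example_current_user_id() {
    // Weak: reading $_COOKIE['username'] and trusting it lets any visitor pick an identity.
    // Hardened: only the core authentication layer decides who is logged in; if it
    // is not loaded yet, treat the request as anonymous (user ID 0).
    if ( ! function_exists( 'wp_get_current_user' ) ) {
        return 0;
    }
    return get_current_user_id();
}
```

The design point common to all five is that the safe call sits at the trust boundary: parameters are bound when the query is built, escaping happens at output, certificate verification stays on, deserialization uses a format that cannot carry code, and identity is taken only from the authentication layer rather than from anything the client sends.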
Reason for the 'Use with caution' result
The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:
- May be vulnerable to SQL injection