Plugin inspection:

Oasis Workflow Pro

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Findings

Disclosure: This plugin was inspected at the request of the plugin author. dxw were given a copy of the plugin for review purposes.

  • At over 12,000 lines of code, this plugin is too large for a limited review such as this to fully explore the entire codebase
  • Function OW_Auto_Submit_Service->get_unsubmitted_posts takes content from the database and puts it directly into an SQL query. This might allow an admin user being able to perform SQL injection attacks
  • Uses ‘sslverify’ => false on for every call to wp_remote_post and wp_remote_get. This could open the site up to MITM attacks
  • Not all HTML output is escaped properly. For example, the “Oasis Workflow Pro license key” option accepts arbitrary HTML which is not escaped
  • Uses unserialize on user-controlled data (i.e. in the workflow import process), which could make this plugin vulnerable to PHP object injection attacks
  • If functions wp_get_current_user and get_currentuserinfo are undefined, it fetches the current user by looking at a username stored in a cookie (in function OW_Utility->get_current_user()). This may allow anybody to masquerade as any user on the site

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

  • May be vulnerable to SQL injection

Failure criteria

  • Execution of unprepared SQL statements
  • Unsafe file or network IO
  • Lack of proper output escaping
  • Very large codebase

Read more about our failure criteria.