Disclosure: This plugin was inspected at the request of the plugin author. dxw were given a copy of the plugin for review purposes.

• At over 12,000 lines of code, this plugin is too large for a limited review such as this to fully explore the entire codebase
• Function OW_Auto_Submit_Service->get_unsubmitted_posts takes content from the database and puts it directly into an SQL query. This might allow an admin user being able to perform SQL injection attacks
• Uses ‘sslverify’ => false on for every call to wp_remote_post and wp_remote_get. This could open the site up to MITM attacks
• Not all HTML output is escaped properly. For example, the “Oasis Workflow Pro license key” option accepts arbitrary HTML which is not escaped
• Uses unserialize on user-controlled data (i.e. in the workflow import process), which could make this plugin vulnerable to PHP object injection attacks
• If functions wp_get_current_user and get_currentuserinfo are undefined, it fetches the current user by looking at a username stored in a cookie (in function OW_Utility->get_current_user()). This may allow anybody to masquerade as any user on the site

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

• May be vulnerable to SQL injection