Plugin inspection:

Post Indexer

Use with caution

Last revised:

Confidence: Medium

This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Findings

  • Content is taken from the database and inserted directly into SQL in classes/class.model.php at lines 387, 403
  • A function argument is inserted directly into SQL in classes/class.model.php at line 593 (the function is called with a value taken from the database), line 664 (insert_or_update) and line 789; in classes/networkquery.php at line 3754, where the argument appears to be a WP Query object; and in includes/functions.php at lines 194, 201, 545, 548 and 551
  • Output is not escaped properly in the settings page, although the form appears to require a nonce
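The two patterns behind the first and third findings, shown side by side as an added illustration (this is not code from the Post Indexer plugin; the function names, the `network_posts` table and the `pi_post_type` option are hypothetical):

```php
<?php
// Added illustrative example, not code from the Post Indexer plugin.
// Left: a value that came from the database or a function argument is
// interpolated straight into SQL. Right: the same query built with
// $wpdb->prepare(), plus escaped output and a nonce for the settings form.

/**
 * UNSAFE pattern: $blog_id and $post_type reach the query as raw strings.
 * When either value originated from the database or a settings form, a
 * privileged user who controls it can change the structure of the query.
 */
function pi_count_posts_unsafe( $blog_id, $post_type ) {
    global $wpdb;
    $table = $wpdb->base_prefix . 'network_posts'; // hypothetical table name
    $sql   = "SELECT COUNT(*) FROM {$table} "
           . "WHERE blog_id = {$blog_id} AND post_type = '{$post_type}'";
    return (int) $wpdb->get_var( $sql );
}

/**
 * SAFE pattern: values are bound through placeholders, so they can only
 * ever be data. prepare() binds values, not identifiers, so the table name
 * must still come from a trusted source such as the $wpdb prefix.
 */
function pi_count_posts_safe( $blog_id, $post_type ) {
    global $wpdb;
    $table = $wpdb->base_prefix . 'network_posts'; // hypothetical table name
    $sql   = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE blog_id = %d AND post_type = %s",
        (int) $blog_id,
        $post_type
    );
    return (int) $wpdb->get_var( $sql );
}

/**
 * Settings page output: escape at the point of output with esc_attr() and
 * emit a nonce field so the save handler can verify the request with
 * check_admin_referer( 'pi_save_settings', 'pi_settings_nonce' ).
 */
function pi_render_setting_field( $option_value ) {
    wp_nonce_field( 'pi_save_settings', 'pi_settings_nonce' );
    printf(
        '<input type="text" name="pi_post_type" value="%s">',
        esc_attr( $option_value )
    );
}
```

A review of the lines cited above should confirm that each query reaching `$wpdb->query()` or `$wpdb->get_var()` is either built with `prepare()` or contains no data that a user or the database can influence.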

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

An admin user or a compromised admin account may be able to perform SQL injection (SQLi) attacks.

Failure criteria

  • Execution of unprepared SQL statements
  • Lack of proper output escaping

Read more about our failure criteria.