Plugin inspection:

RAMP

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Findings

  • Overrides the memory_limit option.
  • Contains the ability to transmit data from one WordPress installation to another. A detailed security audit of the protocol used would be outside the scope of a light-touch inspection such as this.
  • Appears to use unserialize() as part of the protocol. Depending on which classes are available in this plugin or in other active plugins, unserialize() can lead to arbitrary code execution.
  • Unlinks files without checking that they reside within a particular directory. It is unknown whether this can be exploited.
  • Checks for new versions via HTTP instead of HTTPS, though it seems there is not much a MITM attack could achieve in this case.
  • The plugin contains a comment which recommends disabling TLS verification “as a last resort” (this is probably a bad idea, even as a last resort): “Define RAMP_DISABLE_SSL_VERIFY as true to disable SSL certificate validation. This significantly reduces the security of SSL, but may be necessary in environments where WordPress cannot validate the production SSL certificate. Use this as a last resort if you are seeing this error: Error (-32300): transport error: http_request_failed SSL certificate problem: Invalid certificate chain”.

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

  • Use of unserialize() could lead to arbitrary code execution (ACE) in certain situations.
  • Use of unlink() without checking for attempts at directory traversal.
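The two patterns behind this result, the unconstrained unlink() and the unserialize() of peer-supplied data, have straightforward hardened counterparts. The following PHP is an added example and not the RAMP plugin's own code; the function names and the $base_dir argument are assumptions chosen for illustration.

```php
<?php
// Added example, not the RAMP plugin's code. Function names and
// $base_dir are assumptions chosen for illustration.

// Delete a file only if its resolved path lies inside $base_dir.
// realpath() collapses "..", "./" and symlinks, so a prefix check on the
// resolved path is meaningful where a check on the raw input is not.
function example_safe_unlink(string $base_dir, string $relative): bool {
    $base   = realpath($base_dir);
    $target = realpath($base_dir . DIRECTORY_SEPARATOR . $relative);
    if ($base === false || $target === false) {
        return false; // base directory missing or target does not exist
    }
    // Require the separator after the base so "/srv/uploads-other"
    // is not accepted for base "/srv/uploads".
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false; // resolves outside the allowed directory
    }
    return unlink($target);
}

// Decode data received from the peer installation without letting it
// instantiate classes: allowed_classes => false (PHP 7.0+) turns any
// serialized object into __PHP_Incomplete_Class, so no __wakeup() or
// __destruct() of a loaded class runs. Only scalars/arrays are accepted.
function example_safe_decode(string $payload) {
    if ($payload === '') {
        return null;
    }
    $data = @unserialize($payload, ['allowed_classes' => false]);
    if ($data === false && $payload !== serialize(false)) {
        return null; // malformed input rather than a genuine serialized false
    }
    return example_contains_object($data) ? null : $data;
}

function example_contains_object($value): bool {
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (example_contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}
```

Where both ends of the protocol can be changed, exchanging json_encode() / json_decode($s, true) output instead of serialized PHP removes the class-instantiation question entirely.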

Failure criteria

  • Unsafe file or network IO

Read more about our failure criteria.