Findings
- Trusts the value of $_SERVER['HTTP_X_FORWARDED_FOR'] as the source of the user's IP address. Unless the web server or a reverse proxy strips or overwrites that header before the request reaches PHP, unauthenticated users can insert arbitrary strings into the IP address field of the logs simply by sending the header themselves.
- Note that the IP address field is created as varchar(17), so most unauthenticated users connecting to the site via IPv6 will not have their IP addresses recorded in the database (a textual IPv6 address can be up to 39 characters, or 45 for an IPv4-mapped address; whether the insert is rejected or the value is silently truncated depends on the database's SQL mode).
- The above two issues are probably not security issues so long as the logs generated by this plugin are not used for security purposes (for example, to block or rate-limit addresses, or as evidence during incident response).
- Contains a "pass through" mode where the plugin makes an HTTP request to a target URL and then outputs the returned content as HTML, without escaping or filtering it. It is unclear what utility this feature serves, and it allows admins to seriously compromise the security of the site by including arbitrary HTML (and therefore script) from potentially untrusted third parties.
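The following is an added example, not code from the plugin under review, illustrating the first two findings: the naive X-Forwarded-For lookup that logs whatever a client sends, beside a hardened version that only honours the header when the request arrived via one of the site's own reverse proxies, takes the right-most untrusted hop, and validates it as an IP address. The function names, the $trusted_proxies list and the two request arrays are constructed for the example.

```php
<?php
// Added example, not the plugin's own code. Function names, the proxy list
// and the sample requests below are illustrative assumptions.

// Vulnerable pattern: whatever the client puts in X-Forwarded-For is returned
// verbatim and ends up in the IP address column of the log table.
function client_ip_naive(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $server['HTTP_X_FORWARDED_FOR'];
    }
    return $server['REMOTE_ADDR'] ?? '';
}

// Hardened pattern: honour X-Forwarded-For only when the TCP peer is one of
// our own reverse proxies, walk the comma-separated list from the right
// (proxies append, so the right-most non-proxy entry is the address our proxy
// actually saw), and accept only a syntactically valid address.
function client_ip_safe(array $server, array $trusted_proxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trusted_proxies, true)) {
        // Direct connection: the header is entirely client-controlled, ignore it.
        return $remote;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], $trusted_proxies, true)) {
            continue; // an intermediate proxy of ours; keep walking left
        }
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) !== false) {
            return $hops[$i];
        }
        break; // first untrusted hop is not an IP: never log attacker data
    }
    // Nothing usable in the header: record the proxy's address, not garbage.
    return $remote;
}

// Whether a value fits a varchar column of the given width. A textual IPv6
// address is up to 39 characters (45 for IPv4-mapped), so varchar(17) cannot
// hold most IPv6 addresses; varchar(45) can hold any of them.
function fits_column(string $ip, int $width): bool
{
    return strlen($ip) <= $width;
}

// Assumed deployment: one reverse proxy at 10.0.0.2 in front of PHP.
$trusted_proxies = ['10.0.0.2'];

// Constructed request 1: attacker connects directly and sends a payload.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.5',
    'HTTP_X_FORWARDED_FOR' => '<script>alert(1)</script>',
];
// Constructed request 2: IPv6 client via our proxy. The client spoofed a
// leading hop; the proxy passed it through and appended the real peer address.
$proxied = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 2001:db8:85a3::8a2e:370:7334',
];

foreach (['direct' => $direct, 'proxied' => $proxied] as $label => $req) {
    $naive = client_ip_naive($req);
    $safe  = client_ip_safe($req, $trusted_proxies);
    printf("%-8s naive=%-44s safe=%-30s varchar(17)=%s varchar(45)=%s\n",
        $label, $naive, $safe,
        fits_column($safe, 17) ? 'ok' : 'too long',
        fits_column($safe, 45) ? 'ok' : 'too long');
}
```

For the direct request the naive version logs the script tag while the hardened one logs 203.0.113.5; for the proxied request the naive version logs the whole spoofed list, and the hardened one logs the real IPv6 peer, which would not fit the plugin's varchar(17) column but fits varchar(45).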
Reason for the 'Use with caution' result
The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:
Allows admin users to embed arbitrary HTML from any third-party website, without providing any warning about how dangerous this feature is.