Plugin inspection:

Subscribe to Comments

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Warnings

The version of this plugin that this recommendation was based on is known to be vulnerable to attack:

This recommendation applies to version 2.1.2 of this plugin, but the most recent version is 2.3. These findings may no longer be correct.

Findings

  • Generates errors.
  • Most SQL statements appear to be adequately escaped but not using wordpress core functions.
  • Constructs absolute URIs itself, but neglects HTTPS and the port number.
  • Seems to require separate header, footer files, which would not be compatible with some theme frameworks such as Roots.
  • Administrators can perform local file inclusion attacks.

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

Administrators can perform local file inclusion attacks, for instance to execute arbitrary code they have uploaded via the media uploader or to learn the contents of /etc/passwd.

Failure criteria

  • Execution of unprepared SQL statements
  • Failure to use available core functionality
  • Unsafe file or network IO
  • Very large codebase

Read more about our failure criteria.