Plugin inspection:

ThreeWP Broadcast

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Warnings

This recommendation applies to version 1.20 of this plugin, but the most recent version is 46.15. These findings may no longer be correct.

Findings

Contains over 8,000 lines of PHP, most of which is found in a directory named plainview_sdk.

plainview_sdk contains a function base::mime_type() which passes its argument to exec() without sanitisation. plainview_sdk contains a function base::download() which opens a file and outputs it. It is unknown if these functions would be accessible by an attacker.

No escaping of SQL, either in the plugin or in plainview_sdk.

No escaping of HTML.

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

The plugin contains unsafe calls to exec(), however it is unknown if this code is used. Lack of SQL escaping.

Failure criteria

  • Lack of input sanitisation
  • Execution of unprepared SQL statements
  • Lack of proper output escaping
  • Unsafe execution of system commands

Read more about our failure criteria.