- The plugin is very large at 29k lines
- Uses eval() and create_function()
- Uses htmlspecialchars() instead of esc_html()
- Some SQL is unescaped
Reason for the 'Use with caution' result
The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:
eval() and create_function() are automatic failures unless their arguments are string literals. In the case of wpv_admin_message() it looks very likely that it’s called with unsafe parameters.