Plugin inspection:

Unconfirmed

No issues found

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

We didn't find anything worrying in this plugin. It's probably safe. Read more about this recommendation.

Warnings

This recommendation applies to version 1.2.7 of this plugin, but the most recent version is 1.3.7. These findings may no longer be correct.

Findings

  • On line 574 of unconfirmed.php, text from $_REQUEST is passed through sanitize_text_field() before being inserted into an SQL query. sanitize_text_field() strips tags, line breaks and control characters but does not escape quotes, so it is not an adequate defence against SQL injection compared with $wpdb->prepare() or esc_sql(). The code appears not to be exploitable because WordPress core emulates magic_quotes_gpc: wp_magic_quotes() runs addslashes() over $_REQUEST before plugin hooks handle the request, so quote characters reach the query already escaped. That protection holds only where the value lands inside a quoted string literal in the query; it does nothing for an unquoted numeric context, and it relies on core's wp_magic_quotes() having run before the plugin reads the request.
  • No other issues found
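
For reference, the pattern the finding describes beside the prepared form it recommends. This is an added example written for this inspection, not code from the Unconfirmed plugin; it assumes a WordPress plugin context (global $wpdb, core's wp_magic_quotes() already applied to the superglobals), and the table name, column name and request parameter are illustrative assumptions.

```php
<?php
// Added example, not the plugin's code. Assumes it runs inside WordPress
// (global $wpdb). Table "{$wpdb->prefix}unconfirmed", column "token" and the
// request parameter "token" are hypothetical names for illustration.

// Weak form (the pattern in the finding): sanitize_text_field() strips tags,
// line breaks, tabs and control characters but leaves quotes untouched, so in
// plain PHP this string is injectable. Inside WordPress it survives only
// because wp_magic_quotes() has already run addslashes() over $_REQUEST, so a
// single quote arrives as \' and stays inside the quoted literal.
function unconfirmed_lookup_weak() {
    global $wpdb;
    $token = sanitize_text_field( $_REQUEST['token'] ?? '' );
    // Interpolating straight into the quoted literal: relies entirely on the
    // slashes core added upstream.
    return $wpdb->get_row(
        "SELECT * FROM {$wpdb->prefix}unconfirmed WHERE token = '$token'"
    );
}

// Same weak pattern in an unquoted numeric context. addslashes() only acts on
// quotes, backslashes and NUL, so a value such as "1 OR 1=1" passes through
// sanitize_text_field() and the magic-quotes emulation unchanged. Nothing
// protects this query.
function unconfirmed_lookup_weak_numeric() {
    global $wpdb;
    $id = sanitize_text_field( $_REQUEST['id'] ?? '' );
    return $wpdb->get_row(
        "SELECT * FROM {$wpdb->prefix}unconfirmed WHERE id = $id"
    );
}

// Hardened form: $wpdb->prepare() escapes the value for the %s / %d
// placeholder itself, independent of what happened to the superglobals.
// wp_unslash() first removes the slashes core added, so the value is not
// escaped twice (otherwise "O'Brien" would be stored as "O\'Brien").
// sanitize_text_field() is still applied for its own purpose (tag and
// control-character stripping), not as SQL escaping.
function unconfirmed_lookup_prepared() {
    global $wpdb;
    $token = sanitize_text_field( wp_unslash( $_REQUEST['token'] ?? '' ) );
    $id    = absint( $_REQUEST['id'] ?? 0 );

    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}unconfirmed WHERE token = %s AND id = %d",
            $token,
            $id
        )
    );
}
```

The two weak functions are included only to show where the magic-quotes emulation does and does not help; the prepared form is the one that satisfies the "unprepared SQL" failure criterion regardless of request context or load order.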

Failure criteria

  • Execution of unprepared SQL statements

Read more about our failure criteria.