- In unconfirmed.php on line 573 there is very nearly an SQL injection, saved only by WP’s emulation of magic_quotes_gpc
- Contains an XSS vulnerability: https://advisories.dxw.com/advisories/xss-in-unconfirmed-1-2-3/
Reason for the 'Potentially unsafe' result
The plugin contains or is likely to contain a vulnerability which could be exploited by an end user and which would compromise the site’s confidentiality, integrity or availability:
Contains XSS vulnerability.