Findings
This plugin contains several SQL statements that incorporate user-submitted data but are not safely prepared. Although none of these appear to be easily exploitable, the pattern itself is concerning.
It makes extensive use of the PHP ‘extract’ function, and it is not clear that all of these uses are safe.
Finally, the code contains several extremely large functions that extensively mix logic and HTML output, which makes them difficult to follow and difficult to assess with confidence.
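To make the first finding concrete, here is an added example (not code from the reviewed plugin) showing the unsafe pattern beside the prepared form that WordPress plugin code is expected to use. It assumes the WordPress runtime and its global $wpdb object; the "things" table and the slug/page/orderby request parameters are hypothetical.

```php
<?php
// Added example, not the reviewed plugin's code. Assumes WordPress and $wpdb;
// the table "things" and the request parameters are hypothetical.

// BEFORE: the pattern the review describes. The request value is pasted
// straight into the SQL text, so a value such as  x' OR '1'='1  changes the
// meaning of the query rather than being treated as data.
function things_lookup_unsafe() {
    global $wpdb;
    $slug = $_GET['slug'];
    return $wpdb->get_results(
        "SELECT id, title FROM {$wpdb->prefix}things WHERE slug = '$slug'"
    );
}

// AFTER: every value goes through $wpdb->prepare(), which binds %s / %d
// placeholders and escapes them for the live connection. The SQL text itself
// is fixed at development time.
function things_lookup_safe() {
    global $wpdb;

    $slug     = sanitize_text_field( wp_unslash( $_GET['slug'] ?? '' ) );
    $page     = max( 1, absint( $_GET['page'] ?? 1 ) );
    $per_page = 20;

    // Identifiers (column names, ORDER BY targets) cannot be bound as values,
    // so they are accepted only when they match a fixed allow-list.
    $orderby_allowed = array( 'title', 'created' );
    $orderby = in_array( $_GET['orderby'] ?? '', $orderby_allowed, true )
        ? $_GET['orderby']
        : 'created';

    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}things
         WHERE slug = %s
         ORDER BY {$orderby}
         LIMIT %d OFFSET %d",
        $slug,
        $per_page,
        ( $page - 1 ) * $per_page
    );

    return $wpdb->get_results( $sql );
}
```

Two caveats a reviewer checks for even when prepare() is present: the placeholder must be %s or %d rather than a quoted '%s' (the quoting is added by prepare()), and values used in a LIKE pattern must first pass through $wpdb->esc_like() so that % and _ in user input are not interpreted as wildcards.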
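The risk with extract() is that it turns every key of the array it is given into a local variable, so when the array comes from a request the caller can overwrite variables the function already set. The following is an added example, not code from the reviewed plugin; it is plain PHP that runs offline, and the request array is constructed for the demonstration.

```php
<?php
// Added example, not the reviewed plugin's code. Plain PHP, runs stand-alone;
// the request array below is constructed to show the failure mode.

// BEFORE: the pattern the review flags. extract() creates a local variable for
// every request key, including keys that collide with variables set above it.
function render_export_unsafe(array $request): string {
    $table    = 'plugin_entries'; // intended to be fixed
    $is_admin = false;            // intended to come from the session, not the request
    extract($request);            // $request['table'] and $request['is_admin'] now win
    if (!$is_admin) {
        return 'denied';
    }
    return "SELECT * FROM $table";
}

// AFTER: read only the named keys you expect, with defaults and an allow-list,
// and take privilege state from a trusted argument rather than the request.
function render_export_safe(array $request, bool $is_admin): string {
    $table  = 'plugin_entries';
    $format = in_array($request['format'] ?? '', ['csv', 'json'], true)
        ? $request['format']
        : 'csv';
    if (!$is_admin) {
        return 'denied';
    }
    return "SELECT * FROM $table -- format=$format";
}

// Constructed request: a visitor supplying keys the code never meant to accept.
$evil = ['is_admin' => '1', 'table' => 'wp_users', 'format' => 'csv'];

echo render_export_unsafe($evil), "\n";      // SELECT * FROM wp_users
echo render_export_safe($evil, false), "\n"; // denied
```

Passing EXTR_SKIP as the second argument prevents existing variables from being overwritten, but extract() still creates any variable the request names, so anything assigned after the call or read without a default remains reachable. When auditing, each extract() call therefore needs to be traced to the origin of its array; only calls over arrays the plugin fully controls can be marked safe.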
Reason for the 'Use with caution' result
The plugin meets a large number of failure criteria and is of poor quality, leading the tester to fear that subsequent versions of the plugin are likely to introduce vulnerabilities:
This plugin executes unprepared SQL statements