Findings
- SQL statements are created without proper escaping (init.php line 382, recommendations.php line 193)
- The plugin appears to allow unauthenticated users to list posts (init.php line 197) – though this is not necessarily a security issue
Reason for the 'Use with caution' result
The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:
- SQL statements are created without proper escaping