- Puts variables into SQL without escaping them – includes/core.php lines 311 and 327 – this appears vulnerable to SQLi if a user is able to set the post_types option
- SQL is escaped using addslashes() instead of using esc_sql() or $wpdb->prepare() – hacks.php line 347
Reason for the 'Use with caution' result
The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:
May be vulnerable to SQL injection.