Plugin inspection:

XML Sitemap & Google News feeds

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.


This recommendation applies to version 4.3.2 of this plugin, but the most recent version is 5.4.9. These findings may no longer be correct.


  • Puts variables into SQL without escaping them – includes/core.php lines 311 and 327 – this appears vulnerable to SQLi if a user is able to set the post_types option
  • SQL is escaped using addslashes() instead of using esc_sql() or $wpdb->prepare() – hacks.php line 347

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

May be vulnerable to SQL injection.

Failure criteria

  • Execution of unprepared SQL statements

Read more about our failure criteria.