• The first (and biggest) problem with this plugin is that it doesn’t generate the code with the plugin code. The plugin is just a proxy that calls a remote server that produces some code and then downloads it into the WP installation. So the owner of the remote server has your installation in his hands. He could send you any sort of code he wants, opening backdoors, hijacking your complete installation.

    The other problem is that the code of the plugin is crap. It takes any incoming POST response and just uses it without validation or sanitization. But this is just another security concern.

    Long story short: Don’t use this plugin. Simply don’t.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author emarket-design

    (@emarket-design)

    Franz,
    Thanks for reviewing our plugin. I have passed your feedback to our development team.
    Please do not hesitate to contact us if you have additional feedback/concern/questions.

    [ Signature moderated. ]

    Plugin Author emarket-design

    (@emarket-design)

    Franz,
    In WPAS 1.1.1 release, we have hardened overall plugin security by adding extra nonces, data sanitization/validation rules and WordPress HTTP API calls. We have also included a diagram detailing what comes in and out of your computer. Anything else?
    Thanks!

    Franz Josef Kaiser – I can see you want safe software. I hope you figure out a way of making the world’s software safer.

    Your comments apply to most “Small, close source, software” that is available on the web. A large percentage of the software available on cnet matches your description. The problem of secure software is well known, but thankfully most people are good, and try to make the world a better place.

    Eddy Parkinson.

  • The topic ‘Don't use this plugin’ is closed to new replies.