Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Mikko Saari

    (@msaari)

    From their site: “A high RIPS CodeRisk does not mean that there is a critical vulnerability in the plugin that can be directly exploited by an attacker, though it is possible. Quite often the affected code is not reachable without prior authentication, so there is no differentiation between authenticated and unauthenticated issues in the value.”

    I’ll see what they have to say. Relevanssi code has been audited by multiple security teams and follows safe WordPress conventions. As far as I can tell, this is a false alert and there are no risks in using Relevanssi.

    Relevanssi has a very limited surface that is exposed to general public, and all input that Relevanssi gets from users is securely sanitized and validated. There are couple of unpleasant things that can be done with Relevanssi with an admin account – but if someone has malicious intent and full admin access to your site, them being able to use Relevanssi to slow down your site is the least of your worries.
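As an added illustration of the "safe WordPress conventions" the reply refers to (sanitize and validate user input, parameterize database queries, escape on output, gate admin-only actions behind a capability check and a nonce), here is a minimal search endpoint and admin action. This is example code written for this thread, not Relevanssi's own code; the function names, route and nonce action are hypothetical, while the WordPress APIs used (sanitize_text_field, $wpdb->prepare, $wpdb->esc_like, esc_html, current_user_can, check_admin_referer, register_rest_route) are real core functions.

```php
<?php
// Added example, not Relevanssi's code. Function names, the REST route and the
// nonce action are hypothetical; the WordPress core APIs are real.

function example_search_handler( WP_REST_Request $request ) {
    global $wpdb;

    // 1. Sanitize: strip tags, NUL bytes and stray whitespace from user input.
    $term = sanitize_text_field( (string) $request->get_param( 's' ) );

    // 2. Validate: reject empty or oversized terms before touching the database.
    if ( '' === $term || mb_strlen( $term ) > 200 ) {
        return new WP_Error( 'invalid_term', 'Invalid search term', array( 'status' => 400 ) );
    }

    // 3. Parameterize: never interpolate $term into SQL; escape LIKE wildcards
    //    separately, then bind the value with $wpdb->prepare().
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_title LIKE %s LIMIT 20",
        $like
    );
    $rows = $wpdb->get_results( $sql );

    // 4. Escape on output: titles are escaped when rendered, not when stored.
    $out = array();
    foreach ( (array) $rows as $row ) {
        $out[] = array(
            'id'    => (int) $row->ID,
            'title' => esc_html( $row->post_title ),
        );
    }
    return rest_ensure_response( $out );
}

// Expensive maintenance work (the kind of thing an administrator could use to
// slow a site down) stays behind a capability check and a nonce, so only a
// logged-in admin submitting a valid form token can reach it.
function example_admin_rebuild_action() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_rebuild_index' ); // dies on a missing or invalid nonce
    // ... index rebuild would go here ...
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/search', array(
        'methods'             => 'GET',
        'callback'            => 'example_search_handler',
        // Public endpoint, so everything in $request is treated as untrusted.
        'permission_callback' => '__return_true',
    ) );
} );
```

The split between sanitizing on input, binding on query and escaping on output is what lets a plugin keep a small public surface: the only unauthenticated path takes one string, bounds it, and never lets it reach SQL or HTML unescaped, while anything heavier requires an authenticated administrator.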

    Thread Starter mbeerli

    (@mbeerli)

    Hello Mikko,
    I see daily scans on my site where hacks are tried. Are you saying that your code cannot be security improved? It doesn’t look like you are too far from the green section.
    I see a lot of plugins which have a Zero (0) risk. I also see others that went from a 90% risk to a 9% after looking at it.
    So you are not at all worried about it?

The topic ‘High risk of plugin code’ is closed to new replies.