The plugin sure does what it says, but I’m concerned about the security here.
As whatever a user enters as “widget logic” gets eval()’ed by PHP, any user with access to modifying widgets essentially could do whatever to the full installation. E.g. a user could enter [information removed - Mark] to delete everything you got on the host.
I couldn’t find it anywhere in the plugin code, but there sure should be a whitelist of functions allowed in code like this.
- The topic ‘[Plugin: Widget Logic] Security hole?’ is closed to new replies.
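
The allowlist the post asks for, as an added example (not code from the post or from the Widget Logic plugin): a PHP 8 evaluator that parses a condition itself and calls only functions named in an allowlist, so no user input reaches eval(). The class name `WidgetCondition`, its small grammar (`!`, `&&`, `||`, parentheses, calls with at most one string or integer literal) and the stand-in `is_home`/`is_page` callables are assumptions made for the illustration.

```php
<?php
// Added example, not the plugin's code: conditions go through a small parser, never eval().
final class WidgetCondition
{
    private const TOKEN = '~\s*(\|\||&&|[!()]|[A-Za-z_]\w*|\'[^\']*\'|\d+)~';
    private array $tok = [];
    // $allowed is the allowlist: function name => callable that may run for it.
    public function __construct(private array $allowed) {}
    public function evaluate(string $src): bool
    {
        preg_match_all(self::TOKEN, $src, $m);
        // Every character must belong to a known token, otherwise reject the input.
        if (implode('', $m[0]) !== rtrim($src)) throw new InvalidArgumentException('unsupported syntax');
        $this->tok = $m[1];
        $v = $this->expr('||');
        return $this->tok === [] ? $v : throw new InvalidArgumentException("unexpected {$this->tok[0]}");
    }
    private function peek(): ?string { return $this->tok[0] ?? null; }
    private function take(?string $want = null): string
    {
        $t = array_shift($this->tok) ?? throw new InvalidArgumentException('unexpected end of input');
        return ($want === null || $t === $want) ? $t : throw new InvalidArgumentException("expected $want, got $t");
    }
    private function expr(string $op): bool   // '&&' binds tighter than '||'
    {
        $next = fn(): bool => $op === '||' ? $this->expr('&&') : $this->unary();
        for ($v = $next(); $this->peek() === $op; $v = $op === '||' ? ($v || $r) : ($v && $r)) {
            $this->take();
            $r = $next();   // parse the right-hand side first, then combine
        }
        return $v;
    }
    private function unary(): bool
    {
        if ($this->peek() === '!') { $this->take(); return !$this->unary(); }
        if ($this->peek() === '(') { $this->take(); $v = $this->expr('||'); $this->take(')'); return $v; }
        $name = $this->take();
        $fn = $this->allowed[$name] ?? throw new InvalidArgumentException("function not allowed: $name");
        $this->take('(');
        $a = $this->peek() === ')' ? null : $this->take();   // at most one literal argument
        if ($a !== null && $a[0] !== "'" && !ctype_digit($a)) throw new InvalidArgumentException("bad argument: $a");
        $this->take(')');
        return (bool) ($a === null ? $fn() : $fn($a[0] === "'" ? substr($a, 1, -1) : (int) $a));
    }
}
// Constructed stand-ins for WordPress conditional tags so this runs outside WordPress.
$cond = new WidgetCondition(['is_home' => fn() => false, 'is_page' => fn($p = '') => $p === 'about']);
var_dump($cond->evaluate("!is_home() && (is_home() || is_page('about'))"));
try { $cond->evaluate("is_home() || phpversion()"); } catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
```

Because arguments can only be literals and the callee is looked up in the map, the set of code a widget editor can trigger is exactly the set of callables an administrator put on the allowlist.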