Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Contributor Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    No, there is no way to “hack” a site through this plugin.

    It is possible that somebody hacked into your site through other means and then modified this plugin, randomly, with their code. That’s not a fault of the plugin. You need to find the hacker’s original entry point to your site.

    Thread Starter Beee

    (@beee)

    Never say never.

    The plugin is deleted and the issue hasn’t occurred anymore…

    Plugin Contributor Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    Nonsense. In this case, I can indeed say “never”.

    Code isn’t magic. Security issues that exist can be seen. In this case, there is no input accepted from anywhere that could lead to a “hack” from an outside source. All the screens are “admin-only”. It doesn’t have any front-end facing pages or fields.

    While it’s possible that there may be a security issue in the plugin, as that is always possible, the nature of the plugin would make it where only an admin user could exploit it, because only an admin user can trigger the interface code to run. While it is possible that some malicious code contained in a Tumblr blog could be imported through this and cause problems, it’s also the case that you should own whatever content you import, and if you import malicious content, well, then you probably should not do that.

  • The topic ‘sit hacked through this Tumblr importer’ is closed to new replies.