WordPress Plugin CallbackKiller Security Analysis: RCE/XSS/SQLi Risks

Plugin Name: CallbackKiller service widget Plugin URI: http://callbackkiller.com/ Description: Describes a widget for the CallbackKiller service for WordPress Author: CallbackKiller Author URI: http://callbackkiller.com/ Version: 1.2 Key Functions: - : Creates the plugin's admin menu - : Initializes the plugin and adds necessary WordPress options - : Creates the settings page - : Adds a settings link on the plugin page - : Adds required JavaScript and CSS code to the page footer - : Executes API requests - : Handles API response results - , , : Handles login, registration, and logout functions Potential Vulnerabilities: - Uses to directly execute API requests without input validation, potentially leading to remote code execution risks. - The plugin directly loads JavaScript and CSS files from external servers, posing a Cross-Site Scripting (XSS) risk. - Lacks sufficient input validation and filtering for the variable, which may lead to SQL injection or command injection risks. - The plugin stores sensitive information (such as login hashes and site IDs) in the database, which may require additional security measures to protect this data.

Goal Reached Thanks to every supporter — we hit 100%!

WordPress Plugin CallbackKiller Security Analysis: RCE/XSS/SQLi Risks