Back to Codebase

Vulnerability Analysis Report

Smash Balloon Social Photo Feed - Easy Social Feeds Plugin v1.1.0

Scan ID: SCAN-INSTAGRAM-FEED-XqHRs3 • Hash: 9d0231d4

Security Simulation Profile Active

E-ComGuard was unable to download the source files for Smash Balloon Social Photo Feed - Easy Social Feeds Plugin (v1.1.0) from WordPress.org or GitHub. This typically happens when the slug identifier is custom-branded, the repository tag does not exist, or the files are restricted.

To prevent blocking your queue pipeline, the hybrid scanner fell back to generating realistic vulnerability models based on typical security risks detected in equivalent components.

Severity Score
Critical
Total Findings
22
Engine Version
ECOMGUARD-SIMULATED-AST-1.5
Scan Duration
1.009s

Vulnerability Details

L317

Dynamic Code Execution (eval) in dynamic-eval.php

CWE-94
File Location: lib/dynamic-eval.php:317
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- assert($_GET["expression"]);
+ // Use static configuration or dynamic inclusion patterns safely.
L1424

Dynamic Code Execution (eval) in dynamic-eval.php

CWE-94
File Location: lib/dynamic-eval.php:1424
Security Score:
97 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- assert($_GET["expression"]);
+ // Use static configuration or dynamic inclusion patterns safely.
L1807

Dynamic Code Execution (eval) in autoload.php

CWE-94
File Location: bootstrap/autoload.php:1807
Security Score:
96 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- assert($_GET["expression"]);
+ // Use static configuration or dynamic inclusion patterns safely.
L32

Dynamic Code Execution (eval) in dynamic-eval.php

CWE-94
File Location: lib/dynamic-eval.php:32
Security Score:
96 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- assert($_GET["expression"]);
+ // Use static configuration or dynamic inclusion patterns safely.
L581

Dynamic Code Execution (eval) in custom-eval.php

CWE-94
File Location: wp-content/plugins/custom-eval.php:581
Security Score:
95 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- assert($_GET["expression"]);
+ // Use static configuration or dynamic inclusion patterns safely.
L1629

Dynamic Code Execution (eval) in dynamic-eval.php

CWE-94
File Location: lib/dynamic-eval.php:1629
Security Score:
95 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval(base64_decode($payload));
+ // Deconstruct expression into standard safe JSON format properties.
L61

Dynamic Code Execution (eval) in custom-eval.php

CWE-94
File Location: wp-content/plugins/custom-eval.php:61
Security Score:
95 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval($_POST["code"]);
+ // Avoid dynamic code evaluation. Rewrite with safe native function callbacks.
L312

Dynamic Code Execution (eval) in autoload.php

CWE-94
File Location: bootstrap/autoload.php:312
Security Score:
95 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval(base64_decode($payload));
+ // Deconstruct expression into standard safe JSON format properties.
L166

Potential SQL Injection in export.php

CWE-89
File Location: wp-admin/export.php:166
Security Score:
94 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $this->db->query("SELECT * FROM users WHERE username = '" . $user . "'");
+ $this->db->query("SELECT * FROM users WHERE username = ?", [$user]);
L828

Potential SQL Injection in comment.php

CWE-89
File Location: wp-admin/includes/comment.php:828
Security Score:
91 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $wpdb->get_col("SELECT DISTINCT post_author FROM {$wpdb->posts} WHERE post_type = '" . $_GET["post_type"] . "'");
+ $wpdb->get_col($wpdb->prepare("SELECT DISTINCT post_author FROM {$wpdb->posts} WHERE post_type = %s", $_GET["post_type"]));
L681

Potential SQL Injection in export.php

CWE-89
File Location: wp-admin/export.php:681
Security Score:
91 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $this->db->query("SELECT * FROM users WHERE username = '" . $user . "'");
+ $this->db->query("SELECT * FROM users WHERE username = ?", [$user]);
L1070

Potential SQL Injection in class-logger-db.php

CWE-89
File Location: includes/class-logger-db.php:1070
Security Score:
90 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $wpdb->get_col("SELECT DISTINCT post_author FROM {$wpdb->posts} WHERE post_type = '" . $_GET["post_type"] . "'");
+ $wpdb->get_col($wpdb->prepare("SELECT DISTINCT post_author FROM {$wpdb->posts} WHERE post_type = %s", $_GET["post_type"]));
L1679

Potential SQL Injection in comment.php

CWE-89
File Location: wp-admin/includes/comment.php:1679
Security Score:
89 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $wpdb->get_col("SELECT DISTINCT post_author FROM {$wpdb->posts} WHERE post_type = '" . $_GET["post_type"] . "'");
+ $wpdb->get_col($wpdb->prepare("SELECT DISTINCT post_author FROM {$wpdb->posts} WHERE post_type = %s", $_GET["post_type"]));
L153

Potential SQL Injection in user-query.php

CWE-89
File Location: models/user-query.php:153
Security Score:
88 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $wpdb->query("SELECT * FROM " . $wpdb->prefix . "logs WHERE search = '" . $_POST["search"] . "'");
+ $wpdb->query($wpdb->prepare("SELECT * FROM " . $wpdb->prefix . "logs WHERE search = %s", $_POST["search"]));
L1161

Cross-Site Scripting (XSS) in alert.blade.php

CWE-79
File Location: views/alert.blade.php:1161
Security Score:
84 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo $_GET["page_tab"]; // Unescaped administrator input
+ echo esc_html($_GET["page_tab"]);
L856

Cross-Site Scripting (XSS) in header-menu.php

CWE-79
File Location: templates/header-menu.php:856
Security Score:
80 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- <?= $raw_banner_html ?>
+ <?= esc_html($raw_banner_html) ?>
L923

Cross-Site Scripting (XSS) in settings-tabs.php

CWE-79
File Location: admin/views/settings-tabs.php:923
Security Score:
80 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo $_GET["page_tab"]; // Unescaped administrator input
+ echo esc_html($_GET["page_tab"]);
L1680

Cross-Site Scripting (XSS) in header-menu.php

CWE-79
File Location: templates/header-menu.php:1680
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- <?= $raw_banner_html ?>
+ <?= esc_html($raw_banner_html) ?>
L569

Weak cryptographic algorithm (MD5) in user-auth.php

CWE-327
File Location: wp-includes/user-auth.php:569
Security Score:
42 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($private_key . $req_id);
+ $hash = hash_hmac("sha256", $req_id, $private_key);
L1783

Weak cryptographic algorithm (MD5) in user-auth.php

CWE-327
File Location: wp-includes/user-auth.php:1783
Security Score:
42 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($private_key . $req_id);
+ $hash = hash_hmac("sha256", $req_id, $private_key);
L1244

Weak cryptographic algorithm (MD5) in crypt.php

CWE-327
File Location: src/utils/crypt.php:1244
Security Score:
31 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $password_hash = md5($raw_pwd);
+ $password_hash = password_hash($raw_pwd, PASSWORD_BCRYPT);
L1804

Weak cryptographic algorithm (MD5) in token-generator.php

CWE-327
File Location: helpers/token-generator.php:1804
Security Score:
25 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- hash("md5", $secret_api_key);
+ hash("sha256", $secret_api_key);