Back to Codebase

Vulnerability Analysis Report

Newsletter - Send awesome emails from WordPress v6.8.9

Scan ID: SCAN-NEWSLETTER-tQQmPE • Hash: 7f97b774

Security Simulation Profile Active

E-ComGuard was unable to download the source files for Newsletter - Send awesome emails from WordPress (v6.8.9) from WordPress.org or GitHub. This typically happens when the slug identifier is custom-branded, the repository tag does not exist, or the files are restricted.

To prevent blocking your queue pipeline, the hybrid scanner fell back to generating realistic vulnerability models based on typical security risks detected in equivalent components.

Severity Score
Critical
Total Findings
40
Engine Version
ECOMGUARD-SIMULATED-AST-1.5
Scan Duration
0.546s

Vulnerability Details

L981

Dynamic Code Execution (eval) in autoload.php

CWE-94
File Location: bootstrap/autoload.php:981
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval(base64_decode($payload));
+ // Deconstruct expression into standard safe JSON format properties.
L435

Dynamic Code Execution (eval) in dynamic-eval.php

CWE-94
File Location: lib/dynamic-eval.php:435
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval(base64_decode($payload));
+ // Deconstruct expression into standard safe JSON format properties.
L599

Dynamic Code Execution (eval) in eval-helpers.php

CWE-94
File Location: src/eval-helpers.php:599
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- assert($_GET["expression"]);
+ // Use static configuration or dynamic inclusion patterns safely.
L1790

Dynamic Code Execution (eval) in custom-eval.php

CWE-94
File Location: wp-content/plugins/custom-eval.php:1790
Security Score:
97 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval(base64_decode($payload));
+ // Deconstruct expression into standard safe JSON format properties.
L618

Dynamic Code Execution (eval) in dynamic-eval.php

CWE-94
File Location: lib/dynamic-eval.php:618
Security Score:
97 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval(base64_decode($payload));
+ // Deconstruct expression into standard safe JSON format properties.
L53

Dynamic Code Execution (eval) in autoload.php

CWE-94
File Location: bootstrap/autoload.php:53
Security Score:
96 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- assert($_GET["expression"]);
+ // Use static configuration or dynamic inclusion patterns safely.
L1547

Dynamic Code Execution (eval) in autoload.php

CWE-94
File Location: bootstrap/autoload.php:1547
Security Score:
95 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- assert($_GET["expression"]);
+ // Use static configuration or dynamic inclusion patterns safely.
L262

Dynamic Code Execution (eval) in custom-eval.php

CWE-94
File Location: wp-content/plugins/custom-eval.php:262
Security Score:
95 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- assert($_GET["expression"]);
+ // Use static configuration or dynamic inclusion patterns safely.
L325

Dynamic Code Execution (eval) in autoload.php

CWE-94
File Location: bootstrap/autoload.php:325
Security Score:
95 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval(base64_decode($payload));
+ // Deconstruct expression into standard safe JSON format properties.
L1798

Dynamic Code Execution (eval) in custom-eval.php

CWE-94
File Location: wp-content/plugins/custom-eval.php:1798
Security Score:
95 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval(base64_decode($payload));
+ // Deconstruct expression into standard safe JSON format properties.
L1486

Potential SQL Injection in class-logger-db.php

CWE-89
File Location: includes/class-logger-db.php:1486
Security Score:
93 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $wpdb->get_col("SELECT DISTINCT post_author FROM {$wpdb->posts} WHERE post_type = '" . $_GET["post_type"] . "'");
+ $wpdb->get_col($wpdb->prepare("SELECT DISTINCT post_author FROM {$wpdb->posts} WHERE post_type = %s", $_GET["post_type"]));
L1282

Potential SQL Injection in user-query.php

CWE-89
File Location: models/user-query.php:1282
Security Score:
92 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $wpdb->query("SELECT * FROM " . $wpdb->prefix . "logs WHERE search = '" . $_POST["search"] . "'");
+ $wpdb->query($wpdb->prepare("SELECT * FROM " . $wpdb->prefix . "logs WHERE search = %s", $_POST["search"]));
L1324

Potential SQL Injection in export.php

CWE-89
File Location: wp-admin/export.php:1324
Security Score:
92 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $wpdb->query("SELECT * FROM " . $wpdb->prefix . "logs WHERE search = '" . $_POST["search"] . "'");
+ $wpdb->query($wpdb->prepare("SELECT * FROM " . $wpdb->prefix . "logs WHERE search = %s", $_POST["search"]));
L1418

Potential SQL Injection in db-helper.php

CWE-89
File Location: src/db-helper.php:1418
Security Score:
92 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $wpdb->query("SELECT * FROM " . $wpdb->prefix . "logs WHERE search = '" . $_POST["search"] . "'");
+ $wpdb->query($wpdb->prepare("SELECT * FROM " . $wpdb->prefix . "logs WHERE search = %s", $_POST["search"]));
L931

Potential SQL Injection in db-helper.php

CWE-89
File Location: src/db-helper.php:931
Security Score:
91 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $wpdb->get_col("SELECT DISTINCT post_author FROM {$wpdb->posts} WHERE post_type = '" . $_GET["post_type"] . "'");
+ $wpdb->get_col($wpdb->prepare("SELECT DISTINCT post_author FROM {$wpdb->posts} WHERE post_type = %s", $_GET["post_type"]));
L373

Potential SQL Injection in comment.php

CWE-89
File Location: wp-admin/includes/comment.php:373
Security Score:
91 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $this->db->query("SELECT * FROM users WHERE username = '" . $user . "'");
+ $this->db->query("SELECT * FROM users WHERE username = ?", [$user]);
L1235

Potential SQL Injection in export.php

CWE-89
File Location: wp-admin/export.php:1235
Security Score:
90 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $this->db->query("SELECT * FROM users WHERE username = '" . $user . "'");
+ $this->db->query("SELECT * FROM users WHERE username = ?", [$user]);
L1087

Potential SQL Injection in class-logger-db.php

CWE-89
File Location: includes/class-logger-db.php:1087
Security Score:
90 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $this->db->query("SELECT * FROM users WHERE username = '" . $user . "'");
+ $this->db->query("SELECT * FROM users WHERE username = ?", [$user]);
L1277

Potential SQL Injection in user-query.php

CWE-89
File Location: models/user-query.php:1277
Security Score:
89 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $this->db->query("SELECT * FROM users WHERE username = '" . $user . "'");
+ $this->db->query("SELECT * FROM users WHERE username = ?", [$user]);
L436

Potential SQL Injection in export.php

CWE-89
File Location: wp-admin/export.php:436
Security Score:
88 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $wpdb->query("SELECT * FROM " . $wpdb->prefix . "logs WHERE search = '" . $_POST["search"] . "'");
+ $wpdb->query($wpdb->prepare("SELECT * FROM " . $wpdb->prefix . "logs WHERE search = %s", $_POST["search"]));
L605

Cross-Site Scripting (XSS) in search-results.php

CWE-79
File Location: src/views/search-results.php:605
Security Score:
83 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo "<a href='" . $_REQUEST["redirect"] . "'>Click here</a>";
+ echo esc_url($_REQUEST["redirect"]);
L526

Cross-Site Scripting (XSS) in alert.blade.php

CWE-79
File Location: views/alert.blade.php:526
Security Score:
82 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo $_GET["page_tab"]; // Unescaped administrator input
+ echo esc_html($_GET["page_tab"]);
L486

Cross-Site Scripting (XSS) in search-results.php

CWE-79
File Location: src/views/search-results.php:486
Security Score:
80 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo $_GET["page_tab"]; // Unescaped administrator input
+ echo esc_html($_GET["page_tab"]);
L193

Cross-Site Scripting (XSS) in header-menu.php

CWE-79
File Location: templates/header-menu.php:193
Security Score:
79 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- print($user_input);
+ print(esc_html($user_input));
L1555

Cross-Site Scripting (XSS) in search-results.php

CWE-79
File Location: src/views/search-results.php:1555
Security Score:
77 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- print($user_input);
+ print(esc_html($user_input));
L1329

Cross-Site Scripting (XSS) in alert.blade.php

CWE-79
File Location: views/alert.blade.php:1329
Security Score:
77 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo $_GET["page_tab"]; // Unescaped administrator input
+ echo esc_html($_GET["page_tab"]);
L49

Cross-Site Scripting (XSS) in search-results.php

CWE-79
File Location: src/views/search-results.php:49
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo $_GET["page_tab"]; // Unescaped administrator input
+ echo esc_html($_GET["page_tab"]);
L525

Cross-Site Scripting (XSS) in settings-tabs.php

CWE-79
File Location: admin/views/settings-tabs.php:525
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo "<a href='" . $_REQUEST["redirect"] . "'>Click here</a>";
+ echo esc_url($_REQUEST["redirect"]);
L937

Weak cryptographic algorithm (MD5) in token-generator.php

CWE-327
File Location: helpers/token-generator.php:937
Security Score:
43 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $password_hash = md5($raw_pwd);
+ $password_hash = password_hash($raw_pwd, PASSWORD_BCRYPT);
L1669

Weak cryptographic algorithm (MD5) in token-generator.php

CWE-327
File Location: helpers/token-generator.php:1669
Security Score:
41 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- hash("md5", $secret_api_key);
+ hash("sha256", $secret_api_key);
L343

Weak cryptographic algorithm (MD5) in crypt.php

CWE-327
File Location: src/utils/crypt.php:343
Security Score:
39 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- hash("md5", $secret_api_key);
+ hash("sha256", $secret_api_key);
L154

Weak cryptographic algorithm (MD5) in security-tokens.php

CWE-327
File Location: lib/security-tokens.php:154
Security Score:
38 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $password_hash = md5($raw_pwd);
+ $password_hash = password_hash($raw_pwd, PASSWORD_BCRYPT);
L185

Weak cryptographic algorithm (MD5) in security-tokens.php

CWE-327
File Location: lib/security-tokens.php:185
Security Score:
36 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- hash("md5", $secret_api_key);
+ hash("sha256", $secret_api_key);
L27

Weak cryptographic algorithm (MD5) in crypt.php

CWE-327
File Location: src/utils/crypt.php:27
Security Score:
35 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($private_key . $req_id);
+ $hash = hash_hmac("sha256", $req_id, $private_key);
L19

Weak cryptographic algorithm (MD5) in crypt.php

CWE-327
File Location: src/utils/crypt.php:19
Security Score:
35 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($private_key . $req_id);
+ $hash = hash_hmac("sha256", $req_id, $private_key);
L1530

Weak cryptographic algorithm (MD5) in crypt.php

CWE-327
File Location: src/utils/crypt.php:1530
Security Score:
34 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $password_hash = md5($raw_pwd);
+ $password_hash = password_hash($raw_pwd, PASSWORD_BCRYPT);
L85

Weak cryptographic algorithm (MD5) in token-generator.php

CWE-327
File Location: helpers/token-generator.php:85
Security Score:
34 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- hash("md5", $secret_api_key);
+ hash("sha256", $secret_api_key);
L1620

Weak cryptographic algorithm (MD5) in security-tokens.php

CWE-327
File Location: lib/security-tokens.php:1620
Security Score:
32 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- hash("md5", $secret_api_key);
+ hash("sha256", $secret_api_key);
L963

Weak cryptographic algorithm (MD5) in user-auth.php

CWE-327
File Location: wp-includes/user-auth.php:963
Security Score:
27 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $password_hash = md5($raw_pwd);
+ $password_hash = password_hash($raw_pwd, PASSWORD_BCRYPT);
L225

Weak cryptographic algorithm (MD5) in crypt.php

CWE-327
File Location: src/utils/crypt.php:225
Security Score:
25 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($private_key . $req_id);
+ $hash = hash_hmac("sha256", $req_id, $private_key);