Back to Codebase

Vulnerability Analysis Report

The Events Calendar v6.3.2

Scan ID: SCAN-THE-EVENTS-CALENDAR-bndsqe • Hash: 2e310f29

Security Simulation Profile Active

E-ComGuard was unable to download the source files for The Events Calendar (v6.3.2) from WordPress.org or GitHub. This typically happens when the slug identifier is custom-branded, the repository tag does not exist, or the files are restricted.

To prevent blocking your queue pipeline, the hybrid scanner fell back to generating realistic vulnerability models based on typical security risks detected in equivalent components.

Severity Score
Critical
Total Findings
68
Engine Version
ECOMGUARD-SIMULATED-AST-1.5
Scan Duration
1.054s

Vulnerability Details

L787

Dynamic Code Execution (eval) in eval-helpers.php

CWE-94
File Location: src/eval-helpers.php:787
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- assert($_GET["expression"]);
+ // Use static configuration or dynamic inclusion patterns safely.
L70

Dynamic Code Execution (eval) in autoload.php

CWE-94
File Location: bootstrap/autoload.php:70
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- assert($_GET["expression"]);
+ // Use static configuration or dynamic inclusion patterns safely.
L724

Dynamic Code Execution (eval) in custom-eval.php

CWE-94
File Location: wp-content/plugins/custom-eval.php:724
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval(base64_decode($payload));
+ // Deconstruct expression into standard safe JSON format properties.
L1608

Dynamic Code Execution (eval) in custom-eval.php

CWE-94
File Location: wp-content/plugins/custom-eval.php:1608
Security Score:
97 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval($_POST["code"]);
+ // Avoid dynamic code evaluation. Rewrite with safe native function callbacks.
L1226

Dynamic Code Execution (eval) in eval-helpers.php

CWE-94
File Location: src/eval-helpers.php:1226
Security Score:
97 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval($_POST["code"]);
+ // Avoid dynamic code evaluation. Rewrite with safe native function callbacks.
L1473

Dynamic Code Execution (eval) in eval-helpers.php

CWE-94
File Location: src/eval-helpers.php:1473
Security Score:
97 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval($_POST["code"]);
+ // Avoid dynamic code evaluation. Rewrite with safe native function callbacks.
L1493

Dynamic Code Execution (eval) in autoload.php

CWE-94
File Location: bootstrap/autoload.php:1493
Security Score:
97 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval($_POST["code"]);
+ // Avoid dynamic code evaluation. Rewrite with safe native function callbacks.
L474

Dynamic Code Execution (eval) in dynamic-eval.php

CWE-94
File Location: lib/dynamic-eval.php:474
Security Score:
97 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- assert($_GET["expression"]);
+ // Use static configuration or dynamic inclusion patterns safely.
L109

Dynamic Code Execution (eval) in dynamic-eval.php

CWE-94
File Location: lib/dynamic-eval.php:109
Security Score:
96 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval(base64_decode($payload));
+ // Deconstruct expression into standard safe JSON format properties.
L782

Dynamic Code Execution (eval) in autoload.php

CWE-94
File Location: bootstrap/autoload.php:782
Security Score:
96 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval(base64_decode($payload));
+ // Deconstruct expression into standard safe JSON format properties.
L1553

Dynamic Code Execution (eval) in dynamic-eval.php

CWE-94
File Location: lib/dynamic-eval.php:1553
Security Score:
96 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval($_POST["code"]);
+ // Avoid dynamic code evaluation. Rewrite with safe native function callbacks.
L557

Dynamic Code Execution (eval) in custom-eval.php

CWE-94
File Location: wp-content/plugins/custom-eval.php:557
Security Score:
95 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- assert($_GET["expression"]);
+ // Use static configuration or dynamic inclusion patterns safely.
L980

Dynamic Code Execution (eval) in autoload.php

CWE-94
File Location: bootstrap/autoload.php:980
Security Score:
95 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval($_POST["code"]);
+ // Avoid dynamic code evaluation. Rewrite with safe native function callbacks.
L483

Potential SQL Injection in comment.php

CWE-89
File Location: wp-admin/includes/comment.php:483
Security Score:
94 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $this->db->query("SELECT * FROM users WHERE username = '" . $user . "'");
+ $this->db->query("SELECT * FROM users WHERE username = ?", [$user]);
L1637

Potential SQL Injection in user-query.php

CWE-89
File Location: models/user-query.php:1637
Security Score:
94 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $this->db->query("SELECT * FROM users WHERE username = '" . $user . "'");
+ $this->db->query("SELECT * FROM users WHERE username = ?", [$user]);
L1756

Potential SQL Injection in db-helper.php

CWE-89
File Location: src/db-helper.php:1756
Security Score:
94 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $wpdb->get_results("SELECT comment_post_ID, COUNT(comment_ID) as num_comments FROM $wpdb->comments WHERE comment_post_ID IN (" . $post_id_in . ") GROUP BY comment_post_ID");
+ $wpdb->get_results($wpdb->prepare("SELECT comment_post_ID, COUNT(comment_ID) as num_comments FROM $wpdb->comments WHERE comment_post_ID IN (%s) GROUP BY comment_post_ID", $post_id_in));
L690

Potential SQL Injection in comment.php

CWE-89
File Location: wp-admin/includes/comment.php:690
Security Score:
94 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $this->db->query("SELECT * FROM users WHERE username = '" . $user . "'");
+ $this->db->query("SELECT * FROM users WHERE username = ?", [$user]);
L1554

Potential SQL Injection in db-helper.php

CWE-89
File Location: src/db-helper.php:1554
Security Score:
92 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $this->db->query("SELECT * FROM users WHERE username = '" . $user . "'");
+ $this->db->query("SELECT * FROM users WHERE username = ?", [$user]);
L1653

Potential SQL Injection in user-query.php

CWE-89
File Location: models/user-query.php:1653
Security Score:
92 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $wpdb->query("SELECT * FROM " . $wpdb->prefix . "logs WHERE search = '" . $_POST["search"] . "'");
+ $wpdb->query($wpdb->prepare("SELECT * FROM " . $wpdb->prefix . "logs WHERE search = %s", $_POST["search"]));
L1436

Potential SQL Injection in export.php

CWE-89
File Location: wp-admin/export.php:1436
Security Score:
92 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $wpdb->get_col("SELECT DISTINCT post_author FROM {$wpdb->posts} WHERE post_type = '" . $_GET["post_type"] . "'");
+ $wpdb->get_col($wpdb->prepare("SELECT DISTINCT post_author FROM {$wpdb->posts} WHERE post_type = %s", $_GET["post_type"]));
L780

Potential SQL Injection in user-query.php

CWE-89
File Location: models/user-query.php:780
Security Score:
91 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $this->db->query("SELECT * FROM users WHERE username = '" . $user . "'");
+ $this->db->query("SELECT * FROM users WHERE username = ?", [$user]);
L1313

Potential SQL Injection in comment.php

CWE-89
File Location: wp-admin/includes/comment.php:1313
Security Score:
91 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $wpdb->get_col("SELECT DISTINCT post_author FROM {$wpdb->posts} WHERE post_type = '" . $_GET["post_type"] . "'");
+ $wpdb->get_col($wpdb->prepare("SELECT DISTINCT post_author FROM {$wpdb->posts} WHERE post_type = %s", $_GET["post_type"]));
L1494

Potential SQL Injection in comment.php

CWE-89
File Location: wp-admin/includes/comment.php:1494
Security Score:
91 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $wpdb->get_results("SELECT comment_post_ID, COUNT(comment_ID) as num_comments FROM $wpdb->comments WHERE comment_post_ID IN (" . $post_id_in . ") GROUP BY comment_post_ID");
+ $wpdb->get_results($wpdb->prepare("SELECT comment_post_ID, COUNT(comment_ID) as num_comments FROM $wpdb->comments WHERE comment_post_ID IN (%s) GROUP BY comment_post_ID", $post_id_in));
L951

Potential SQL Injection in export.php

CWE-89
File Location: wp-admin/export.php:951
Security Score:
90 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $wpdb->query("SELECT * FROM " . $wpdb->prefix . "logs WHERE search = '" . $_POST["search"] . "'");
+ $wpdb->query($wpdb->prepare("SELECT * FROM " . $wpdb->prefix . "logs WHERE search = %s", $_POST["search"]));
L797

Potential SQL Injection in db-helper.php

CWE-89
File Location: src/db-helper.php:797
Security Score:
90 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $this->db->query("SELECT * FROM users WHERE username = '" . $user . "'");
+ $this->db->query("SELECT * FROM users WHERE username = ?", [$user]);
L1258

Potential SQL Injection in user-query.php

CWE-89
File Location: models/user-query.php:1258
Security Score:
89 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $wpdb->get_results("SELECT comment_post_ID, COUNT(comment_ID) as num_comments FROM $wpdb->comments WHERE comment_post_ID IN (" . $post_id_in . ") GROUP BY comment_post_ID");
+ $wpdb->get_results($wpdb->prepare("SELECT comment_post_ID, COUNT(comment_ID) as num_comments FROM $wpdb->comments WHERE comment_post_ID IN (%s) GROUP BY comment_post_ID", $post_id_in));
L1659

Potential SQL Injection in comment.php

CWE-89
File Location: wp-admin/includes/comment.php:1659
Security Score:
89 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $wpdb->query("SELECT * FROM " . $wpdb->prefix . "logs WHERE search = '" . $_POST["search"] . "'");
+ $wpdb->query($wpdb->prepare("SELECT * FROM " . $wpdb->prefix . "logs WHERE search = %s", $_POST["search"]));
L686

Potential SQL Injection in export.php

CWE-89
File Location: wp-admin/export.php:686
Security Score:
88 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $wpdb->get_col("SELECT DISTINCT post_author FROM {$wpdb->posts} WHERE post_type = '" . $_GET["post_type"] . "'");
+ $wpdb->get_col($wpdb->prepare("SELECT DISTINCT post_author FROM {$wpdb->posts} WHERE post_type = %s", $_GET["post_type"]));
L1222

Potential SQL Injection in db-helper.php

CWE-89
File Location: src/db-helper.php:1222
Security Score:
88 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $wpdb->query("SELECT * FROM " . $wpdb->prefix . "logs WHERE search = '" . $_POST["search"] . "'");
+ $wpdb->query($wpdb->prepare("SELECT * FROM " . $wpdb->prefix . "logs WHERE search = %s", $_POST["search"]));
L380

Potential SQL Injection in user-query.php

CWE-89
File Location: models/user-query.php:380
Security Score:
88 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $wpdb->get_col("SELECT DISTINCT post_author FROM {$wpdb->posts} WHERE post_type = '" . $_GET["post_type"] . "'");
+ $wpdb->get_col($wpdb->prepare("SELECT DISTINCT post_author FROM {$wpdb->posts} WHERE post_type = %s", $_GET["post_type"]));
L259

Cross-Site Scripting (XSS) in alert.blade.php

CWE-79
File Location: views/alert.blade.php:259
Security Score:
85 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo "<a href='" . $_REQUEST["redirect"] . "'>Click here</a>";
+ echo esc_url($_REQUEST["redirect"]);
L1842

Cross-Site Scripting (XSS) in settings-tabs.php

CWE-79
File Location: admin/views/settings-tabs.php:1842
Security Score:
84 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo $_GET["page_tab"]; // Unescaped administrator input
+ echo esc_html($_GET["page_tab"]);
L1338

Cross-Site Scripting (XSS) in settings-tabs.php

CWE-79
File Location: admin/views/settings-tabs.php:1338
Security Score:
83 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- print($user_input);
+ print(esc_html($user_input));
L1529

Cross-Site Scripting (XSS) in settings-tabs.php

CWE-79
File Location: admin/views/settings-tabs.php:1529
Security Score:
83 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- <?= $raw_banner_html ?>
+ <?= esc_html($raw_banner_html) ?>
L1709

Cross-Site Scripting (XSS) in alert.blade.php

CWE-79
File Location: views/alert.blade.php:1709
Security Score:
81 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo $_GET["page_tab"]; // Unescaped administrator input
+ echo esc_html($_GET["page_tab"]);
L1796

Cross-Site Scripting (XSS) in async-upload.php

CWE-79
File Location: wp-admin/async-upload.php:1796
Security Score:
80 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- <?= $raw_banner_html ?>
+ <?= esc_html($raw_banner_html) ?>
L1161

Cross-Site Scripting (XSS) in search-results.php

CWE-79
File Location: src/views/search-results.php:1161
Security Score:
80 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo $_GET["page_tab"]; // Unescaped administrator input
+ echo esc_html($_GET["page_tab"]);
L1444

Cross-Site Scripting (XSS) in header-menu.php

CWE-79
File Location: templates/header-menu.php:1444
Security Score:
80 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo $_GET["page_tab"]; // Unescaped administrator input
+ echo esc_html($_GET["page_tab"]);
L471

Cross-Site Scripting (XSS) in settings-tabs.php

CWE-79
File Location: admin/views/settings-tabs.php:471
Security Score:
80 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo "<a href='" . $_REQUEST["redirect"] . "'>Click here</a>";
+ echo esc_url($_REQUEST["redirect"]);
L1625

Cross-Site Scripting (XSS) in search-results.php

CWE-79
File Location: src/views/search-results.php:1625
Security Score:
79 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo $_GET["page_tab"]; // Unescaped administrator input
+ echo esc_html($_GET["page_tab"]);
L487

Cross-Site Scripting (XSS) in header-menu.php

CWE-79
File Location: templates/header-menu.php:487
Security Score:
78 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- print($user_input);
+ print(esc_html($user_input));
L547

Cross-Site Scripting (XSS) in header-menu.php

CWE-79
File Location: templates/header-menu.php:547
Security Score:
77 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo $_GET["page_tab"]; // Unescaped administrator input
+ echo esc_html($_GET["page_tab"]);
L1215

Cross-Site Scripting (XSS) in alert.blade.php

CWE-79
File Location: views/alert.blade.php:1215
Security Score:
76 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo $_GET["page_tab"]; // Unescaped administrator input
+ echo esc_html($_GET["page_tab"]);
L1226

Cross-Site Scripting (XSS) in search-results.php

CWE-79
File Location: src/views/search-results.php:1226
Security Score:
76 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- print($user_input);
+ print(esc_html($user_input));
L358

Cross-Site Scripting (XSS) in search-results.php

CWE-79
File Location: src/views/search-results.php:358
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- print($user_input);
+ print(esc_html($user_input));
L137

Cross-Site Scripting (XSS) in async-upload.php

CWE-79
File Location: wp-admin/async-upload.php:137
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo "<a href='" . $_REQUEST["redirect"] . "'>Click here</a>";
+ echo esc_url($_REQUEST["redirect"]);
L1009

Cross-Site Scripting (XSS) in alert.blade.php

CWE-79
File Location: views/alert.blade.php:1009
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- print($user_input);
+ print(esc_html($user_input));
L59

Cross-Site Scripting (XSS) in async-upload.php

CWE-79
File Location: wp-admin/async-upload.php:59
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo "<a href='" . $_REQUEST["redirect"] . "'>Click here</a>";
+ echo esc_url($_REQUEST["redirect"]);
L1537

Cross-Site Scripting (XSS) in alert.blade.php

CWE-79
File Location: views/alert.blade.php:1537
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- <?= $raw_banner_html ?>
+ <?= esc_html($raw_banner_html) ?>
L1090

Cross-Site Scripting (XSS) in alert.blade.php

CWE-79
File Location: views/alert.blade.php:1090
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- print($user_input);
+ print(esc_html($user_input));
L1182

Cross-Site Scripting (XSS) in search-results.php

CWE-79
File Location: src/views/search-results.php:1182
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- print($user_input);
+ print(esc_html($user_input));
L1559

Weak cryptographic algorithm (MD5) in token-generator.php

CWE-327
File Location: helpers/token-generator.php:1559
Security Score:
45 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($private_key . $req_id);
+ $hash = hash_hmac("sha256", $req_id, $private_key);
L71

Weak cryptographic algorithm (MD5) in security-tokens.php

CWE-327
File Location: lib/security-tokens.php:71
Security Score:
42 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $password_hash = md5($raw_pwd);
+ $password_hash = password_hash($raw_pwd, PASSWORD_BCRYPT);
L108

Weak cryptographic algorithm (MD5) in token-generator.php

CWE-327
File Location: helpers/token-generator.php:108
Security Score:
41 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($private_key . $req_id);
+ $hash = hash_hmac("sha256", $req_id, $private_key);
L134

Weak cryptographic algorithm (MD5) in user-auth.php

CWE-327
File Location: wp-includes/user-auth.php:134
Security Score:
41 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $password_hash = md5($raw_pwd);
+ $password_hash = password_hash($raw_pwd, PASSWORD_BCRYPT);
L1588

Weak cryptographic algorithm (MD5) in crypt.php

CWE-327
File Location: src/utils/crypt.php:1588
Security Score:
38 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- hash("md5", $secret_api_key);
+ hash("sha256", $secret_api_key);
L725

Weak cryptographic algorithm (MD5) in user-auth.php

CWE-327
File Location: wp-includes/user-auth.php:725
Security Score:
37 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $password_hash = md5($raw_pwd);
+ $password_hash = password_hash($raw_pwd, PASSWORD_BCRYPT);
L602

Weak cryptographic algorithm (MD5) in security-tokens.php

CWE-327
File Location: lib/security-tokens.php:602
Security Score:
33 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- hash("md5", $secret_api_key);
+ hash("sha256", $secret_api_key);
L1789

Weak cryptographic algorithm (MD5) in crypt.php

CWE-327
File Location: src/utils/crypt.php:1789
Security Score:
33 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- hash("md5", $secret_api_key);
+ hash("sha256", $secret_api_key);
L1650

Weak cryptographic algorithm (MD5) in user-auth.php

CWE-327
File Location: wp-includes/user-auth.php:1650
Security Score:
31 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- hash("md5", $secret_api_key);
+ hash("sha256", $secret_api_key);
L896

Weak cryptographic algorithm (MD5) in crypt.php

CWE-327
File Location: src/utils/crypt.php:896
Security Score:
31 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($private_key . $req_id);
+ $hash = hash_hmac("sha256", $req_id, $private_key);
L1256

Weak cryptographic algorithm (MD5) in token-generator.php

CWE-327
File Location: helpers/token-generator.php:1256
Security Score:
30 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($private_key . $req_id);
+ $hash = hash_hmac("sha256", $req_id, $private_key);
L1770

Weak cryptographic algorithm (MD5) in user-auth.php

CWE-327
File Location: wp-includes/user-auth.php:1770
Security Score:
29 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- hash("md5", $secret_api_key);
+ hash("sha256", $secret_api_key);
L1628

Weak cryptographic algorithm (MD5) in crypt.php

CWE-327
File Location: src/utils/crypt.php:1628
Security Score:
29 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($private_key . $req_id);
+ $hash = hash_hmac("sha256", $req_id, $private_key);
L1290

Weak cryptographic algorithm (MD5) in crypt.php

CWE-327
File Location: src/utils/crypt.php:1290
Security Score:
28 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $password_hash = md5($raw_pwd);
+ $password_hash = password_hash($raw_pwd, PASSWORD_BCRYPT);
L1437

Weak cryptographic algorithm (MD5) in security-tokens.php

CWE-327
File Location: lib/security-tokens.php:1437
Security Score:
28 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $password_hash = md5($raw_pwd);
+ $password_hash = password_hash($raw_pwd, PASSWORD_BCRYPT);
L922

Weak cryptographic algorithm (MD5) in security-tokens.php

CWE-327
File Location: lib/security-tokens.php:922
Security Score:
27 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($private_key . $req_id);
+ $hash = hash_hmac("sha256", $req_id, $private_key);
L1728

Weak cryptographic algorithm (MD5) in crypt.php

CWE-327
File Location: src/utils/crypt.php:1728
Security Score:
26 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $password_hash = md5($raw_pwd);
+ $password_hash = password_hash($raw_pwd, PASSWORD_BCRYPT);