Back to Codebase

Vulnerability Analysis Report

WordPress Core v2.9.2

Scan ID: SCAN-WORDPRESS-CORE-Z4aMv6 • Hash: 0ff8033c

Severity Score
High
Total Findings
5
Engine Version
ECOMGUARD-HYBRID-AST-1.5
Scan Duration
0.725s

Vulnerability Details

L280

Dynamic Code Execution in blogger.php

CWE-94
File Location: wp-admin/import/blogger.php:280
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval('this.status='+text);
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L657

Potential SQL Injection in blogger.php

CWE-89
File Location: wp-admin/import/blogger.php:657
Security Score:
94 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $authors = (array) $wpdb->get_col("SELECT DISTINCT meta_value FROM $wpdb->postmeta WHERE meta_key = 'blogger_author' AND post_id IN (" . join( ',', $post_ids ) . ")");
+ $wpdb->query($wpdb->prepare("SELECT ... WHERE field = %s", $variable));
L697

Potential SQL Injection in blogger.php

CWE-89
File Location: wp-admin/import/blogger.php:697
Security Score:
92 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $results = (array) $wpdb->get_results("SELECT post_id, meta_value FROM $wpdb->postmeta WHERE meta_key = 'blogger_author' AND post_id IN ($post_ids)");
+ $wpdb->query($wpdb->prepare("SELECT ... WHERE field = %s", $variable));
L1227

Potential SQL Injection in admin-ajax.php

CWE-89
File Location: wp-admin/admin-ajax.php:1227
Security Score:
90 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $posts = $wpdb->get_results( "SELECT ID, post_title, post_status, post_date FROM $wpdb->posts WHERE post_type = '$what' AND post_status IN ('draft', 'publish') AND ($search) ORDER BY post_date_gmt DESC LIMIT 50" );
+ $wpdb->query($wpdb->prepare("SELECT ... WHERE field = %s", $variable));
L26

Potential SQL Injection in edit-comments.php

CWE-89
File Location: wp-admin/edit-comments.php:26
Security Score:
90 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $comment_ids = $wpdb->get_col( "SELECT comment_ID FROM $wpdb->comments WHERE comment_approved = '$comment_status' AND '$delete_time' > comment_date_gmt" );
+ $wpdb->query($wpdb->prepare("SELECT ... WHERE field = %s", $variable));