Replies: 0
In file wp-email-user-manage-list you have changed mysql_real_escape_string to htmlentities in line 50.
Why?
And why are you not using prepared statements? https://developer.wordpress.org/reference/classes/wpdb/prepare/
And in the same file you are using GET params unescaped in an SQL statement:
$curr_list = $_GET['listname'];
$rows_avail = $wpdb->get_var( "SELECT id FROM $table_name WHERE email = '$new_mememail' and list='$curr_list'" );
is this safe?!
This topic was modified 14 minutes ago by Kipperlenny.
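An added example (not the plugin's code and not part of the post above) that puts the quoted lookup next to a version using $wpdb->prepare(). It assumes WordPress is loaded (so $wpdb, wp_unslash() and sanitize_text_field() exist), that $table_name and $new_mememail are the plugin's own variables as in the original file, and that the %i identifier placeholder is available (WordPress 6.2 or later).

```php
<?php
// Added example, not the plugin's code. Assumes WordPress is loaded and that
// $table_name and $new_mememail are the plugin's own variables.

// BEFORE (as quoted in the post): the GET value is concatenated into the SQL.
function unsafe_list_lookup( $table_name, $new_mememail ) {
    global $wpdb;
    $curr_list = $_GET['listname'];
    return $wpdb->get_var( "SELECT id FROM $table_name WHERE email = '$new_mememail' and list='$curr_list'" );
}

// AFTER: read the parameter defensively, then bind every value through a
// placeholder so wpdb does the escaping; the query is never built by hand.
function safe_list_lookup( $table_name, $new_mememail ) {
    global $wpdb;

    // Missing parameter: fail closed rather than querying with an empty string.
    if ( ! isset( $_GET['listname'] ) ) {
        return null;
    }

    // WordPress adds slashes to superglobals; strip them, then sanitize.
    // Sanitizing is input validation, not SQL escaping, so prepare() is still needed.
    $curr_list = sanitize_text_field( wp_unslash( $_GET['listname'] ) );

    // %s binds a quoted, escaped string (do not put quotes around it yourself).
    // %i binds an identifier such as a table name (assumed: WordPress 6.2+);
    // on older WordPress hard-code "{$wpdb->prefix}your_table" instead.
    $sql = $wpdb->prepare(
        'SELECT id FROM %i WHERE email = %s AND list = %s',
        $table_name,
        $new_mememail,
        $curr_list
    );

    $id = $wpdb->get_var( $sql ); // null when no row matches
    return null === $id ? null : (int) $id;
}
```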