10 Nov 2017

Checking For Outdated Third-Party Libraries Is Hard When Even a Security Library Doesn’t Include a Version Number

We have been looking over the implications of adding a check for usage of the function create_function() to our security checker for WordPress plugins. That function carries some security risk (though we can’t recall it being part of any disclosed vulnerabilities in WordPress plugins), it is being deprecated in PHP 7.2, and the PHP documentation for it suggests that “Relying on this function is highly discouraged.”

In looking into whether it would make sense to add a check for usage of create_function(), we found it being included (though possibly not being used) in 19 of the 100 most popular plugins in the Plugin Directory. In a couple of the plugins, it is located in files that are part of the third-party library phpseclib.