1 Aug 2019

Post Deletion Vulnerability in Woody ad snippets

The latest version of Woody ad snippets includes the changelog entry “Fixed: Some issues with plugin security.” We are still working to get a better handle on the full impact of a security issue fixed in that version. While we continue to do that, we thought it prudent to move ahead with disclosure of another, related vulnerability that we found while looking into it and that hasn’t been fixed. Considering the multiple issues that lead to this additional vulnerability, we would recommend against using the plugin until it has been more fully reviewed for security issues.

In the file /admin/includes/class.actions.snippet.php the plugin registers the function adminInit() from that file to run during admin_init: