Privilege Escalation Vulnerability in Easy Updates Manager
Yesterday we noted how two of the most popular WordPress plugins were insecurely using the function extract(): they were extracting the $_POST variable, which contains untrusted user input, something the documentation for that function warns against:
Warning Do not use extract() on untrusted data, like user input (e.g. $_GET, $_FILES).
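Why the manual carries that warning, shown as an added example (not code from either plugin or from the original post): with its default EXTR_OVERWRITE flag, extract() lets keys in the request replace variables already set in the calling scope. The function names, the `$is_admin` variable and the sample request array are hypothetical and constructed for illustration.

```php
<?php
// Added example. Handler names and fields are hypothetical and are not
// taken from any plugin; $post stands in for $_POST so the script runs offline.

// Constructed request body: the form only defines 'title', but the request
// also carries a key that matches a local variable name in the handler.
$post = ['title' => 'Hello', 'is_admin' => '1'];

// Insecure pattern: extract() creates or overwrites variables in the current
// scope from every key of the array (the default flag is EXTR_OVERWRITE).
function save_settings_insecure(array $post): array
{
    $is_admin = false;   // stands in for the result of an earlier authorization check
    $title    = '';
    extract($post);      // the request key 'is_admin' replaces the value set above
    return ['title' => $title, 'is_admin' => (bool) $is_admin];
}

// Hardened pattern: read only the keys the handler expects, validate their
// type, and leave every other variable under the code's own control.
function save_settings_hardened(array $post): array
{
    $is_admin = false;   // can no longer be influenced by the request
    $title    = isset($post['title']) && is_string($post['title'])
        ? trim($post['title'])
        : '';
    return ['title' => $title, 'is_admin' => $is_admin];
}

// Compare what each handler ends up believing about the caller's privileges.
var_dump(save_settings_insecure($post)['is_admin']);
var_dump(save_settings_hardened($post)['is_admin']);
```

When reviewing a code base for this pattern, search for calls to extract() whose argument is $_POST, $_GET, $_REQUEST, $_COOKIE or $_FILES, or an array derived from them.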