EZ SQL Reports Shortcode Widget and DB Backup Security & Risk Analysis

wordpress.org/plugins/elisqlreports

Create and save SQL Reports in your WP Admin and place them on pages and posts with a shortcode. Keep your database safe with automatic backups.

500 active installs · v5.25.25 · PHP + WP 2.6+ · Updated Jun 26, 2025
Tags: backup, database, reports, shortcode, sql
Security score: 94 · Grade A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: Jun 28, 2025
Safety Verdict

Is EZ SQL Reports Shortcode Widget and DB Backup Safe to Use in 2026?

Generally Safe

Score 94/100

EZ SQL Reports Shortcode Widget and DB Backup has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Jun 28, 2025 · Updated 9mo ago
Risk Assessment

The plugin elisqlreports v5.25.25 exhibits a mixed security posture. It uses prepared statements for all of its SQL queries and performs nonce checks on its entry points, but there are significant concerns. Static analysis finds four calls to the dangerous function `passthru`, which executes a shell command and can lead to arbitrary code execution if the command string is not built with strict input validation. Furthermore, only 43% of output sites are properly escaped, indicating a high risk of Cross-Site Scripting (XSS) where user-supplied data is rendered in the browser without sanitization. The historical vulnerability data shows a pattern of past security issues: one high and four medium severity vulnerabilities, primarily CSRF and XSS. Although no CVEs are currently unpatched, the recurring nature of these vulnerability types suggests ongoing weaknesses in input sanitization and output encoding. Five known CVEs is a notable count for a single plugin, and the most recent one is very recent, so further issues may still be discovered or introduced.

Key Concerns

  • Presence of dangerous function `passthru`
  • Low output escaping rate (43%)
  • High historical vulnerability count (5 CVEs)
  • Past high severity vulnerability (1)
  • Past medium severity vulnerabilities (4)
  • Recent vulnerability discovery (2025-06-28)
Vulnerabilities (5)

EZ SQL Reports Shortcode Widget and DB Backup Security Vulnerabilities

CVEs by Year

2025: 5 CVEs (all patched)

Severity Breakdown

High
1
Medium
4

5 total CVEs

CVE-2025-6462 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

EZ SQL Reports Shortcode Widget and DB Backup <= 5.25.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via SQLREPORT Shortcode

Jun 28, 2025 Patched in 5.25.25 (1d)
CVE-2025-30787 · medium · 6.1 · Cross-Site Request Forgery (CSRF)

EZ SQL Reports Shortcode Widget and DB Backup <= 5.25.08 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Mar 27, 2025 Patched in 5.25.10 (7d)
CVE-2025-30788 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

EZ SQL Reports Shortcode Widget and DB Backup <= 5.25.08 - Cross-Site Request Forgery

Mar 27, 2025 Patched in 5.25.10 (7d)
CVE-2025-2319 · high · 8.8 · Cross-Site Request Forgery (CSRF)

EZ SQL Reports Shortcode Widget and DB Backup 4.11.13 - 5.25.08 - Cross-Site Request Forgery to Remote Code Execution

Mar 24, 2025 Patched in 5.25.10 (1d)
CVE-2025-26887 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

EZ SQL Reports Shortcode Widget and DB Backup <= 5.21.35 - Authenticated (Contributor+) Stored Cross-Site Scripting

Feb 22, 2025 Patched in 5.25.08 (10d)
Code Analysis
Analyzed Mar 16, 2026

EZ SQL Reports Shortcode Widget and DB Backup Code Analysis

Dangerous Functions
4
Raw SQL Queries
0
9 prepared
Unescaped Output
31
23 escaped
Nonce Checks
4
Capability Checks
2
File Operations
19
External Requests
0
Bundled Libraries
0

Dangerous Functions Found

passthru (index.php:183): passthru($backup_command.escapeshellarg($backup_file), $errors);
passthru (index.php:631): passthru('gunzip -c '.escapeshellarg(trailingslashit($GLOBALS["ELISQLREPORTS"]["settings_array"]['ba (truncated in source)
passthru (index.php:640): passthru($backup_command.' -e '.escapeshellarg("source $file_sql"), $errors);
passthru (index.php:663): passthru($backup_command.' -e '.escapeshellarg("source $file_sql"), $errors);

SQL Query Safety

100% prepared · 9 total queries

Output Escaping

43% escaped · 54 total outputs
Data Flows
All sanitized

Data Flow Analysis

3 flows
ELISQLREPORTS_settings (index.php:541)
Attack Surface

EZ SQL Reports Shortcode Widget and DB Backup Attack Surface

Entry Points: 3
Unprotected: 0

Shortcodes 3

[SQLREPORT] index.php:939
[SQLEXPORTCSV] index.php:962
[sqlgetvar] index.php:991
WordPress Hooks 9
action · ELISQLREPORTS_daily_backup · index.php:700
action · ELISQLREPORTS_hourly_backup · index.php:701
action · admin_menu · index.php:832
action · admin_enqueue_scripts · index.php:837
action · wp_dashboard_setup · index.php:854
action · widgets_init · index.php:889
action · init · index.php:906
filter · plugin_action_links · index.php:921
filter · plugin_row_meta · index.php:928

Scheduled Events 4

ELISQLREPORTS_daily_backup
ELISQLREPORTS_hourly_backup
ELISQLREPORTS_daily_backup
ELISQLREPORTS_hourly_backup
Maintenance & Trust

EZ SQL Reports Shortcode Widget and DB Backup Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Jun 26, 2025
PHP min version: (not listed)
Downloads: 24K

Community Trust

Rating: 94/100
Number of ratings: 15
Active installs: 500
Developer Profile

EZ SQL Reports Shortcode Widget and DB Backup Developer Profile

Eli

9 plugins · 101K total installs

Trust score: 72
Avg Security Score: 90/100
Avg Patch Time: 782 days
Detection Fingerprints

How We Detect EZ SQL Reports Shortcode Widget and DB Backup

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/elisqlreports/images/btn_donateCC_WIDE.gif
Version Parameters
elisqlreports/index.php?ver=
elisqlreports/js/elisqlreports.js?ver=

HTML / DOM Fingerprints

CSS Classes
metabox-holder, stuffbox, hndle, inside, button-primary
HTML Comments
Silence is golden.
Data Attributes
id="top_title", id="admin-page-container", id="ELISQLREPORTS-right-sidebar", id="ELISQLREPORTS-main-section", id="ELISQLREPORTS-metabox-container", id="SQLFormDel" (+7 more)
JS Globals
window.ELISQLREPORTS, var func
Shortcode Output
[ELISQLREPORTS]
FAQ

Frequently Asked Questions about EZ SQL Reports Shortcode Widget and DB Backup