str_replace() is used to sanitize file path but function output is not assigned to variable.

Using basic_settings() we can update every WordPress options, for example

$_REQUEST['title'] is not escaped.

$_REQUEST['widget'] is not escaped.

Package functions are accessible to every registered users because admin privileges are not checked properly.

wp_ajax_save_item() is accessible for every registered user (admin privileges are not checked).

There is few places where `Database

Every registered user can access UploadHandler.php.