Plugin allows unauthenticated code to be run on the server.

[apokalyptik]

See:

curl -v -v http://$HOSTNAME/wp-content/plugins/wordpress-console/query.php --data 'query=echo%201%2B1%3B'

Installing the plugin as-is is begging (pretty please) to be hacked.

Suggested fix: sign query with a shared secret, generated randomly (the random generation could be better, but it'll work for now)

Patch: http://blog.apokalyptik.com/files/wordpress-console-auth.diff

[jerodsanto]

require shared secret to run query (patch by apokalyptik). Closed by 5a94d4338a39fe0847226e331dbc13091347ba3b