diff --git a/WordPress-Plugin-Security-Testing-Cheat-Sheet.md b/WordPress-Plugin-Security-Testing-Cheat-Sheet.md index 6918bc6..4048c7b 100644 --- a/WordPress-Plugin-Security-Testing-Cheat-Sheet.md +++ b/WordPress-Plugin-Security-Testing-Cheat-Sheet.md @@ -143,6 +143,7 @@ Use this [simple Burp Suite extention](https://gist.github.com/ethicalhack3r/7c2 - ```assert()``` - ```preg_replace()``` dangerous "e" flag deprecated since PHP >= 5.5.0 and removed in PHP >= 7.0.0. - ```php://input``` reads raw data from the request body, can lead to RCE if used in eval +- ```call_user_func()``` calls a function from a string, see https://owasp.org/www-community/attacks/Function_Injection ## Authorisation
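Review bot: the new `call_user_func()` bullet in this hunk names the sink but, unlike the neighbouring `preg_replace()` and `php://input` entries, does not state the condition that makes it a finding, namely a callback name (or its arguments) derived from request data; without that qualifier a reviewer grepping the plugin will flag every internal use. Suggest wording it along the lines of: `- ```call_user_func()``` / ```call_user_func_array()``` invoke a function named by a string; dangerous when the name or arguments come from user input (function injection), see [OWASP Function Injection](https://owasp.org/www-community/attacks/Function_Injection)`. Listing the `_array` variant alongside keeps the cheat sheet's coverage consistent, and the markdown link form matches how the file already links the Burp Suite extension earlier in this section rather than pasting a bare URL.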