From 0beedd72bccd4ff66b4fab6b030c7b603a27c0a9 Mon Sep 17 00:00:00 2001 From: Ryan Dewhurst Date: Thu, 19 Nov 2020 12:32:59 +0100 Subject: [PATCH] Updated WordPress Plugin Security Testing Cheat Sheet (markdown) --- WordPress-Plugin-Security-Testing-Cheat-Sheet.md | 1 + 1 file changed, 1 insertion(+) diff --git a/WordPress-Plugin-Security-Testing-Cheat-Sheet.md b/WordPress-Plugin-Security-Testing-Cheat-Sheet.md index 6918bc6..4048c7b 100644 --- a/WordPress-Plugin-Security-Testing-Cheat-Sheet.md +++ b/WordPress-Plugin-Security-Testing-Cheat-Sheet.md @@ -143,6 +143,7 @@ Use this [simple Burp Suite extention](https://gist.github.com/ethicalhack3r/7c2 - ```assert()``` - ```preg_replace()``` dangerous "e" flag deprecated since PHP >= 5.5.0 and removed in PHP >= 7.0.0. - ```php://input``` reads raw data from the request body, can lead to RCE if used in eval +- ```call_user_func()``` calls a function from a string, see https://owasp.org/www-community/attacks/Function_Injection ## Authorisation
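Review bot: The added `call_user_func()` entry says what the function does but not when it is a finding, unlike the `php://input` line just above it, which states "can lead to RCE if used in eval". Suggest wording along the lines of "calls a function named by a string, dangerous when the callable name or its arguments come from user input", so a reviewer knows what to trace when grepping for it. The OWASP reference is a bare URL while the file uses markdown links elsewhere (see the `[simple Burp Suite extention](...)` link in the hunk header context), so consider linking it the same way. `call_user_func_array()` has the same string-to-callable behaviour and could be listed on the same line.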