[a904guy]

I always preferred the remote code execution search myself personally...

https://github.com/search?q=extension%3Aphp+exec+%24_GET&typ...

[fjcaetano]

Holy shit! Look at this! This is hilarious! https://github.com/bratliff/engconf/blob/0b8f003edc5f5d25fe1...

[krapp]

Oh. And it's for wordpress. Isn't that just fucking wonderful. I would guess looking at the age of the account and the complete lack of documentation that it's a personal project he never really intended to get much scrutiny. I'm sure if someone looked at my github they could find some bad code too. Not that bad though.

Edit - made an issue.

[spyder]

And it has been already exploited: http://wordpress.org/support/topic/plugin-ezpz-one-click-bac...

[a904guy]

CGI Python? Happens... https://github.com/search?q=extension%3Apy+os.system+%22impo...

[a904guy]

Django... https://github.com/search?q=extension%3Apy+os.system+%22requ...

[fjcaetano]

The difference is that SQL injection will only happen when using raw queries.

System (as you mentioned) or EXEC injections, however, may get out of hand.

[ris]

I only found one exploitable example browsing the first few pages, whereas the majority of the OP's results looked fairly exploitable.