I have inherited a WordPress website that uses the RunPHP plug-in for executing snippets of PHP code in between posts. I have a feeling that this isn’t the best way to implement such functionality. But since this is legacy code that has been functionally correct for a very long time, I’ll need some solid examples of problem scenarios.
For those not familiar with RunPHP, it is a plug-in which executes PHP code embedded inside the Post or Page body using eval(). The code block is never received from the user, but entered into the database by the site owner / content creator.
The use case for this plug-in in our context is as follows.
A form is created as a Post, whose submit action is set to a Page (let’s call it form handler). The form handler contains PHP code in its body and the RunPHP plug-in is activated for that Page. When the form gets submitted, the form handler receives the data and the PHP code in its body is executed.
This is besides some rather glaring security issues in the form handler code (dynamic user-submitted variable evaluation, no input-sanitization, no parametrized SQL queries).
Can somebody here verify my doubts about runtime code execution plug-ins in WP?
Much appreciated.
Form code in a Post –
<form action="/?p=1234" method="post">
<input name="foobar" type="text" />
<input type="submit" />
</form>
Handler code in a Page (this is stored in the database, and eval()-ed at runtime) –
<?php
$foobar = $_POST["foobar"]; // Raw, unsanitized request data
$query = "INSERT INTO table (field) VALUES ('" . $foobar . "')"; // Variable concatenated into the query string: this is the SQL-injection vulnerability, but that's a separate issue, I think
?>
Difficult to say without seeing the actual site/code, but generally eval is a potential gateway for security problems. Imagine your site has an SQL injection problem somewhere: attackers have the possibility to not only inject data but also working PHP code into your application. Eval has some (few) valid areas of use, but in general I’d avoid it. WordPress is quite easy to extend, maybe try porting the functionality to plugins.
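To make the "port it to a plugin" suggestion concrete for the form handler shown in the question, here is an added example of the same form and handler rewritten as a small WordPress plugin loaded from disk rather than eval()-ed out of post_content. This is illustrative code, not code from the question, from RunPHP or from WordPress core; the hook and helper names (admin_post_*, check_admin_referer, sanitize_text_field, $wpdb->insert) are WordPress APIs, while the plugin name, the shortcode name, the action value foobar_submit, the nonce name and the placeholder table/field names ("table", "field", taken from the question's snippet) are assumptions:

```php
<?php
/*
 * Plugin Name: Foobar Form Handler (added example)
 * Assumption: illustrative rewrite of the question's handler, not code from
 * the question, RunPHP or WordPress core. "table" and "field" are the
 * placeholder names used in the question.
 */

// Render the form via a shortcode, so the Post contains [foobar_form]
// instead of raw HTML plus PHP stored in the database.
function foobar_render_form() {
    ob_start();
    ?>
    <form action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>" method="post">
        <input type="hidden" name="action" value="foobar_submit" />
        <?php wp_nonce_field( 'foobar_submit', 'foobar_nonce' ); ?>
        <input name="foobar" type="text" />
        <input type="submit" />
    </form>
    <?php
    return ob_get_clean();
}
add_shortcode( 'foobar_form', 'foobar_render_form' );

// Handle the submission in plugin code on disk; nothing is eval()-ed.
function foobar_handle_submit() {
    // CSRF check: stops with a 403 page if the nonce is missing or invalid.
    check_admin_referer( 'foobar_submit', 'foobar_nonce' );

    // Only the one expected field is read; it is unslashed and sanitized.
    $foobar = isset( $_POST['foobar'] )
        ? sanitize_text_field( wp_unslash( $_POST['foobar'] ) )
        : '';
    $back = wp_get_referer() ? wp_get_referer() : home_url( '/' );

    if ( $foobar === '' || strlen( $foobar ) > 255 ) {
        wp_safe_redirect( add_query_arg( 'foobar_status', 'invalid', $back ) );
        exit;
    }

    global $wpdb;
    // Parametrized insert: the '%s' format makes $wpdb escape the value, so
    // the submitted text can never alter the structure of the statement.
    $inserted = $wpdb->insert(
        $wpdb->prefix . 'table',      // placeholder table name from the question
        array( 'field' => $foobar ),  // placeholder column name from the question
        array( '%s' )
    );

    $status = ( $inserted === false ) ? 'error' : 'ok';
    wp_safe_redirect( add_query_arg( 'foobar_status', $status, $back ) );
    exit;
}
// Both logged-in and anonymous visitors reach the same handler.
add_action( 'admin_post_foobar_submit', 'foobar_handle_submit' );
add_action( 'admin_post_nopriv_foobar_submit', 'foobar_handle_submit' );
```

Compared with the original handler, three things change: the code lives in a file under wp-content/plugins, so a write to post_content can no longer become PHP execution; the nonce ties the submission to a form WordPress rendered, so arbitrary cross-site POSTs are rejected; and the value reaches MySQL only through $wpdb's format placeholders (an equivalent would be $wpdb->query( $wpdb->prepare( "INSERT INTO ... VALUES (%s)", $foobar ) )), which closes the injection the question's comment points out.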
Who submits these forms? If it can be submitted by anyone and everyone, what prevents them from executing code to fetch whatever interests them?
You can use this exploit to potentially read files, execute MySQL queries, etc.