Functions that cannot be used safely should never be used.
DBMS_UTILITY.EXEC_DDL_STATEMENT
will only execute statements classified as part of the Data Definition Language. Other statements not supported by embedded SQL will be silently ignored. This behavior makes it difficult to detect errors when using the procedure.
[1] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 242
[2] How to write SQL injection proof PL/SQL