[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fNwC35zSgl2-3-UCKpclmoORS-bXct7YgJtj3YE7VS4w":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":14,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30,"vulnerabilities":31,"developer":47,"crawl_stats":37,"alternatives":50,"analysis":153,"fingerprints":235},"aapanel-wp-toolkit","aapanel WP Toolkit","1.2","aapanel","https:\u002F\u002Fprofiles.wordpress.org\u002Faapanel\u002F","\u003Cp>Allows you to manage WordPress remotely on aapanel, one-click login, and some features will be coming in the future.\u003C\u002Fp>\n\u003Ch3>License\u003C\u002Fh3>\n\u003Cp>This file is part of aapanel WP Toolkit.\u003C\u002Fp>\n\u003Cp>aapanel WP Toolkit is free software: you can redistribute it and\u002For modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.\u003C\u002Fp>\n\u003Cp>aapanel WP Toolkit is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.\u003C\u002Fp>\n\u003Cp>You should have received a copy of the GNU General Public License along with ManageWP Worker. 
If not, see \u003Ca href=\"https:\u002F\u002Fwww.gnu.org\u002Flicenses\u002F\" rel=\"nofollow ugc\">https:\u002F\u002Fwww.gnu.org\u002Flicenses\u002F\u003C\u002Fa>.\u003C\u002Fp>\n","A better way to manage dozens of WordPress websites.",1000,3914,100,1,"2025-07-29T02:40:00.000Z","6.8.5","3.0","",[20,21,22,23,24],"administration","automatic","login","manage-wordpress","remote","https:\u002F\u002Fwww.aapanel.com\u002Fnew\u002Ffeature\u002Fwp.html","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faapanel-wp-toolkit.1.2.zip",98,0,"2025-07-17 16:21:33","2026-03-15T15:16:48.613Z",[32],{"id":33,"url_slug":34,"title":35,"description":36,"plugin_slug":4,"theme_slug":37,"affected_versions":38,"patched_in_version":6,"severity":39,"cvss_score":40,"cvss_vector":41,"vuln_type":42,"published_date":29,"updated_date":43,"references":44,"days_to_patch":46},"CVE-2025-6813","aapanel-wp-toolkit-missing-authorization-to-authenticated-subscriber-privilege-escalation-via-autologin-function","aapanel WP Toolkit 1.0 - 1.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via auto_login() Function","The aapanel WP Toolkit plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks within the auto_login() function in versions 1.0 to 1.1. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to bypass all role checks and gain full admin privileges.",null,">=1.0 \u003C=1.1","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Missing Authorization","2025-11-05 21:40:21",[45],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F430a0b93-2cb7-45bf-86ac-4a8b3a0be77a?source=api-prod",111,{"slug":7,"display_name":7,"profile_url":8,"plugin_count":14,"total_installs":11,"avg_security_score":27,"avg_patch_time_days":46,"trust_score":48,"computed_at":49},78,"2026-04-04T09:21:02.282Z",[51,72,94,116,138],{"slug":52,"name":53,"version":54,"author":55,"author_profile":56,"description":57,"short_description":58,"active_installs":59,"downloaded":60,"rating":61,"num_ratings":48,"last_updated":62,"tested_up_to":63,"requires_at_least":64,"requires_php":65,"tags":66,"homepage":70,"download_link":71,"security_score":61,"vuln_count":28,"unpatched_count":28,"last_vuln_date":37,"fetched_at":30},"remove-dashboard-access-for-non-admins","Remove Dashboard Access","1.2.1","TrustedLogin","https:\u002F\u002Fprofiles.wordpress.org\u002Ftrustedlogin\u002F","\u003Cp>The easiest and safest way to restrict access to your WordPress site’s Dashboard and administrative menus. Remove Dashboard Access is a lightweight plugin that automatically redirects users who shouldn’t have access to the Dashboard to a custom URL of your choosing. 
Redirects can also be configured on a per-role\u002Fper-capability basis, allowing you to keep certain users out of the Dashboard, while retaining access for others.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Limit Dashboard access to user roles:\n\u003Cul>\n\u003Cli>Admins only\u003C\u002Fli>\n\u003Cli>Admins + editors\u003C\u002Fli>\n\u003Cli>Admins, editors, and authors\u003C\u002Fli>\n\u003Cli>or restrict by specific user capability\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Choose your own redirect URL\u003C\u002Fli>\n\u003Cli>Optionally allow users to edit their profiles\u003C\u002Fli>\n\u003Cli>Display a message on the login screen so users know why they’re being redirected\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Blocking access to the Dashboard is a great way to prevent clients from breaking their sites, prevent users from seeing things they shouldn’t, and to keep your site’s backend more secure.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Allow only users with roles or capabilities:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>You can restrict Dashboard access to Admins only, Editors or above, Authors or above, or by selecting a specific user capability.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Grant access to user profiles:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Optionally allow all users the ability to edit their profiles in the Dashboard. Users lacking the chosen capability won’t be able to access any other sections of the Dashboard.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Show a custom login message:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Supply a message to display on the login screen. Leaving this blank disables the message.\u003C\u002Fli>\n\u003C\u002Ful>\n","Disable Dashboard access for users of a specific role or capability. Disallowed users are redirected to a chosen URL. 
Get set up in seconds.",30000,467245,92,"2024-11-29T20:13:00.000Z","6.7.5","3.1.0","5.3",[67,20,68,22,69],"access","dashboard","restrict","https:\u002F\u002Fwww.trustedlogin.com\u002Fremove-dashboard-access\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fremove-dashboard-access-for-non-admins.1.2.1.zip",{"slug":73,"name":74,"version":75,"author":76,"author_profile":77,"description":78,"short_description":79,"active_installs":80,"downloaded":81,"rating":82,"num_ratings":83,"last_updated":84,"tested_up_to":85,"requires_at_least":86,"requires_php":18,"tags":87,"homepage":91,"download_link":92,"security_score":93,"vuln_count":28,"unpatched_count":28,"last_vuln_date":37,"fetched_at":30},"autologin-links","Autologin Links","1.12.0","WPAutoLogin","https:\u002F\u002Fprofiles.wordpress.org\u002Fwpautologin\u002F","\u003Cp>This plugin allows administrators to generate autologin links for their\u003Cbr \u002F>\nWordPress website, logging in visitors under a certain user name. Administrators\u003Cbr \u002F>\ncan edit (generate and delete) autologin links for users; users can only view\u003Cbr \u002F>\ntheir autologin links. Note that \u003Cstrong>this plugin bypasses the standard\u003Cbr \u002F>\nauthentication method of WordPress via login and password and should only be\u003Cbr \u002F>\nused if you understand the security issues mentioned below and on the\u003Cbr \u002F>\n\u003Ca href=\"http:\u002F\u002Fwww.craftware.nl\u002Fwordpress-autologin\u002F\" rel=\"nofollow ugc\">plugin website\u003C\u002Fa>.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Usage\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Once this plugin is activated, administrators can generate autologin links on\u003Cbr \u002F>\nthe edit profile administration pages for different users. Users can view their\u003Cbr \u002F>\nautologin links on their profile pages. 
Autologin links are of the form:\u003C\u002Fp>\n\u003Cp>http:\u002F\u002Fyourwebsite\u002F[subdirectory\u002F]?autologin_code=ABC123\u003C\u002Fp>\n\u003Cp>For more convenience it is possible since version 1.05 to generate login links\u003Cbr \u002F>\ndirectly using the WordPress site-preview functionality. When viewing the page\u003Cbr \u002F>\nwhile being logged in as an administrator, the top bar will show an extra item\u003Cbr \u002F>\n“Auto-login link”. When pointing at the menu item, a dropdown list will list\u003Cbr \u002F>\nall users for whom autologin links were generated on their profile pages. When\u003Cbr \u002F>\nclicking on one of the users, a popup will open showing the link that will\u003Cbr \u002F>\nautomatically log in a visitor as the selected user and bring him to the\u003Cbr \u002F>\ncurrent page.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Security issues\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Since autologin links are meant to be an OPEN way to log in to\u003Cbr \u002F>\nyour website and can be viewed by users on their profile, it might be considered\u003Cbr \u002F>\nan INSECURE plugin for WordPress. I did my best to make it as secure as possible\u003Cbr \u002F>\nto fit my own needs, but this led to some design choices which might not sit\u003Cbr \u002F>\nwell with all administrators:\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Autologin codes are saved as plain text.\u003C\u002Fstrong> This means that anyone who can\u003Cbr \u002F>\nexecute queries on the WordPress database (plugins, administrators, system\u003Cbr \u002F>\nadministrators) can obtain the autologin code for a certain user. I planned an\u003Cbr \u002F>\nextension of this plugin where login codes are hashed. However, this again has\u003Cbr \u002F>\nthe disadvantage that no one can redisplay a once generated login link.\u003C\u002Fp>\n\u003Cp>This is the most severe problem. 
For a full self-assessment of possible security\u003Cbr \u002F>\nissues regarding this problem, please visit the\u003Cbr \u002F>\n\u003Ca href=\"http:\u002F\u002Fwww.craftware.nl\u002Fwordpress-autologin\u002F\" rel=\"nofollow ugc\">plugin website\u003C\u002Fa>.\u003C\u002Fp>\n","WARNING: THIS PLUGIN CAN BE INSECURE IF NOT USED CAUTIOUSLY. Allows selected users to autologin to your WordPress website via autologin links.",8000,56259,94,15,"2021-02-24T21:07:00.000Z","5.6.17","4.9.8",[88,21,89,90,22],"auto","link","links","https:\u002F\u002Fwww.craftware.info\u002Fprojects-lists\u002Fwordpress-autologin\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fautologin-links.zip",85,{"slug":95,"name":96,"version":97,"author":98,"author_profile":99,"description":100,"short_description":101,"active_installs":102,"downloaded":103,"rating":13,"num_ratings":104,"last_updated":105,"tested_up_to":106,"requires_at_least":107,"requires_php":108,"tags":109,"homepage":112,"download_link":113,"security_score":114,"vuln_count":14,"unpatched_count":28,"last_vuln_date":115,"fetched_at":30},"slash-admin","Slash Admin","3.8.3","Giorgos Sarigiannidis","https:\u002F\u002Fprofiles.wordpress.org\u002Fgsarig\u002F","\u003Cp>Slash Admin gathers some common functions that you probably need in most of your websites. 
The plugin lets you change various options in a WordPress website, keeps them active even if you switch your theme and helps you create a friendlier Admin Panel for you and your editors.\u003C\u002Fp>\n\u003Cp>If you are lost with the many options, here’s a presentation of the plugin’s \u003Ca href=\"https:\u002F\u002Fwww.gsarigiannidis.gr\u002Fslash-admin-best-features\u002F\" rel=\"nofollow ugc\">best features\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cp>\u003Cem>Frontend\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Option to point to a static splash page.\u003C\u002Fli>\n\u003Cli>Option to convert email address characters to HTML entities to block spam bots.\u003C\u002Fli>\n\u003Cli>Show EU Cookie Law consent message (check screenshots about available options). Since v.3.0 it also supports WPML for a different message per language.\u003C\u002Fli>\n\u003Cli>Add a “Loading” animation which hides itself when the page is fully loaded\u003C\u002Fli>\n\u003Cli>Enqueue your own Google Web Fonts, with an option to load them locally for better performance and privacy\u003C\u002Fli>\n\u003Cli>Get rid of the word “Category:” in front of the Archive title (usually needed if your theme uses the_archive_title()).\u003C\u002Fli>\n\u003Cli>Add excerpt support to pages.\u003C\u002Fli>\n\u003Cli>Enable the use of shortcodes in widgets.\u003C\u002Fli>\n\u003Cli>Display a warning for users of old versions of Internet Explorer (IE8 or older). 
Yes, sadly there are still people who use Internet Explorer 8…\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>Administration\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Insert Google Analytics tracking code (so that you don’t have to remember to re-enter it in case you switch themes in the future)\u003C\u002Fli>\n\u003Cli>Hide Site Health from everyone except for a selected Admin (\u003Ca href=\"https:\u002F\u002Fwww.gsarigiannidis.gr\u002Fhow-to-hide-wordpress-site-health-from-everyone-but-you\u002F\" rel=\"nofollow ugc\">read more\u003C\u002Fa>)\u003C\u002Fli>\n\u003Cli>Hide ACF options from everyone except for the selected Admin\u003C\u002Fli>\n\u003Cli>Since WordPress 5.2 there is a built-in feature that detects when a plugin or theme causes a fatal error on your site, and notifies you with an automated email. By default, it will be sent to the admin email. Slash Admin allows you to override it (you can also add multiple recipients if you like). \u003Ca href=\"https:\u002F\u002Fwww.gsarigiannidis.gr\u002Fhow-to-hide-wordpress-site-health-from-everyone-but-you\u002F\" rel=\"nofollow ugc\">Read more\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Change the address that receives the Plugin and Theme auto-update email notifications\u003C\u002Fli>\n\u003Cli>Make WordPress respect the order of the tags you insert in a post (\u003Ca href=\"https:\u002F\u002Fwww.gsarigiannidis.gr\u002Fwordpress-post-tags-order\" rel=\"nofollow ugc\">read more\u003C\u002Fa>)\u003C\u002Fli>\n\u003Cli>Limit the number of revisions that WordPress keeps for each post (keeps the database cleaner)\u003C\u002Fli>\n\u003Cli>Prevent Post Updates and Deletion After a Set Period. 
Useful if you have many editors or in cases where an editor’s account is compromised, adding spam code to the posts (by disallowing editing of older posts you limit the damage)\u003C\u002Fli>\n\u003Cli>Enable Jetpack development mode\u003C\u002Fli>\n\u003Cli>Move Jetpack share and like buttons\u003C\u002Fli>\n\u003Cli>Maintenance mode. If checked, non-Admins will not be able to access the WordPress backend and they will see a customizable message instead. Useful if you want to perform some maintenance work on your website and you don’t want your Editors to add or modify the content before you finish. Admins are not affected and they can always log in as usual.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>Login screen\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Add your custom logo at the WordPress log-in screen\u003C\u002Fli>\n\u003Cli>Make the login screen logo (custom or default) link to your website’s homepage instead of wordpress.org\u003C\u002Fli>\n\u003Cli>After login, redirect users to the homepage instead of their profile page\u003C\u002Fli>\n\u003Cli>Disable the Admin Bar for all users except Administrators. Applies only to the front-end. It’s useful if you want your site to be visible only to logged-in users (e.g. during the development phase), but you don’t want them to access the dashboard or get confused with the admin bar\u003C\u002Fli>\n\u003Cli>Add your custom CSS to the login screen to completely change its appearance\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>Non-admins\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Hide unnecessary options from the Admin menu for non admins (so editors won’t get overwhelmed with options that have no meaning for the current website).\u003C\u002Fli>\n\u003Cli>Disable tags and categories\u003C\u002Fli>\n\u003Cli>Hide specific pages from non admins. 
For example, you might not want your editors to have access to the static frontpage, the blog page or pages that you use as page templates.\u003C\u002Fli>\n\u003Cli>Allow editors to manage Menus and Widgets and access some other appearance settings previously accessible only to admins (for example, you might want to give your client the option to modify the website’s menu, but you would rather avoid making him\u002Fher an administrator).\u003C\u002Fli>\n\u003Cli>Hide notices about updating WordPress and other plugins for all users except for Admins (sometimes clients get confused with those notices and think that there is something wrong with the website).\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>White label backend\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Change the “Howdy” message at the top right corner of the admin (both backend and logged-in frontend)\u003C\u002Fli>\n\u003Cli>Change the default footer text in the admin\u003C\u002Fli>\n\u003Cli>Replace the WordPress logo at the top left corner of the admin bar with your own (both backend and logged-in frontend)\u003C\u002Fli>\n\u003Cli>Replace the default Welcome message at the Dashboard with your own\u003C\u002Fli>\n\u003Cli>Add a Dashboard Widget to provide general or commercial information to your clients (for example: your contact info or links to support documentation)\u003C\u002Fli>\n\u003Cli>Add your own custom CSS for the Admin area\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>Performance\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Disable Emojis\u003C\u002Fli>\n\u003Cli>Disable wp-embed script from the frontend or load it conditionally\u003C\u002Fli>\n\u003Cli>DNS prefetching notifies the client that there are assets we’ll need later from a specific URL (outside our website’s domain) so the browser can resolve the DNS as quickly as possible.\u003C\u002Fli>\n\u003Cli>Link prefetching and prerendering. 
Link prefetching is a browser mechanism, which utilizes browser idle time to download or prefetch documents that the user might visit in the near future. A web page provides a set of prefetching hints to the browser, and after the browser is finished loading the page, it begins silently prefetching specified documents and stores them in its cache. When the user visits one of the prefetched documents, it can be served up quickly out of the browser’s cache. Prerendering downloads and renders the entire page and hides it from the user until it is requested, therefore, it should be used with caution.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>Shortcodes\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>If you manually include email addresses in your posts, you should consider disguising them in order to “fool” e-mail harvesters (check FAQ for details).\u003C\u002Fli>\n\u003Cli>Show a telephone number in a way that it is clickable. When clicked, if you are on a mobile device it opens the phone’s dialer and if you are on a desktop computer it prompts to make a call via a related program (e.g. Skype).\u003C\u002Fli>\n\u003Cli>If you develop your site on localhost or on a temporary URL, you might want to avoid absolute URLs inside posts and pages. That way you don’t need to update your links after migrating to your actual domain (check FAQ for details). \u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>Development functions\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Using \u003Ccode>slash_dump()\u003C\u002Fcode> instead of \u003Ccode>var_dump()\u003C\u002Fcode> will wrap the output in \u003Ccode>\u003Cpre>\u003C\u002Fpre>\u003C\u002Fcode> tags, for better readability. 
\u003Ccode>slash_admin_dump()\u003C\u002Fcode> does the same thing, only this time the output is only visible to admins (can be handy if you want to debug a live site).\u003C\u002Fli>\n\u003Cli>Show warnings if the site is on air and debug mode is still on and if the site is on localhost and debug mode is off. Also, show a warning if the website is on air and you have chosen to hide it from Search Engines.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>Notifications\u003C\u002Fem>\u003C\u002Fp>\n\u003Cp>Slash Admin displays the following notifications:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>A list with the users who logged in during the past 15 minutes (except for you, obviously)\u003C\u002Fli>\n\u003Cli>A warning when debug mode is enabled (you should enable it when developing, but disable it when the site goes live)\u003C\u002Fli>\n\u003Cli>A warning when your site is hidden from search engines\u003C\u002Fli>\n\u003C\u002Ful>\n","Dozens of settings aiming at creating a friendlier administration environment for both Administrators and Editors.",500,27689,9,"2024-03-01T12:59:00.000Z","6.4.8","5.0","7.0",[110,20,68,22,111],"admin","wordpress","http:\u002F\u002Fwordpress.org\u002Fplugins\u002Fslash-admin\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fslash-admin.3.8.3.zip",84,"2024-04-23 00:00:00",{"slug":117,"name":118,"version":119,"author":120,"author_profile":121,"description":122,"short_description":123,"active_installs":124,"downloaded":125,"rating":126,"num_ratings":127,"last_updated":128,"tested_up_to":16,"requires_at_least":107,"requires_php":18,"tags":129,"homepage":134,"download_link":135,"security_score":136,"vuln_count":14,"unpatched_count":28,"last_vuln_date":137,"fetched_at":30},"ws-force-login-page","WS Force Login Page","3.0.4","Silver Muru","https:\u002F\u002Fprofiles.wordpress.org\u002Fsilvermuru\u002F","\u003Cp>WS Force Login Page forces users who are not logged in to the login page by redirecting them. This makes it a good tool for developers who set up sites that are still in development, by restricting access to the site and its content. Or, when you want to put all site articles behind a password, this plugin will do that! It also works with domains that include umlaut letters like ö, ä, õ, ü\u003C\u002Fp>\n\u003Cp>Also suitable for putting the site into maintenance mode and showing a custom message in the login view.\u003C\u002Fp>\n","Redirects users to the login page if they are not logged in; also works with domains that include umlaut letters like ö, ä, õ, ü",400,15422,90,2,"2025-05-19T15:02:00.000Z",[20,130,131,132,133],"force-user-login","hidden","maintenance-mode","under-construction","https:\u002F\u002Fwww.silvermuru.ee\u002Fen\u002Fwordpress\u002Fplugins\u002Fws-force-login-page\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fws-force-login-page.3.0.4.zip",99,"2025-04-24 00:00:00",{"slug":139,"name":140,"version":141,"author":142,"author_profile":143,"description":144,"short_description":145,"active_installs":13,"downloaded":146,"rating":13,"num_ratings":14,"last_updated":147,"tested_up_to":106,"requires_at_least":64,"requires_php":18,"tags":148,"homepage":151,"download_link":152,"security_score":93,"vuln_count":28,"unpatched_count":28,"last_vuln_date":37,"fetched_at":30},"hidemein","HideMeIn","1.0.4","Daniele Alessandra","https:\u002F\u002Fprofiles.wordpress.org\u002Fdanielealessandra\u002F","\u003Cp>HideMeIn is a WordPress Plugin that hides you from other users’ eyes.\u003Cbr \u002F>\nOnce installed and activated, no one will see you in the administrators’ dashboard, nor in the users administration page.\u003C\u002Fp>\n\u003Cp>What it does\u003C\u002Fp>\n\u003Cul>\n\u003Cli>It hides you! 
Only you will see your name in the administrator’s pages.\u003C\u002Fli>\n\u003Cli>It hides itself; only you will see that this plugin is running.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>What it does not\u003C\u002Fp>\n\u003Cul>\n\u003Cli>It does not grant access to a WordPress installation if you are not authorized.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Compatibility\u003C\u002Fp>\n\u003Cp>This plugin is written without any particular hacks, so it is virtually compatible with any other existing plugin. If you are experiencing problems with this plugin, please tell me your theme name and list all plugins you are using; I’ll do my best to fix any incompatibility issues.\u003C\u002Fp>\n\u003Cp>Demo\u003C\u002Fp>\n\u003Cp>This plugin needs Administrator capabilities to work; because of this I’m not able to set up a demo for you at the moment.\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>THIS SOFTWARE IS PROVIDED BY THE AUTHOR “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\u003Cbr \u002F>\n  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n","HideMeIn is a WordPress Plugin that hides you from other users’ eyes. 
Once installed and activated no one will see you in administrators’ dashboard, n &hellip;",2625,"2023-10-25T15:10:00.000Z",[110,20,22,149,150],"secret","user","http:\u002F\u002Fwordpress.org\u002Fplugins\u002Fhidemein\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhidemein.zip",{"attackSurface":154,"codeSignals":190,"taintFlows":217,"riskAssessment":218,"analyzedAt":234},{"hooks":155,"ajaxHandlers":186,"restRoutes":187,"shortcodes":188,"cronEvents":189,"entryPointCount":28,"unprotectedCount":28},[156,162,166,170,173,177,180],{"type":157,"name":158,"callback":159,"file":160,"line":161},"action","set_auth_cookie","closure","includes\\class-aapanel-wp-toolkit-agent.php",81,{"type":157,"name":163,"callback":164,"priority":28,"file":165,"line":126},"wp_loaded","dispatch_to_agent","includes\\class-aapanel-wp-toolkit.php",{"type":157,"name":167,"callback":168,"file":165,"line":169},"admin_init","enqueue_jquery_dialog_modal_scripts",91,{"type":157,"name":171,"callback":172,"file":165,"line":61},"admin_print_styles","enqueue_jquery_dialog_modal_styles",{"type":157,"name":174,"callback":175,"file":165,"line":176},"admin_footer","render_security_key_dialog_modal_html",93,{"type":157,"name":171,"callback":178,"file":165,"line":179},"render_security_key_dialog_modal_styles",101,{"type":181,"name":182,"callback":183,"priority":184,"file":165,"line":185},"filter","plugin_row_meta","add_view_security_key_info_link",10,102,[],[],[],[],{"dangerousFunctions":191,"sqlUsage":192,"outputEscaping":197,"fileOperations":14,"externalRequests":28,"nonceChecks":28,"capabilityChecks":127,"bundledLibraries":216},[],{"prepared":28,"raw":14,"locations":193},[194],{"file":160,"line":195,"context":196},47,"$wpdb->get_var() with variable interpolation",{"escaped":198,"rawEcho":199,"locations":200},4,7,[201,204,206,208,210,212,214],{"file":165,"line":202,"context":203},310,"raw 
output",{"file":165,"line":205,"context":203},{"file":165,"line":207,"context":203},{"file":165,"line":209,"context":203},{"file":165,"line":211,"context":203},{"file":165,"line":213,"context":203},{"file":165,"line":215,"context":203},[],[],{"summary":219,"deductions":220},"The security posture of the \"aapanel-wp-toolkit\" plugin v1.2 is mixed. On the positive side, the static attack surface is small: no AJAX handlers, REST API routes, shortcodes or cron events were found, so the plugin's only entry points are its hooks. Those are a wp_loaded dispatcher (dispatch_to_agent in includes\u002Fclass-aapanel-wp-toolkit.php) that services requests from the aapanel side, a set_auth_cookie closure in includes\u002Fclass-aapanel-wp-toolkit-agent.php, and the admin_init, admin_print_styles, admin_footer and plugin_row_meta hooks that render the security-key dialog on the plugins page. No dangerous functions and no outbound HTTP requests were detected, and the taint analysis reported no critical or high severity flows with unsanitized paths.\n\nThe weaknesses are in the code signals. The plugin's single SQL query, a $wpdb->get_var() call in includes\u002Fclass-aapanel-wp-toolkit-agent.php, interpolates a variable into the query string instead of passing it through $wpdb->prepare(); whether that is exploitable depends on where the interpolated value originates, but it is the pattern that produces SQL injection and it is cheap to fix. Only 4 of 11 output sites (36%) are escaped, which is a Cross-Site Scripting risk in the admin markup the plugin prints. No nonce checks were found and only two capability checks exist in the whole plugin. For the wp_loaded dispatcher, which is driven by the remote aapanel agent rather than by a browser form, a WordPress nonce is not the applicable control; what matters there is that the shared security key is verified before any action is dispatched and that auto-login only ever issues a session the caller is entitled to. That is where CVE-2025-6813 sat: in versions 1.0 to 1.1 auto_login() lacked an authorization check, so any authenticated user with Subscriber-level access could bypass the role checks and obtain full administrator privileges. The fix shipped in 1.2 and the CVE is listed as patched.\n\nThere are currently no unpatched CVEs. Because the one past high-severity finding was a missing-authorization bug and the static analysis still counts very few authorization checks, authorization around the agent dispatch path is the first thing to review when auditing this plugin. Operators should verify they are running 1.2 or later, and should treat the security key shown in the plugin's dialog as a credential equivalent to an administrator password, since it is what authorizes the remote one-click login.",[221,223,226,229,232],{"reason":222,"points":184},"The plugin's only SQL query is built without $wpdb->prepare()",{"reason":224,"points":225},"Only 4 of 11 output sites (36%) are escaped",6,{"reason":227,"points":228},"No nonce checks on any entry points",8,{"reason":230,"points":231},"Only 2 capability checks for the entire plugin",5,{"reason":233,"points":83},"Past high severity vulnerability (Missing Authorization)","2026-03-16T18:45:53.770Z",{"wat":236,"direct":243},{"assetPaths":237,"generatorPatterns":240,"scriptPaths":241,"versionParams":242},[238,239],"\u002Fwp-content\u002Fplugins\u002Faapanel-wp-toolkit\u002Fassets\u002Fcss\u002Fdialog.css","\u002Fwp-content\u002Fplugins\u002Faapanel-wp-toolkit\u002Fassets\u002Fjs\u002Fdialog.js",[],[],[],{"cssClasses":244,"htmlComments":246,"htmlAttributes":247,"restEndpoints":249,"jsGlobals":250,"shortcodeOutput":251},[245],"aap-dialog",[],[248],"id=\"aap-wp-view-security-key\"",[],[],[]]
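The controls the analysis flags as missing or weak (authorization before a session is issued, prepared SQL, nonce and capability checks on browser-driven actions, output escaping), shown together in an added PHP example. This is not code from aapanel WP Toolkit and does not reproduce its auto_login() implementation; every aap_example_* function, the option keys 'aap_example_security_key' and 'aap_example_allowed_logins', and the request shape are assumptions made for illustration. The vulnerable form is quoted in a comment next to each hardened call.

```php
<?php
// Added example, not code from aapanel WP Toolkit. All aap_example_* names
// and option keys are assumptions made for illustration.

/**
 * Verify the shared security key presented by the remote agent.
 * hash_equals() compares in constant time, so a wrong key does not leak how
 * many leading bytes matched. The weak forms are a plain `==` comparison, or
 * no comparison at all before the request is dispatched.
 */
function aap_example_agent_is_authenticated( string $presented_key ): bool {
    $stored_key = (string) get_option( 'aap_example_security_key', '' );
    if ( '' === $stored_key || '' === $presented_key ) {
        return false; // an unconfigured key must never authenticate anyone
    }
    return hash_equals( $stored_key, $presented_key );
}

/**
 * Resolve a login name to a user ID with a prepared statement.
 * The flagged pattern interpolates the variable straight into the SQL:
 *   $wpdb->get_var( "SELECT ID FROM {$wpdb->users} WHERE user_login = '$login'" );
 * With a %s placeholder, $wpdb->prepare() quotes and escapes the value.
 */
function aap_example_find_user_id( string $login ): ?int {
    global $wpdb;
    $id = $wpdb->get_var(
        $wpdb->prepare( "SELECT ID FROM {$wpdb->users} WHERE user_login = %s", $login )
    );
    return null === $id ? null : (int) $id;
}

/**
 * Issue a session for the requested account only after both checks pass.
 * CVE-2025-6813 was the absence of authorization at this point: in 1.0-1.1
 * any authenticated Subscriber could reach auto_login() and end up with an
 * administrator cookie. This version never relies on who is currently logged
 * in; it relies on the agent key plus an explicit allow-list of accounts the
 * agent may become, so a caller cannot escalate by naming a different user.
 */
function aap_example_auto_login( string $presented_key, string $login ): bool {
    if ( ! aap_example_agent_is_authenticated( $presented_key ) ) {
        return false;
    }
    $allowed = (array) get_option( 'aap_example_allowed_logins', array() );
    if ( ! in_array( $login, $allowed, true ) ) {
        return false; // the agent is not permitted to become this account
    }
    $user_id = aap_example_find_user_id( $login );
    if ( null === $user_id ) {
        return false;
    }
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id, false, is_ssl() );
    return true;
}

/**
 * Admin-side rendering of the security-key dialog. This path is driven by a
 * browser, so it needs a capability check, a nonce for the rotate action and
 * output escaping. `echo $key;` without esc_html() is the raw-output pattern
 * the static analysis counted at seven sites.
 */
function aap_example_render_security_key_dialog(): void {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $key = (string) get_option( 'aap_example_security_key', '' );
    printf(
        '<div id="aap-example-dialog"><code>%s</code><form method="post">%s<button name="aap_example_rotate">Rotate key</button></form></div>',
        esc_html( $key ),
        wp_nonce_field( 'aap_example_rotate_key', '_aap_nonce', true, false )
    );
}

/** Handle the rotate action: capability check, then nonce check, then write. */
function aap_example_handle_rotate_key(): void {
    if ( ! isset( $_POST['aap_example_rotate'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    check_admin_referer( 'aap_example_rotate_key', '_aap_nonce' );
    update_option( 'aap_example_security_key', wp_generate_password( 64, false ), false );
}

add_action( 'admin_footer', 'aap_example_render_security_key_dialog' );
add_action( 'admin_init', 'aap_example_handle_rotate_key' );
```

The dispatcher that receives the agent's request would call aap_example_auto_login() with the key and login name from the request body; with an empty allow-list the function refuses every login, which is the safe default until an operator has configured which accounts the agent may use. The capability check runs before check_admin_referer() on purpose: a nonce proves the request came from the current user's own page, not that the user is allowed to perform the action.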