[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fX85shzYDwDuzN74h_49b6AUrOQF8Ims6unF6EqVkxO0":3,"$fiH02O5Rbpl6R1GKLZXsHhs0SMS_kMxCyB5laQp0uXnA":188,"$fJt8vf_YookH3X8YBTWt97YGepIiwF39OjxcEMoHfCgY":193},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":20,"download_link":21,"security_score":22,"vuln_count":13,"unpatched_count":13,"last_vuln_date":23,"fetched_at":24,"discovery_status":25,"vulnerabilities":26,"developer":27,"crawl_stats":23,"alternatives":32,"analysis":33,"fingerprints":169},"aati-wp-finetuning","AATI WP Finetuning","0.9.2","jseutens","https:\u002F\u002Fprofiles.wordpress.org\u002Fjseutens\u002F","\u003Cp>Fine tuning a WP setup by removing or adding options , just for easy updating setting on all my personal sites. If useful for someone else , use it 🙂\u003C\u002Fp>\n\u003Cp>Add form submission IP’s to fail2ban for Contact Form 7 and WS Form PRO.\u003Cbr \u002F>\nLog unkown user logins and wrong logins to fail2ban.\u003C\u002Fp>\n\u003Cp>Change the layout of the login form if you add a logo file , background file can be uploaded to but only is used when the special logo is uploaded.\u003C\u002Fp>\n","Fine tuning a WP setup by removing or adding options , just for easy updating setting on all my personal sites. 
If useful for someone else , use it :- &hellip;",30,2576,0,"2024-11-17T08:50:00.000Z","6.7.5","6.2.2","8.0",[19],"aati-finetuning-fail2ban-login-logon-security-cronjob","https:\u002F\u002Fgithub.com\u002Fjseutens\u002Faati-wp-finetuning\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faati-wp-finetuning.zip",92,null,"2026-04-16T10:56:18.058Z","no_bundle",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":28,"total_installs":29,"avg_security_score":22,"avg_patch_time_days":11,"trust_score":30,"computed_at":31},2,60,88,"2026-05-19T17:35:46.483Z",[],{"attackSurface":34,"codeSignals":139,"taintFlows":156,"riskAssessment":157,"analyzedAt":168},{"hooks":35,"ajaxHandlers":135,"restRoutes":136,"shortcodes":137,"cronEvents":138,"entryPointCount":13,"unprotectedCount":13},[36,42,47,49,52,54,57,62,68,75,81,85,87,90,93,97,101,105,107,111,115,119,122,125,128,132],{"type":37,"name":38,"callback":39,"file":40,"line":41},"action","plugins_loaded","aatiwpf_load_textdomain","aati-wp-finetuning.php",45,{"type":37,"name":43,"callback":44,"file":45,"line":46},"admin_notices","disable_wp_cron_admin_notice","includes\\admin\\aatiwpf_cron.php",35,{"type":37,"name":43,"callback":44,"file":45,"line":48},50,{"type":37,"name":43,"callback":50,"file":45,"line":51},"shell_exec_not_available_notice",61,{"type":37,"name":43,"callback":44,"file":45,"line":53},65,{"type":37,"name":43,"callback":55,"file":45,"line":56},"server_cron_status_admin_notices",72,{"type":37,"name":58,"callback":59,"file":60,"line":61},"admin_menu","AATIWPF_menu_setup","includes\\admin\\aatiwpf_settings.php",19,{"type":37,"name":63,"callback":64,"priority":65,"file":66,"line":67},"wp_login_failed","log_failed_attempt",1,"includes\\shared\\aatiwpf_anti-logon_f2b.php",7,{"type":69,"name":70,"callback":71,"priority":72,"file":73,"line":74},"filter","wpcf7_before_send_mail","closure",100,"includes\\shared\\aatiwpf_anti-spam_cf7.php",21,{"type":37,"name":76,"callback":77,"priority":78,"file":79,"line":
80},"wsf_action_tag","aatiwpf_action_function",10,"includes\\shared\\aatiwpf_anti-spam_wsform.php",8,{"type":69,"name":82,"callback":83,"file":84,"line":67},"wp_sitemaps_enabled","__return_false","includes\\shared\\aatiwpf_core.php",{"type":69,"name":86,"callback":83,"file":84,"line":78},"wp_is_application_passwords_available",{"type":69,"name":88,"callback":83,"file":84,"line":89},"allow_major_auto_core_updates",12,{"type":69,"name":91,"callback":83,"file":84,"line":92},"xmlrpc_enabled",16,{"type":37,"name":94,"callback":95,"file":84,"line":96},"template_redirect","disable_author_redirect",40,{"type":69,"name":98,"callback":71,"file":99,"line":100},"rest_endpoints","includes\\shared\\aatiwpf_functions.php",29,{"type":37,"name":102,"callback":103,"file":99,"line":104},"init","aatiwpf_clean_head",36,{"type":37,"name":102,"callback":106,"file":99,"line":53},"custom_wp_remove_global_css",{"type":37,"name":108,"callback":109,"file":99,"line":110},"admin_init","AATIWPF_deactivate_gravatar",79,{"type":69,"name":112,"callback":113,"file":114,"line":89},"login_headerurl","aatiwpf_login_logo_url","includes\\shared\\aatiwp_logon.php",{"type":69,"name":116,"callback":117,"file":114,"line":118},"login_headertext","aatiwpf_login_logo_url_title",17,{"type":37,"name":120,"callback":121,"file":114,"line":74},"login_enqueue_scripts","aatiwpf_add_logon_stylesheet",{"type":37,"name":120,"callback":123,"file":114,"line":124},"aatiwpf_add_logon_bg_stylesheet",28,{"type":37,"name":126,"callback":127,"file":114,"line":46},"wp_logout","aatiwpf_redirect_after_logout",{"type":37,"name":129,"callback":130,"file":114,"line":131},"customize_register","aatiwpf_add_custom_login_css",43,{"type":37,"name":120,"callback":133,"file":114,"line":134},"aatiwpf_add_custom_login_style_css",64,[],[],[],[],{"dangerousFunctions":140,"sqlUsage":145,"outputEscaping":147,"fileOperations":148,"externalRequests":13,"nonceChecks":13,"capabilityChecks":65,"bundledLibraries":155},[141],{"fn":142,"file":45,"line":143
,"context":144},"shell_exec",23,"$output = shell_exec('crontab -l');",{"prepared":13,"raw":13,"locations":146},[],{"escaped":148,"rawEcho":28,"locations":149},4,[150,153],{"file":45,"line":151,"context":152},46,"raw output",{"file":45,"line":154,"context":152},68,[],[],{"summary":158,"deductions":159},"The plugin \"aati-wp-finetuning\" v0.9.2 exhibits a mixed security posture. On the positive side, it has a very small attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events. The static scan found no SQL queries at all (neither prepared nor raw), and the plugin does not make external HTTP requests. This indicates good practices in preventing common web vulnerabilities.\n\nHowever, there are points worth attention. The plugin calls the dangerous function `shell_exec` in includes\\admin\\aatiwpf_cron.php (line 23) as `shell_exec('crontab -l')`. Because the argument is a fixed string literal, this call is not a command-injection vector on its own; the practical concerns are that it executes whatever `crontab` binary the shell resolves on the web server's PATH, that the captured output (presumably the web server user's crontab, used for the cron-status admin notices in the same file) is sensitive, and that the same file has two raw (unescaped) output locations (lines 46 and 68). Whether the unescaped output includes the crontab text cannot be determined from the scan data; if it does, it should be passed through esc_html() or esc_attr() before rendering. The scan also reports 0 nonce checks and 1 capability check; since no AJAX or REST handlers were found this is not currently a demonstrated gap, but any settings-saving form behind the admin_menu page should be verified to use both check_admin_referer() and a capability check. Of the 6 output locations, 2 (about 33%) are unescaped.\n\nThe plugin's vulnerability history is currently clean, with no recorded CVEs. This is a strength, but it does not replace code review. Overall the small attack surface limits exposure, and the remaining risk is concentrated in the admin-only cron page that shells out and echoes raw output. 
Developers should keep the `shell_exec` argument a fixed literal (never derived from request, option, or database data), guard the cron admin page with a capability check and a nonce, and escape the two raw output locations in includes\\admin\\aatiwpf_cron.php before they reach the browser.",[160,163,166],{"reason":161,"points":162},"Dangerous function detected (shell_exec)",15,{"reason":164,"points":165},"Moderate rate of unescaped output",5,{"reason":167,"points":165},"No nonce checks found (no AJAX handlers present; verify admin form handling)","2026-03-16T22:29:02.523Z",{"wat":170,"direct":179},{"assetPaths":171,"generatorPatterns":174,"scriptPaths":175,"versionParams":176},[172,173],"\u002Fwp-content\u002Fplugins\u002Faati-wp-finetuning\u002Fassets\u002Fcss\u002Faatiwpf-admin.css","\u002Fwp-content\u002Fplugins\u002Faati-wp-finetuning\u002Fassets\u002Fjs\u002Faatiwpf-admin.js",[],[173],[177,178],"aati-wp-finetuning\u002Fassets\u002Fcss\u002Faatiwpf-admin.css?ver=","aati-wp-finetuning\u002Fassets\u002Fjs\u002Faatiwpf-admin.js?ver=",{"cssClasses":180,"htmlComments":181,"htmlAttributes":182,"restEndpoints":184,"jsGlobals":185,"shortcodeOutput":187},[],[],[183],"data-aatiwpf-cron-status",[],[186],"aatiwpf_admin_params",[],{"error":189,"url":190,"statusCode":191,"statusMessage":192,"message":192},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Faati-wp-finetuning\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":13,"versions":194},[]]