[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f172SV6DGlujgNNLBSKOl-UqKq9vyTiHkcouSanqyV5g":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30,"vulnerabilities":31,"developer":46,"crawl_stats":37,"alternatives":53,"analysis":54,"fingerprints":102},"append-extensions-on-pages","Append extensions on Pages","1.1.2","Suresh Kumar Mukhiya","https:\u002F\u002Fprofiles.wordpress.org\u002Fsureshhardiya\u002F","\u003Cp>This plugin helps to appends .html on the wordpress pages when used with permalink. If you are a developer then you can modify this plugin to use any extension you want.\u003C\u002Fp>\n\u003Cp>You can choose the extension you want to have on your pages when used with permalik. Availble choices are .jsp, .htm, .html, .asp, .ror. 
Every time new extension is used, please make sure to refresh permalink.\u003C\u002Fp>\n","This plugin helps to appends .html or .asp or .htm etc on the wordpress pages when used with permalink.",900,11890,100,7,"2017-09-09T10:53:00.000Z","4.8.28","3.1","",[20,21,22,23,24],"html-on-permalink","add-aspx-on-pages","add-html-on-pages","add-php-on-pages","append-html-on-pages","http:\u002F\u002Fwww.skmukhiya.com.np","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fappend-extensions-on-pages.zip",63,1,"2025-09-22 00:00:00","2026-03-15T15:16:48.613Z",[32],{"id":33,"url_slug":34,"title":35,"description":36,"plugin_slug":4,"theme_slug":37,"affected_versions":38,"patched_in_version":37,"severity":39,"cvss_score":40,"cvss_vector":41,"vuln_type":42,"published_date":29,"updated_date":43,"references":44,"days_to_patch":37},"CVE-2025-57940","append-extensions-on-pages-authenticated-administrator-stored-cross-site-scripting","Append extensions on Pages \u003C= 1.1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting","The Append extensions on Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 
This only affects multi-site installations and installations where unfiltered_html has been disabled.",null,"\u003C=1.1.2","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2025-09-26 15:26:52",[45],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F06a29065-8e20-4ead-865f-addd84917336?source=api-prod",{"slug":47,"display_name":7,"profile_url":8,"plugin_count":48,"total_installs":49,"avg_security_score":50,"avg_patch_time_days":51,"trust_score":50,"computed_at":52},"sureshhardiya",4,1220,80,30,"2026-04-04T13:47:28.790Z",[],{"attackSurface":55,"codeSignals":81,"taintFlows":91,"riskAssessment":92,"analyzedAt":101},{"hooks":56,"ajaxHandlers":76,"restRoutes":77,"shortcodes":78,"cronEvents":79,"entryPointCount":80,"unprotectedCount":80},[57,63,67,70],{"type":58,"name":59,"callback":60,"file":61,"line":62},"action","init","aeop_html_page_permalink","append_extension_on_pages.php",13,{"type":58,"name":64,"callback":65,"file":61,"line":66},"admin_menu","aeop_settings_menu",19,{"type":58,"name":68,"callback":69,"file":61,"line":27},"admin_init","aeop_set_up_options",{"type":71,"name":72,"callback":73,"priority":74,"file":61,"line":75},"filter","user_trailingslashit","aeop_no_page_slash",66,127,[],[],[],[],0,{"dangerousFunctions":82,"sqlUsage":83,"outputEscaping":85,"fileOperations":80,"externalRequests":80,"nonceChecks":80,"capabilityChecks":80,"bundledLibraries":90},[],{"prepared":80,"raw":80,"locations":84},[],{"escaped":80,"rawEcho":28,"locations":86},[87],{"file":61,"line":88,"context":89},85,"raw output",[],[],{"summary":93,"deductions":94},"The \"append-extensions-on-pages\" plugin v1.1.2 exhibits a mixed security posture. 
The static analysis found no dangerous function calls, no SQL usage, no file operations and no external requests, so the attack surface is small, but two findings stand out. The only output statement the scan located (append_extension_on_pages.php, line 85) is a raw echo with no escaping, which is why 100% of outputs are counted as unescaped and why Cross-Site Scripting (XSS) is the main risk. This is consistent with the one known vulnerability, the medium severity stored XSS CVE-2025-57940, which has no patched version listed; the plugin was last updated in 2017, so a fix should not be assumed.\n\nThe vulnerability history consists of that single XSS issue, published in September 2025, so it shows one unaddressed flaw rather than a recurring pattern. Exploitation requires administrator-level access and only affects multi-site installations and installations where unfiltered_html has been disabled, which is reflected in the CVSS score of 4.4. The scan found no nonce or capability checks, but it also counted zero AJAX, REST, shortcode and cron entry points, so that figure is not a finding by itself; the settings code hooked on admin_menu and admin_init is where such checks would matter and should be reviewed by hand.\n\nIn conclusion, the attack surface in this version is small, and the lack of output escaping together with the unpatched XSS vulnerability are its main weaknesses. The recorded issue concerns input from administrator-level users rather than content from unprivileged visitors, so the exposure is highest on multi-site networks where site administrators are not fully trusted. 
Users should exercise extreme caution, and developers should prioritize addressing the unescaped output and the existing CVE.",[95,98],{"reason":96,"points":97},"Unpatched CVE (Medium Severity)",15,{"reason":99,"points":100},"100% of outputs unescaped",8,"2026-03-16T19:14:57.014Z",{"wat":103,"direct":109},{"assetPaths":104,"generatorPatterns":106,"scriptPaths":107,"versionParams":108},[105],"\u002Fwp-content\u002Fplugins\u002Fappend-extensions-on-pages\u002F",[],[],[],{"cssClasses":110,"htmlComments":116,"htmlAttributes":117,"restEndpoints":119,"jsGlobals":120,"shortcodeOutput":121},[111,112,113,114,115],"welcome-panel","welcome-panel-content","welcome-panel-column-container","welcome-panel-column","welcome-panel-last",[],[118],"id=\"aeop-submit-button\"",[],[],[]]