[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwah_danQyaYKcxRN3jmKwk1jI9hZJf9Vt0Cx2gelzRg":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":19,"download_link":20,"security_score":21,"vuln_count":22,"unpatched_count":13,"last_vuln_date":23,"fetched_at":24,"vulnerabilities":25,"developer":53,"crawl_stats":31,"alternatives":61,"analysis":62,"fingerprints":184},"ashe-extra","Ashe Extra","1.3","WP Royal","https:\u002F\u002Fprofiles.wordpress.org\u002Fwproyal\u002F","\u003Cp>Adds One Click Demo Import functionality for Ashe theme. When activated you will be able to import Demo Content for the Ashe theme.\u003C\u002Fp>\n","Adds One Click Demo Import functionality for Ashe theme.",3000,60876,0,"2025-01-07T07:48:00.000Z","6.7.5","4.6","",[],"http:\u002F\u002Fwordpress.org\u002Fplugins\u002Fashe-extra\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fashe-extra.zip",91,2,"2024-12-30 00:00:00","2026-03-15T15:16:48.613Z",[26,41],{"id":27,"url_slug":28,"title":29,"description":30,"plugin_slug":4,"theme_slug":31,"affected_versions":32,"patched_in_version":6,"severity":33,"cvss_score":34,"cvss_vector":35,"vuln_type":36,"published_date":23,"updated_date":37,"references":38,"days_to_patch":40},"CVE-2024-56244","ashe-extra-missing-authorization","Ashe Extra \u003C= 1.2.92 - Missing Authorization","The Ashe Extra plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the ashextra_import_xml() function in versions up to, and including, 1.2.92. 
This makes it possible for authenticated attackers, with subscriber-level access and above, to import XML.",null,"\u003C=1.2.92","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2025-01-08 18:43:50",[39],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6af02955-2ea4-459a-bea7-ecbe35232ec5?source=api-prod",10,{"id":42,"url_slug":43,"title":44,"description":45,"plugin_slug":4,"theme_slug":31,"affected_versions":46,"patched_in_version":47,"severity":33,"cvss_score":34,"cvss_vector":35,"vuln_type":36,"published_date":48,"updated_date":49,"references":50,"days_to_patch":52},"CVE-2023-46079","ashe-extra-missing-authorization-via-multiple-ajax-actions","Ashe Extra \u003C= 1.2.91 - Missing Authorization via multiple AJAX actions","The Ashe Extra plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions in the ashe-extra.php file in versions up to, and including, 1.2.91. 
This makes it possible for authenticated attackers, with subscriber-level access and above, to activate companion plugins and import content.","\u003C=1.2.91","1.2.92","2023-10-16 00:00:00","2024-11-21 17:19:52",[51],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F09551d22-c8c2-435c-9d00-bb4833497c16?source=api-prod",403,{"slug":54,"display_name":7,"profile_url":8,"plugin_count":55,"total_installs":56,"avg_security_score":57,"avg_patch_time_days":58,"trust_score":59,"computed_at":60},"wproyal",9,765700,89,112,71,"2026-04-04T06:01:22.786Z",[],{"attackSurface":63,"codeSignals":137,"taintFlows":172,"riskAssessment":173,"analyzedAt":183},{"hooks":64,"ajaxHandlers":112,"restRoutes":133,"shortcodes":134,"cronEvents":135,"entryPointCount":136,"unprotectedCount":13},[65,71,75,79,83,88,92,96,100,103,108],{"type":66,"name":67,"callback":68,"file":69,"line":70},"action","admin_init","init","ashe-extra.php",24,{"type":66,"name":72,"callback":73,"file":69,"line":74},"admin_menu","ashextra_options_page",26,{"type":66,"name":76,"callback":77,"file":69,"line":78},"admin_enqueue_scripts","ashextra_widget_enqueue_scripts",35,{"type":66,"name":80,"callback":81,"file":69,"line":82},"load-importer-wordpress","on_load",40,{"type":84,"name":85,"callback":86,"file":69,"line":87},"filter","wp_import_post_meta","on_wp_import_post_meta",41,{"type":84,"name":89,"callback":90,"file":69,"line":91},"wxr_importer.pre_process.post_meta","on_wxr_importer_pre_process_post_meta",42,{"type":84,"name":93,"callback":94,"priority":40,"file":69,"line":95},"wp_import_post_data_processed","pre_post_data",45,{"type":84,"name":97,"callback":98,"priority":40,"file":69,"line":99},"wxr_importer.pre_process.post","pre_process_post",47,{"type":84,"name":97,"callback":101,"priority":40,"file":69,"line":102},"fix_image_duplicate_issue",48,{"type":84,"name":104,"callback":105,"file":106,"line":107},"import_post_meta_key","is_valid_meta_key","includes\\importers\\wxr-importer.ph
p",321,{"type":84,"name":109,"callback":110,"file":106,"line":111},"http_request_timeout","bump_request_timeout",322,[113,118,121,124,127,130],{"action":114,"nopriv":115,"callback":114,"hasNonce":116,"hasCapCheck":116,"file":69,"line":117},"ashextra_contact_from_7_activation",false,true,28,{"action":119,"nopriv":115,"callback":119,"hasNonce":116,"hasCapCheck":116,"file":69,"line":120},"ashextra_instagram_feed_activation",29,{"action":122,"nopriv":115,"callback":122,"hasNonce":116,"hasCapCheck":116,"file":69,"line":123},"ashextra_mailchimp_newsletter_activation",30,{"action":125,"nopriv":115,"callback":125,"hasNonce":116,"hasCapCheck":116,"file":69,"line":126},"ashextra_recent_posts_activation",31,{"action":128,"nopriv":115,"callback":128,"hasNonce":116,"hasCapCheck":116,"file":69,"line":129},"ashextra_royal_elementor_addons_activation",33,{"action":131,"nopriv":115,"callback":131,"hasNonce":116,"hasCapCheck":116,"file":69,"line":132},"ashextra_import_xml",51,[],[],[],6,{"dangerousFunctions":138,"sqlUsage":139,"outputEscaping":147,"fileOperations":136,"externalRequests":169,"nonceChecks":170,"capabilityChecks":170,"bundledLibraries":171},[],{"prepared":140,"raw":22,"locations":141},5,[142,145],{"file":106,"line":143,"context":144},2127,"$wpdb->get_results() with variable interpolation",{"file":106,"line":146,"context":144},2178,{"escaped":140,"rawEcho":55,"locations":148},[149,152,154,156,158,160,162,164,167],{"file":69,"line":150,"context":151},180,"raw output",{"file":69,"line":153,"context":151},189,{"file":69,"line":155,"context":151},198,{"file":69,"line":157,"context":151},207,{"file":69,"line":159,"context":151},216,{"file":69,"line":161,"context":151},225,{"file":69,"line":163,"context":151},415,{"file":165,"line":166,"context":151},"includes\\importers\\logger.php",159,{"file":165,"line":168,"context":151},166,1,7,[],[],{"summary":174,"deductions":175},"The \"ashe-extra\" v1.3 plugin exhibits a mixed security posture.  
On the positive side, the static analysis reveals a complete absence of critical or high-severity issues within the analyzed code: there are no dangerous functions and no unsanitized taint flows, and all identified AJAX handlers and shortcodes have authorization checks.  The plugin also demonstrates good practices with nonce checks and capability checks on all identified entry points.  However, there are notable areas for improvement.  The output escaping is only properly implemented in 36% of cases, indicating a risk of Cross-Site Scripting (XSS) vulnerabilities if user-supplied data is output directly without escaping.  While the SQL queries are predominantly prepared, 29% are not, posing a potential SQL injection risk in those specific instances.  The vulnerability history is a significant concern, with two known medium-severity CVEs, both related to Missing Authorization.  The fact that both are now patched is positive, but the recurring nature of authorization flaws suggests a persistent weakness in how user permissions are handled in certain plugin functionalities.  
Overall, while the current code shows improvements in immediate attack surface protection, the historical vulnerability patterns and less-than-ideal output escaping and SQL preparation practices warrant caution.",[176,179,181],{"reason":177,"points":178},"Output escaping is poorly implemented (36%)",8,{"reason":180,"points":140},"SQL queries not always prepared (29%)",{"reason":182,"points":40},"History of medium severity CVEs (2)","2026-03-16T18:23:40.931Z",{"wat":185,"direct":197},{"assetPaths":186,"generatorPatterns":193,"scriptPaths":194,"versionParams":195},[187,188,189,190,191,192],"\u002Fwp-content\u002Fplugins\u002Fashe-extra\u002Fassets\u002Fimages\u002Fcf7.png","\u002Fwp-content\u002Fplugins\u002Fashe-extra\u002Fassets\u002Fimages\u002Finstagram-feed.png","\u002Fwp-content\u002Fplugins\u002Fashe-extra\u002Fassets\u002Fimages\u002Fmailchimp.png","\u002Fwp-content\u002Fplugins\u002Fashe-extra\u002Fassets\u002Fimages\u002Frecent-posts.png","\u002Fwp-content\u002Fplugins\u002Fashe-extra\u002Fassets\u002Fimages\u002Froyal-elementor-addons.png","\u002Fwp-content\u002Fplugins\u002Fashe-extra\u002Fassets\u002Fjs\u002Fadmin-scripts.js",[],[192],[196],"ashe-extra\u002Fassets\u002Fjs\u002Fadmin-scripts.js?ver=",{"cssClasses":198,"htmlComments":205,"htmlAttributes":206,"restEndpoints":211,"jsGlobals":214,"shortcodeOutput":217},[199,200,201,202,203,204],"extra-options-page-wrap","extra-options","ashextra-plugin-activation","plugin-box","after-import-notice","visit-website",[],[207,208,209,210],"id=\"contact_from_7\"","id=\"instagram_feed\"","id=\"mailchimp_newsletter\"","id=\"recent_posts\"",[212,213],"\u002Fwp-json\u002Fashextra\u002Fv1\u002Fimport","\u002Fwp-json\u002Fashextra\u002Fv1\u002Fdemo-content",[215,216]," AsheExtra","ashe_extra_ajax_obj",[]]