[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f60k6I-sAd5avHdKtowyLq-iv3lARuIqcm06UzEfqZxQ":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":23,"download_link":24,"security_score":25,"vuln_count":13,"unpatched_count":13,"last_vuln_date":26,"fetched_at":27,"vulnerabilities":28,"developer":29,"crawl_stats":26,"alternatives":36,"analysis":139,"fingerprints":227},"back-to-the-theme","Back To The Theme","1.2.0","Mikael Korpela","https:\u002F\u002Fprofiles.wordpress.org\u002Fsimison\u002F","\u003Cp>A tool to observe how a page loads in different themes simultaneously.\u003Cbr \u002F>\nUseful for debugging plugins or Gutenberg blocks.\u003C\u002Fp>\n\u003Cp>How to Use:\u003C\u002Fp>\n\u003Col>\n\u003Cli>Install several themes you’d like to check out.\u003C\u002Fli>\n\u003Cli>Create a new page.\u003C\u002Fli>\n\u003Cli>Navigate to \u003Cem>Tools\u003C\u002Fem> \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> \u003Cem>Back To The Theme\u003C\u002Fem>\u003C\u002Fli>\n\u003Cli>Choose if you want to demo editor- or view side.\u003C\u002Fli>\n\u003Cli>Select the themes you’d like to check out.\u003C\u002Fli>\n\u003Cli>Choose the page you just created. 
This page will be previewed with all the themes you’ve selected.\u003C\u002Fli>\n\u003Cli>Click \u003Cem>Do it!\u003C\u002Fem>.\u003C\u002Fli>\n\u003Cli>Scroll to see the page rendered with all the themes you selected.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>You’ll see your page load with different themes in a bunch of iframes for handy preview and debugging.\u003C\u002Fp>\n\u003Cp>A nice list of popular themes to test:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>`\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>wp theme install \\\u003Cbr \u002F>\n  astra \\\u003Cbr \u002F>\n  colormag \\\u003Cbr \u002F>\n  customizr \\\u003Cbr \u002F>\n  generatepress \\\u003Cbr \u002F>\n  hestia \\\u003Cbr \u002F>\n  hueman \\\u003Cbr \u002F>\n  oceanwp \\\u003Cbr \u002F>\n  shapely \\\u003Cbr \u002F>\n  storefront \\\u003Cbr \u002F>\n  sydney \\\u003Cbr \u002F>\n  twentyeleven \\\u003Cbr \u002F>\n  twentyfifteen \\\u003Cbr \u002F>\n  twentyfourteen \\\u003Cbr \u002F>\n  twentynineteen \\\u003Cbr \u002F>\n  twentyseventeen \\\u003Cbr \u002F>\n  twentysixteen \\\u003Cbr \u002F>\n  twentyten \\\u003Cbr \u002F>\n  twentythirteen \\\u003Cbr \u002F>\n  twentytwelve \\\u003Cbr \u002F>\n  vantage\u003Cbr \u002F>\n    `\u003C\u002Fp>\n\u003Cp>See docs for \u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Fcli\u002Fcommands\u002Ftheme\u002Finstall\u002F\" rel=\"nofollow ugc\">wp theme install\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fsimison\u002Fback-to-the-theme\" rel=\"nofollow ugc\">Plugin’s source code on GitHub\u003C\u002Fa>.\u003C\u002Fp>\n","See a page with different themes all at once, just like 
that!",10,1687,0,"2019-03-01T22:26:00.000Z","5.1.22","4.6","5.6.0",[19,20,21,22],"debug","development","testing","themes","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fback-to-the-theme.zip",85,null,"2026-03-15T15:16:48.613Z",[],{"slug":30,"display_name":7,"profile_url":8,"plugin_count":31,"total_installs":32,"avg_security_score":25,"avg_patch_time_days":33,"trust_score":34,"computed_at":35},"simison",3,20,30,84,"2026-04-04T13:45:10.441Z",[37,57,78,102,122],{"slug":38,"name":39,"version":40,"author":41,"author_profile":42,"description":43,"short_description":44,"active_installs":45,"downloaded":46,"rating":47,"num_ratings":48,"last_updated":49,"tested_up_to":17,"requires_at_least":50,"requires_php":51,"tags":52,"homepage":55,"download_link":56,"security_score":25,"vuln_count":13,"unpatched_count":13,"last_vuln_date":26,"fetched_at":27},"sf-adminbar-tools","Admin Bar Tools","4.0","Grégory Viguier","https:\u002F\u002Fprofiles.wordpress.org\u002Fgreglone\u002F","\u003Cp>The plugin adds a new tab in your admin bar with simple but useful indications and tools.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Displays the number of queries in your page and the amount of time to generate the page.\u003C\u002Fli>\n\u003Cli>Displays the php memory usage and php memory limits (constants \u003Ccode>WP_MEMORY_LIMIT\u003C\u002Fcode> and \u003Ccode>WP_MAX_MEMORY_LIMIT\u003C\u002Fcode>).\u003C\u002Fli>\n\u003Cli>displays the php version and WP version.\u003C\u002Fli>\n\u003Cli>Displays \u003Ccode>WP_DEBUG\u003C\u002Fcode>, \u003Ccode>SCRIPT_DEBUG\u003C\u002Fcode>, \u003Ccode>WP_DEBUG_LOG\u003C\u002Fcode>, \u003Ccode>WP_DEBUG_DISPLAY\u003C\u002Fcode>, and error reporting values.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>In your site front-end:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Lists the template and all template parts used in the current page (template parts added with \u003Ccode>get_template_part()\u003C\u002Fcode>). 
Compatible with WooCommerce’s templates.\u003C\u002Fli>\n\u003Cli>\u003Ccode>$wp_query\u003C\u002Fcode>: this will open a lightbox displaying the content of \u003Ccode>$wp_query\u003C\u002Fcode>. Click the lightbox title to reload the value, click outside the lightbox to close it.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>In your site administration:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Admin hooks: lists some often-used hooks (like \u003Ccode>admin_init\u003C\u002Fcode>). The indicator to the right of the line tells you how many times the hook has been triggered by a callback. A “P” means the hook has a parameter: hover it for more details. Click a hook (on its text) to auto-select its code, for example: click \u003Cem>admin_init\u003C\u002Fem> to select \u003Ccode>add_action( 'admin_init', '' );\u003C\u002Fcode>.\u003C\u002Fli>\n\u003Cli>\u003Ccode>$current_screen\u003C\u002Fcode>: displays the value of 4 properties of this object: \u003Ccode>id\u003C\u002Fcode>, \u003Ccode>base\u003C\u002Fcode>, \u003Ccode>parent_base\u003C\u002Fcode>, \u003Ccode>parent_file\u003C\u002Fcode>.\u003C\u002Fli>\n\u003Cli>\u003Ccode>$...now\u003C\u002Fcode>: displays the value of the well-known variables \u003Ccode>$pagenow\u003C\u002Fcode>, \u003Ccode>$typenow\u003C\u002Fcode>, and \u003Ccode>$taxnow\u003C\u002Fcode>.\u003C\u002Fli>\n\u003Cli>On a user profile page, \u003Ccode>$userdata\u003C\u002Fcode>: this will open a lightbox displaying the user’s data.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>You can decide who’s gonna use this plugin (go to your profile page for all the settings). This way, the plugin’s items won’t show up to other users (your client for example).\u003Cbr \u002F>\nAlso, a new menu item \u003Ccode>Code Tester\u003C\u002Fcode> will appear. 
There you are able to do some tests with your code.\u003C\u002Fp>\n","Adds some small development tools to the admin bar.",400,15121,96,8,"2021-01-18T16:09:00.000Z","4.7","5.6",[19,20,53,21,54],"query","tests","https:\u002F\u002Fwww.screenfeed.fr\u002Fsf-abt\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsf-adminbar-tools.zip",{"slug":58,"name":59,"version":60,"author":61,"author_profile":62,"description":63,"short_description":64,"active_installs":11,"downloaded":65,"rating":66,"num_ratings":67,"last_updated":68,"tested_up_to":69,"requires_at_least":70,"requires_php":71,"tags":72,"homepage":75,"download_link":76,"security_score":77,"vuln_count":13,"unpatched_count":13,"last_vuln_date":26,"fetched_at":27},"development-assistant","Development Assistant","1.2.10","OMG!PRESS","https:\u002F\u002Fprofiles.wordpress.org\u002Fomgpress\u002F","\u003Cp>Development Assistant is a comprehensive toolkit designed to streamline the development process and enhance support capabilities within WordPress. Whether you’re a seasoned developer or a novice WordPress user, this plugin provides essential functionalities to manage debugging, diagnose issues, and facilitate smoother development workflows.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Debugging Made Easy:\u003C\u002Fstrong> Enable WP_DEBUG, WP_DEBUG_LOG, and WP_DEBUG_DISPLAY modes directly from the WordPress admin panel without the need to manually edit the wp-config.php file. Effortlessly toggle these settings to facilitate efficient debugging and error tracking.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Create Support User in One Click:\u003C\u002Fstrong> Create a support user with a single click to provide temporary access to your WordPress environment. This feature simplifies the process of sharing debugging information with developers or support teams, enabling them to diagnose and resolve issues more effectively. 
You can control after how many days the user will be auto-deleted. After creating a user, you can quickly copy the credentials to the clipboard, or share them via email (optionally adding a message).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Plugin Conflict Resolution:\u003C\u002Fstrong> Simplify the process of identifying and resolving plugin conflicts. Quickly compare the performance of active and inactive plugins, and temporarily disable or enable plugins to isolate issues without disrupting your entire plugin ecosystem.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>SMTP Testing with MailHog:\u003C\u002Fstrong> Seamlessly integrate MailHog for SMTP testing purposes. Verify the functionality of email delivery within your WordPress environment, ensuring reliable communication with users and clients.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Download Plugins:\u003C\u002Fstrong> Download plugins directly from the WordPress admin panel’s plugin view. Streamline your workflow by easily obtaining plugin files for offline storage, manual installation, or testing in other environments and sandboxes. This feature facilitates seamless testing of plugins in various environments, allowing for thorough evaluation and development iterations.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Reset:\u003C\u002Fstrong> Effortlessly undo any changes made by the plugin to restore your WordPress environment to its original state. This feature deletes all plugin settings and data from the database, resets debug constants to their pre-activation states, deletes the debug.log file (if it didn’t exist before activation), and activates any temporarily deactivated plugins.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Who Can Benefit\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Power Developers:\u003C\u002Fstrong> Streamline your development workflow with a comprehensive toolkit tailored for debugging and issue resolution. 
Enhance productivity and efficiency while tackling complex WordPress projects.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Novice Users:\u003C\u002Fstrong> Empower yourself to diagnose and troubleshoot WordPress issues with ease. Quickly share debugging information with developers or support teams to expedite issue resolution and enhance your WordPress experience.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Development Assistant is your go-to solution for simplifying WordPress development tasks and enhancing support capabilities. Whether you’re troubleshooting intricate issues or optimizing your development workflow, this plugin equips you with the tools you need for success.\u003C\u002Fp>\n","Toolkit for debugging and customer support.",2056,60,2,"2025-10-08T01:06:00.000Z","6.8.5","5.0.0","7.4.0",[19,20,73,74,21],"manager","support","https:\u002F\u002Fomgpress.com\u002Fdevelopment-assistant","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdevelopment-assistant.1.2.10.zip",100,{"slug":79,"name":80,"version":81,"author":82,"author_profile":83,"description":84,"short_description":85,"active_installs":86,"downloaded":87,"rating":88,"num_ratings":89,"last_updated":90,"tested_up_to":91,"requires_at_least":92,"requires_php":93,"tags":94,"homepage":97,"download_link":98,"security_score":99,"vuln_count":100,"unpatched_count":13,"last_vuln_date":101,"fetched_at":27},"query-monitor","Query Monitor – The developer tools panel for WordPress","3.20.2","John Blackbourn","https:\u002F\u002Fprofiles.wordpress.org\u002Fjohnbillion\u002F","\u003Cp>Query Monitor is the developer tools panel for WordPress and WooCommerce. It enables debugging of database queries, PHP errors, hooks and actions, block editor blocks, enqueued scripts and stylesheets, HTTP API calls, and more.\u003C\u002Fp>\n\u003Cp>It includes some advanced features such as debugging of Ajax calls, REST API calls, user capability checks, and full support for block themes and full site editing. 
It includes the ability to narrow down much of its output by plugin or theme, allowing you to quickly determine poorly performing plugins, themes, or functions.\u003C\u002Fp>\n\u003Cp>Query Monitor focuses heavily on presenting its information in a useful manner, for example by showing aggregate database queries grouped by the plugins, themes, or functions that are responsible for them. It adds an admin toolbar menu showing an overview of the current page, with complete debugging information shown in panels once you select a menu item.\u003C\u002Fp>\n\u003Cp>Query Monitor supports versions of WordPress up to three years old, and PHP version 7.4 or higher.\u003C\u002Fp>\n\u003Cp>For complete information, please see \u003Ca href=\"https:\u002F\u002Fquerymonitor.com\u002F\" rel=\"nofollow ugc\">the Query Monitor website\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>Here’s an overview of what’s shown for each page load:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Database queries, including notifications for slow, duplicate, or erroneous queries. 
Allows filtering by query type (\u003Ccode>SELECT\u003C\u002Fcode>, \u003Ccode>UPDATE\u003C\u002Fcode>, \u003Ccode>DELETE\u003C\u002Fcode>, etc), responsible component (plugin, theme, WordPress core), and calling function, and provides separate aggregate views for each.\u003C\u002Fli>\n\u003Cli>The template filename, the complete template hierarchy, and names of all template parts that were loaded or not loaded (for block themes and classic themes).\u003C\u002Fli>\n\u003Cli>PHP errors presented nicely along with their responsible component and call stack, and a visible warning in the admin toolbar.\u003C\u002Fli>\n\u003Cli>Usage of “Doing it Wrong” or “Deprecated” functionality in the code on your site.\u003C\u002Fli>\n\u003Cli>Blocks and associated properties within post content and within full site editing (FSE).\u003C\u002Fli>\n\u003Cli>Matched rewrite rules, associated query strings, and query vars.\u003C\u002Fli>\n\u003Cli>Enqueued scripts and stylesheets, along with their dependencies, dependents, and alerts for broken dependencies.\u003C\u002Fli>\n\u003Cli>Language settings and loaded translation files (MO files and JSON files) for each text domain.\u003C\u002Fli>\n\u003Cli>HTTP API requests, with response code, responsible component, and time taken, with alerts for failed or erroneous requests.\u003C\u002Fli>\n\u003Cli>User capability checks, along with the result and any parameters passed to the capability check.\u003C\u002Fli>\n\u003Cli>Environment information, including detailed information about PHP, the database, WordPress, and the web server.\u003C\u002Fli>\n\u003Cli>The values of all WordPress conditional functions such as \u003Ccode>is_single()\u003C\u002Fcode>, \u003Ccode>is_home()\u003C\u002Fcode>, etc.\u003C\u002Fli>\n\u003Cli>Transients that were updated.\u003C\u002Fli>\n\u003Cli>Usage of \u003Ccode>switch_to_blog()\u003C\u002Fcode> and \u003Ccode>restore_current_blog()\u003C\u002Fcode> on Multisite 
installations.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>In addition:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Whenever a redirect occurs, Query Monitor adds an HTTP header containing the call stack, so you can use your favourite HTTP inspector or browser developer tools to trace what triggered the redirect.\u003C\u002Fli>\n\u003Cli>The response from any jQuery-initiated Ajax request on the page will contain various debugging information in its headers. PHP errors also get output to the browser’s developer console.\u003C\u002Fli>\n\u003Cli>The response from an authenticated WordPress REST API request will contain an overview of performance information and PHP errors in its headers, as long as the authenticated user has permission to view Query Monitor’s output. An \u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Frest-api\u002Fusing-the-rest-api\u002Fglobal-parameters\u002F#_envelope\" rel=\"nofollow ugc\">enveloped REST API request\u003C\u002Fa> will include even more debugging information in the \u003Ccode>qm\u003C\u002Fcode> property of the response.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>By default, Query Monitor’s output is only shown to Administrators on single-site installations, and Super Admins on Multisite installations.\u003C\u002Fp>\n\u003Cp>In addition to this, you can set an authentication cookie which allows you to view Query Monitor output when you’re not logged in (or if you’re logged in as a non-Administrator). See the Settings panel for details.\u003C\u002Fp>\n\u003Ch3>Other Plugins\u003C\u002Fh3>\n\u003Cp>I maintain several other plugins for developers. 
Check them out:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fuser-switching\u002F\" rel=\"ugc\">User Switching\u003C\u002Fa> provides instant switching between user accounts in WordPress.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwp-crontrol\u002F\" rel=\"ugc\">WP Crontrol\u003C\u002Fa> lets you view and control what’s happening in the WP-Cron system\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Privacy Statement\u003C\u002Fh3>\n\u003Cp>Query Monitor is private by default and always will be. It does not persistently store any of the data that it collects. It does not send data to any third party, nor does it include any third party resources. \u003Ca href=\"https:\u002F\u002Fquerymonitor.com\u002Fprivacy\u002F\" rel=\"nofollow ugc\">Query Monitor’s full privacy statement can be found here\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>Accessibility Statement\u003C\u002Fh3>\n\u003Cp>Query Monitor aims to be fully accessible to all of its users. 
\u003Ca href=\"https:\u002F\u002Fquerymonitor.com\u002Faccessibility\u002F\" rel=\"nofollow ugc\">Query Monitor’s full accessibility statement can be found here\u003C\u002Fa>.\u003C\u002Fp>\n","Query Monitor is the developer tools panel for WordPress and WooCommerce.",200000,19156533,98,463,"2025-12-11T22:16:00.000Z","6.9.4","6.1","7.4",[19,95,20,96,79],"debug-bar","performance","https:\u002F\u002Fquerymonitor.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquery-monitor.3.20.2.zip",97,1,"2026-03-30 23:21:22",{"slug":103,"name":104,"version":105,"author":106,"author_profile":107,"description":108,"short_description":109,"active_installs":110,"downloaded":111,"rating":77,"num_ratings":112,"last_updated":113,"tested_up_to":114,"requires_at_least":115,"requires_php":23,"tags":116,"homepage":120,"download_link":121,"security_score":25,"vuln_count":13,"unpatched_count":13,"last_vuln_date":26,"fetched_at":27},"monkeyman-rewrite-analyzer","Monkeyman Rewrite Analyzer","1.0","Jan Fabry","https:\u002F\u002Fprofiles.wordpress.org\u002Fjanfabry\u002F","\u003Cp>This is a tool to understand your rewrite rules (“Pretty Permalinks”). It is indispensable if you are adding or modifying rules and want to understand how they work (or why they don’t work).\u003C\u002Fp>\n\u003Cp>It is only an analyzer, it does not change any rules for you. It parses the rules down to their components and shows the connection with the resulting query variables. It allows you to try out different URLs to see which rules will match and what the value of the different query variables will be (see screenshots).\u003C\u002Fp>\n\u003Cp>This plugin was written as a tool to help answering questions about rewrite rules on \u003Ca href=\"http:\u002F\u002Fwordpress.stackexchange.com\u002F\" rel=\"nofollow ugc\">the WordPress Stack Exchange\u003C\u002Fa>.\u003C\u002Fp>\n","Making sense of the rewrite mess. 
Display and play with your rewrite rules.",2000,73356,26,"2011-05-12T17:49:00.000Z","3.2.1","3.0",[19,20,117,118,119],"mod_rewrite","permalinks","rewrite","http:\u002F\u002Fwordpress.stackexchange.com\u002Fq\u002F3606\u002F8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmonkeyman-rewrite-analyzer.1.0.zip",{"slug":123,"name":124,"version":125,"author":126,"author_profile":127,"description":128,"short_description":129,"active_installs":130,"downloaded":131,"rating":77,"num_ratings":48,"last_updated":132,"tested_up_to":133,"requires_at_least":134,"requires_php":23,"tags":135,"homepage":23,"download_link":138,"security_score":25,"vuln_count":13,"unpatched_count":13,"last_vuln_date":26,"fetched_at":27},"monster-widget","Monster Widget","0.3","Automattic","https:\u002F\u002Fprofiles.wordpress.org\u002Fautomattic\u002F","\u003Cp>The Monster widget consolidates all 13 core widgets into a single widget enabling theme developers to create multiple instances with ease. It has been created to save time during theme development and review by minimizing the steps needed to populate a sidebar with widgets. 
The Monster widget is not designed for use in production.\u003C\u002Fp>\n","Provides a quick and easy method of adding all core widgets to a sidebar for testing purposes.",1000,160640,"2017-11-10T15:47:00.000Z","4.9.29","3.2.0",[19,136,137],"theme-development","widget","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmonster-widget.zip",{"attackSurface":140,"codeSignals":172,"taintFlows":189,"riskAssessment":219,"analyzedAt":226},{"hooks":141,"ajaxHandlers":168,"restRoutes":169,"shortcodes":170,"cronEvents":171,"entryPointCount":13,"unprotectedCount":13},[142,147,151,156,160,164],{"type":143,"name":144,"callback":145,"file":146,"line":48},"action","admin_menu","add_menu","class.back-to-the-theme.php",{"type":143,"name":148,"callback":149,"file":146,"line":150},"admin_enqueue_scripts","register_assets",9,{"type":152,"name":153,"callback":154,"file":146,"line":155},"filter","template","switch_template",14,{"type":152,"name":157,"callback":158,"file":146,"line":159},"stylesheet","switch_stylesheet",15,{"type":152,"name":161,"callback":162,"file":146,"line":163},"show_admin_bar","__return_false",18,{"type":143,"name":165,"callback":166,"file":167,"line":159},"plugins_loaded","init","index.php",[],[],[],[],{"dangerousFunctions":173,"sqlUsage":174,"outputEscaping":176,"fileOperations":13,"externalRequests":13,"nonceChecks":100,"capabilityChecks":13,"bundledLibraries":188},[],{"prepared":13,"raw":13,"locations":175},[],{"escaped":159,"rawEcho":177,"locations":178},4,[179,182,184,186],{"file":146,"line":180,"context":181},146,"raw output",{"file":146,"line":183,"context":181},159,{"file":146,"line":185,"context":181},191,{"file":146,"line":187,"context":181},253,[],[190,209],{"entryPoint":191,"graph":192,"unsanitizedCount":13,"severity":208},"render_previews (class.back-to-the-theme.php:117)",{"nodes":193,"edges":205},[194,199],{"id":195,"type":196,"label":197,"file":146,"line":198},"n0","source","$_POST 
(x2)",142,{"id":200,"type":201,"label":202,"file":146,"line":203,"wp_function":204},"n1","sink","echo() [XSS]",164,"echo",[206],{"from":195,"to":200,"sanitized":207},true,"low",{"entryPoint":210,"graph":211,"unsanitizedCount":13,"severity":208},"\u003Cclass.back-to-the-theme> (class.back-to-the-theme.php:0)",{"nodes":212,"edges":217},[213,216],{"id":195,"type":196,"label":214,"file":146,"line":215},"$_GET (x3)",73,{"id":200,"type":201,"label":202,"file":146,"line":180,"wp_function":204},[218],{"from":195,"to":200,"sanitized":207},{"summary":220,"deductions":221},"The \"back-to-the-theme\" v1.2.0 plugin exhibits a generally strong security posture based on the provided static analysis. The absence of any reported CVEs, coupled with the analysis indicating zero AJAX handlers, REST API routes, shortcodes, or cron events, suggests a minimal attack surface. Furthermore, the code demonstrates good practices with 100% of SQL queries using prepared statements and a high percentage (79%) of output being properly escaped. The presence of a nonce check is also a positive indicator for security awareness.\n\nHowever, a critical weakness identified is the complete lack of capability checks for any operations. While the current entry points might not be exploitable without them, this is a significant oversight that leaves any future additions or modifications vulnerable to unauthorized access if authentication and authorization are not explicitly implemented. The taint analysis, although limited in scope with only two flows analyzed, did not reveal any critical or high-severity unsanitized paths, which is reassuring.\n\nGiven the plugin's history of zero vulnerabilities and the limited attack surface, the overall risk appears low. Nevertheless, the absence of capability checks is a fundamental security gap that could pose a future risk. 
The strength lies in the absence of known vulnerabilities and the use of prepared statements, while the primary weakness is the potential for unauthorized access due to missing capability checks.",[222,224],{"reason":223,"points":159},"Missing capability checks",{"reason":225,"points":177},"79% output properly escaped, but 21% not","2026-03-17T00:35:25.115Z",{"wat":228,"direct":235},{"assetPaths":229,"generatorPatterns":231,"scriptPaths":232,"versionParams":233},[230],"\u002Fwp-content\u002Fplugins\u002Fback-to-the-theme\u002Fback-to-the-theme.css",[],[],[234],"back-to-the-theme\u002Fback-to-the-theme.css?ver=",{"cssClasses":236,"htmlComments":239,"htmlAttributes":240,"restEndpoints":246,"jsGlobals":247,"shortcodeOutput":248},[237,238],"back-to-the-theme-container","back-to-the-theme-preview",[],[241,242,243,244,245],"name=\"back-to-the-theme-side\"","name=\"back-to-the-theme-post-id\"","id=\"back-to-the-theme-post-id\"","name=\"back_to_the_theme[]\"","name=\"back-to-the-theme-hide-admin-bar\"",[],[],[]]