[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fEsNfrm7JOtaco6MmfNQVnkuaLAWH57_SjYGydzBi_ZQ":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":11,"last_updated":13,"tested_up_to":14,"requires_at_least":15,"requires_php":16,"tags":17,"homepage":13,"download_link":18,"security_score":19,"vuln_count":20,"unpatched_count":11,"last_vuln_date":21,"fetched_at":22,"vulnerabilities":23,"developer":38,"crawl_stats":29,"alternatives":43,"analysis":44,"fingerprints":93},"bfg-tools-extension-zipper","BFG Tools – Extension Zipper","1.0.8","Joby Franczek","https:\u002F\u002Fprofiles.wordpress.org\u002Fthebaldfatguy\u002F","\u003Cp>The \u003Cstrong>BFG Tools – Extension Zipper\u003C\u002Fstrong> lets you create on-demand ZIP files of any installed WordPress plugin directly from the admin dashboard.\u003Cbr \u002F>\nPerfect for backups, migrating plugins between sites, sending code to a developer, or archiving a working version before updates.\u003C\u002Fp>\n\u003Cp>All ZIP files are generated safely using PHP’s ZipArchive and saved to \u003Ccode>\u002Fwp-content\u002Fuploads\u002Fextension-zips\u002F\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cp>Learn more or get support here:\u003Cbr \u002F>\nhttps:\u002F\u002Fthebaldfatguy.com\u002Fwordpress-plugins\u002Fextension-zipper\u002F\u003C\u002Fp>\n\u003Ch3>Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Lists every installed plugin with a “Create ZIP” button \u003C\u002Fli>\n\u003Cli>Saves ZIPs to a safe writable directory (\u003Ccode>uploads\u002Fextension-zips\u003C\u002Fcode>) \u003C\u002Fli>\n\u003Cli>Automatically names ZIPs using plugin name + version \u003C\u002Fli>\n\u003Cli>Includes a download link for the latest build \u003C\u002Fli>\n\u003Cli>Skips junk files (node_modules, .git, .DS_Store, vendor\u002Fbin, logs, etc.) \u003C\u002Fli>\n\u003Cli>Fully WP-org guideline compatible (unique prefix, safe path handling, nonces, etc.)\u003C\u002Fli>\n\u003C\u002Ful>\n","A clean, reliable way to package any installed plugin into a ZIP file directly inside WP-Admin.",0,189,"","6.9.4","6.0","7.4",[],"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbfg-tools-extension-zipper.1.0.8.zip",99,1,"2026-02-13 14:25:30","2026-03-15T10:48:56.248Z",[24],{"id":25,"url_slug":26,"title":27,"description":28,"plugin_slug":4,"theme_slug":29,"affected_versions":30,"patched_in_version":6,"severity":31,"cvss_score":32,"cvss_vector":33,"vuln_type":34,"published_date":21,"updated_date":35,"references":36,"days_to_patch":20},"CVE-2025-13681","bfg-tools-extension-zipper-authenticated-administrator-path-traversal-via-firstfile-parameter","BFG Tools – Extension Zipper \u003C= 1.0.7 - Authenticated (Administrator+) Path Traversal via 'first_file' Parameter","The BFG Tools – Extension Zipper plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.7. This is due to insufficient input validation on the user-supplied `first_file` parameter in the `zip()` function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files and directories outside the intended `\u002Fwp-content\u002Fplugins\u002F` directory, which can contain sensitive information such as wp-config.php.",null,"\u003C=1.0.7","medium",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-02-14 03:25:27",[37],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5bd95df9-4355-4d57-ba44-59280463e284?source=api-prod",{"slug":39,"display_name":7,"profile_url":8,"plugin_count":40,"total_installs":11,"avg_security_score":41,"avg_patch_time_days":20,"trust_score":41,"computed_at":42},"thebaldfatguy",2,100,"2026-04-05T15:00:50.455Z",[],{"attackSurface":45,"codeSignals":68,"taintFlows":91,"riskAssessment":29,"analyzedAt":92},{"hooks":46,"ajaxHandlers":64,"restRoutes":65,"shortcodes":66,"cronEvents":67,"entryPointCount":11,"unprotectedCount":11},[47,53,56,60],{"type":48,"name":49,"callback":50,"file":51,"line":52},"action","admin_menu","bfgtoexz_tools_register_menu","bfg-tools-extension-zipper.php",116,{"type":48,"name":49,"callback":54,"file":51,"line":55},"menu",131,{"type":48,"name":57,"callback":58,"file":51,"line":59},"admin_post_bfgtoexz_zip","zip",132,{"type":48,"name":61,"callback":62,"file":51,"line":63},"admin_notices","notice",134,[],[],[],[],{"dangerousFunctions":69,"sqlUsage":70,"outputEscaping":72,"fileOperations":11,"externalRequests":11,"nonceChecks":20,"capabilityChecks":89,"bundledLibraries":90},[],{"prepared":11,"raw":11,"locations":71},[],{"escaped":73,"rawEcho":74,"locations":75},38,6,[76,79,81,83,85,87],{"file":51,"line":77,"context":78},95,"raw output",{"file":51,"line":80,"context":78},112,{"file":51,"line":82,"context":78},202,{"file":51,"line":84,"context":78},205,{"file":51,"line":86,"context":78},207,{"file":51,"line":88,"context":78},209,4,[],[],"2026-03-17T06:01:32.530Z",{"wat":94,"direct":103},{"assetPaths":95,"generatorPatterns":98,"scriptPaths":99,"versionParams":100},[96,97],"\u002Fwp-content\u002Fplugins\u002Fbfg-tools-extension-zipper\u002Fcss\u002Fstyle.css","\u002Fwp-content\u002Fplugins\u002Fbfg-tools-extension-zipper\u002Fjs\u002Fscript.js",[],[97],[101,102],"bfg-tools-extension-zipper\u002Fcss\u002Fstyle.css?ver=","bfg-tools-extension-zipper\u002Fjs\u002Fscript.js?ver=",{"cssClasses":104,"htmlComments":105,"htmlAttributes":110,"restEndpoints":112,"jsGlobals":113,"shortcodeOutput":117},[],[106,107,108,109],"\u003C!-- A unique, prefixed hub slug for this plugin’s top-level menu -->","\u003C!-- Top-level “BFG Tools” hub (guarded + prefixed) -->","\u003C!-- Extension Zipper (prefixed, i18n fixed, safer paths) -->","\u003C!-- Canonical constants (reviewer request: determine locations via helpers) -->",[111],"data-nonce=\"bfgtoexz_nonce\"",[],[114,50,115,116],"BFGTOEXZ_HUB_SLUG","bfgtoexz_tools_render_hub","BFGTOEXZ_Extension_Zipper",[]]