[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fRqFBj1dbQJWHInVLs7IV93r5PXC5dxh0rV3O7JS7oQw":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":17,"tags":18,"homepage":17,"download_link":19,"security_score":20,"vuln_count":21,"unpatched_count":21,"last_vuln_date":22,"fetched_at":23,"vulnerabilities":24,"developer":25,"crawl_stats":22,"alternatives":32,"analysis":33,"fingerprints":116},"broken-image-checker","Broken Image Checker","2.0","saurav.rox","https:\u002F\u002Fprofiles.wordpress.org\u002Fsauravrox\u002F","\u003Cp>Easily checks the featured image of any post types. It also shows the post-type of the corresponding post. Further more, it shows post status and shows the message if the featured image of any post is not found. No message means featured image is valid and fine.\u003Cbr \u002F>\nYou can also filter the posts according to author name.\u003C\u002Fp>\n","Checks the featured image of any of the post types if they are broken or 
not.",10,3401,74,3,"2016-03-06T09:00:00.000Z","4.4.34","",[],"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbroken-image-checker.zip",85,0,null,"2026-03-15T15:16:48.613Z",[],{"slug":26,"display_name":7,"profile_url":8,"plugin_count":27,"total_installs":28,"avg_security_score":20,"avg_patch_time_days":29,"trust_score":30,"computed_at":31},"sauravrox",4,90,30,84,"2026-04-04T13:10:53.347Z",[],{"attackSurface":34,"codeSignals":54,"taintFlows":74,"riskAssessment":102,"analyzedAt":115},{"hooks":35,"ajaxHandlers":50,"restRoutes":51,"shortcodes":52,"cronEvents":53,"entryPointCount":21,"unprotectedCount":21},[36,42,46],{"type":37,"name":38,"callback":39,"file":40,"line":41},"action","plugins_loaded","bic_load_textdomain","broken-image-checker.php",41,{"type":37,"name":43,"callback":44,"file":40,"line":45},"admin_enqueue_scripts","bic_load_plugin_css",55,{"type":37,"name":47,"callback":48,"file":40,"line":49},"admin_menu","bic_register_menu_page",67,[],[],[],[],{"dangerousFunctions":55,"sqlUsage":56,"outputEscaping":58,"fileOperations":21,"externalRequests":21,"nonceChecks":21,"capabilityChecks":21,"bundledLibraries":73},[],{"prepared":21,"raw":21,"locations":57},[],{"escaped":59,"rawEcho":60,"locations":61},1,6,[62,65,67,69,71,72],{"file":40,"line":63,"context":64},87,"raw output",{"file":40,"line":66,"context":64},105,{"file":40,"line":68,"context":64},115,{"file":40,"line":70,"context":64},122,{"file":40,"line":70,"context":64},{"file":40,"line":70,"context":64},[],[75,93],{"entryPoint":76,"graph":77,"unsanitizedCount":59,"severity":92},"bic_function (broken-image-checker.php:75)",{"nodes":78,"edges":89},[79,84],{"id":80,"type":81,"label":82,"file":40,"line":83},"n0","source","$_GET",95,{"id":85,"type":86,"label":87,"file":40,"line":66,"wp_function":88},"n1","sink","echo() [XSS]","echo",[90],{"from":80,"to":85,"sanitized":91},false,"medium",{"entryPoint":94,"graph":95,"unsanitizedCount":59,"severity":101},"\u003Cbroken-image-checker> 
(broken-image-checker.php:0)",{"nodes":96,"edges":99},[97,98],{"id":80,"type":81,"label":82,"file":40,"line":83},{"id":85,"type":86,"label":87,"file":40,"line":66,"wp_function":88},[100],{"from":80,"to":85,"sanitized":91},"low",{"summary":103,"deductions":104},"The 'broken-image-checker' plugin version 2.0 demonstrates a generally good security posture with no known vulnerabilities in its history and a clean record regarding dangerous functions, SQL queries, file operations, and external HTTP requests. The static analysis also shows no identified attack surface through AJAX, REST API, shortcodes, or cron events, and no critical or high-severity taint flows. This indicates that the plugin developers have implemented several key security best practices.\n\nHowever, there are significant concerns. The extremely low percentage of properly escaped output (1 escaped versus 6 raw echo statements, about 14%) is a major red flag. This suggests a high likelihood of cross-site scripting (XSS) vulnerabilities, where user-supplied data could be written into the page without proper escaping, leading to potential unauthorized actions or data theft. Furthermore, no nonce checks or capability checks were found in the plugin. Although the scan counted zero AJAX, REST, shortcode, or cron entry points, this suggests a potential oversight: if any entry points were to be discovered or introduced in future versions, they might be left unprotected. The taint analysis, while not reporting critical or high severity, did reveal unsanitized paths in all analyzed flows: both trace $_GET (broken-image-checker.php line 95) to an echo at line 105, rated medium and low severity respectively. Escaping that value at output with a context-appropriate function such as esc_html() or esc_attr() would close this path, and it warrants further investigation.\n\nIn conclusion, while the plugin avoids common pitfalls like raw SQL and has no known CVEs, the severe lack of output escaping presents a substantial risk. The absence of explicit nonce and capability checks (CSRF protection and authorization), coupled with the presence of unsanitized paths in taint flows, indicates areas for improvement. 
The plugin's strength lies in its lack of historical vulnerabilities and its avoidance of direct code execution risks, but the output escaping issue significantly lowers its overall security score. Because the plugin was last updated in 2016 and is tested only up to WordPress 4.4.34, the absence of recorded vulnerabilities may reflect limited scrutiny rather than verified safety.",[105,108,110,113],{"reason":106,"points":107},"Low output escaping percentage",15,{"reason":109,"points":11},"Unsanitized paths in taint flows",{"reason":111,"points":112},"No nonce checks on entry points",5,{"reason":114,"points":112},"No capability checks on entry points","2026-03-17T01:20:55.495Z",{"wat":117,"direct":126},{"assetPaths":118,"generatorPatterns":121,"scriptPaths":122,"versionParams":123},[119,120],"\u002Fwp-content\u002Fplugins\u002Fbroken-image-checker\u002Fassets\u002Fbic-style.css","\u002Fwp-content\u002Fplugins\u002Fbroken-image-checker\u002Fassets\u002Fbic-custom.js",[],[120],[124,125],"broken-image-checker\u002Fassets\u002Fbic-style.css?ver=","broken-image-checker\u002Fassets\u002Fbic-custom.js?ver=",{"cssClasses":127,"htmlComments":130,"htmlAttributes":131,"restEndpoints":135,"jsGlobals":136,"shortcodeOutput":137},[128,129],"bic-plugin-header","bic-table",[],[132,133,134],"id=\"foo\"","name=\"myselect\"","onchange=\"self.location=self.location+'&idx='+this.value\"",[],[],[]]