[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fQUg0jFp54NkrLkVKOe93SgpBGoJVhVSpeW356hAwaB8":3},{"slug":4,"name":5,"version":6,"author":5,"author_profile":7,"description":8,"short_description":9,"active_installs":10,"downloaded":11,"rating":12,"num_ratings":12,"last_updated":13,"tested_up_to":14,"requires_at_least":15,"requires_php":16,"tags":17,"homepage":22,"download_link":23,"security_score":24,"vuln_count":25,"unpatched_count":12,"last_vuln_date":26,"fetched_at":27,"vulnerabilities":28,"developer":112,"crawl_stats":34,"alternatives":118,"analysis":205,"fingerprints":474},"canto","Canto","3.1.1","https:\u002F\u002Fprofiles.wordpress.org\u002Fflightbycanto\u002F","\u003Cp>Simplify collaboration: Publish media from Canto to WordPress. Browse\u002Fsearch your library directly. Inserted images save to WordPress.\u003C\u002Fp>\n","Find & publish creative assets to WordPress easily, no email or folder search needed, with Canto's digital asset management.",100,14826,0,"2025-12-23T05:35:00.000Z","6.8.5","5.0","",[4,18,19,20,21],"dam","digital-asset-management","file-storage","photo-library","https:\u002F\u002Fwww.canto.com\u002Fintegrations\u002Fwordpress\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcanto.3.1.1.zip",89,7,"2024-06-13 15:59:14","2026-03-15T15:16:48.613Z",[29,45,57,69,84,93,102],{"id":30,"url_slug":31,"title":32,"description":33,"plugin_slug":4,"theme_slug":34,"affected_versions":35,"patched_in_version":36,"severity":37,"cvss_score":38,"cvss_vector":39,"vuln_type":40,"published_date":26,"updated_date":41,"references":42,"days_to_patch":44},"CVE-2024-4936","canto-unauthenticated-remote-file-inclusion","Canto \u003C= 3.0.8 - Unauthenticated Remote File Inclusion","The Canto plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 3.0.8 via the abspath parameter. This makes it possible for unauthenticated attackers to include remote files on the server, resulting in code execution. 
This required allow_url_include to be enabled on the target site in order to exploit.",null,"\u003C=3.0.8","3.0.9","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Control of Filename for Include\u002FRequire Statement in PHP Program ('PHP Remote File Inclusion')","2024-07-01 13:33:10",[43],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F95a68ae0-36da-499b-a09d-4c91db8aa338?source=api-prod",18,{"id":46,"url_slug":47,"title":48,"description":49,"plugin_slug":4,"theme_slug":34,"affected_versions":50,"patched_in_version":51,"severity":37,"cvss_score":38,"cvss_vector":39,"vuln_type":40,"published_date":52,"updated_date":53,"references":54,"days_to_patch":56},"CVE-2024-25096","canto-remote-file-inclusion-to-code-execution","Canto \u003C= 3.0.6 - Remote File Inclusion to Code Execution","The Canto plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.0.6 via the 'abspath' parameter. This is due to the use of the include_once statement on the parameter allowing remote file inclusion. This makes it possible for unauthenticated attackers to execute code on the server.","\u003C=3.0.6","3.0.7","2024-02-12 00:00:00","2024-04-12 19:00:18",[55],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Faa080b36-01ce-496a-9938-9715f0131e29?source=api-prod",61,{"id":58,"url_slug":59,"title":60,"description":61,"plugin_slug":4,"theme_slug":34,"affected_versions":62,"patched_in_version":63,"severity":37,"cvss_score":38,"cvss_vector":39,"vuln_type":40,"published_date":64,"updated_date":65,"references":66,"days_to_patch":68},"CVE-2023-3452","canto-unauthenticated-remote-file-inclusion-2","Canto \u003C= 3.0.4 - Unauthenticated Remote File Inclusion","The Canto plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and including, 3.0.4 via the 'wp_abspath' parameter. 
This allows unauthenticated attackers to include and execute arbitrary remote code on the server, provided that allow_url_include is enabled. Local File Inclusion is also possible, albeit less useful because it requires that the attacker be able to upload a malicious php file via FTP or some other means into a directory readable by the web server.","\u003C=3.0.4","3.0.5","2023-08-09 00:00:00","2024-01-22 19:56:02",[67],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa76077c6-700a-4d21-a930-b0d6455d959c?source=api-prod",167,{"id":70,"url_slug":71,"title":72,"description":73,"plugin_slug":4,"theme_slug":34,"affected_versions":74,"patched_in_version":75,"severity":76,"cvss_score":77,"cvss_vector":78,"vuln_type":79,"published_date":80,"updated_date":65,"references":81,"days_to_patch":83},"CVE-2020-28976","canto-blind-server-side-request-forgery-via-detailphp","Canto \u003C= 1.9.0 - Blind Server-Side Request Forgery via detail.php","The Canto plugin 1.9.0 for WordPress contains a blind SSRF vulnerability. 
It allows an unauthenticated attacker to make a request to any internal and external server via \u002Fincludes\u002Flib\u002Fdetail.php?subdomain=SSRF.","\u003C=1.9.0","2.0.1","high",8.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:L","Server-Side Request Forgery (SSRF)","2020-12-04 00:00:00",[82],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5781420d-b1e0-435f-8bf2-193cc7b095ed?source=api-prod",1145,{"id":85,"url_slug":86,"title":87,"description":88,"plugin_slug":4,"theme_slug":34,"affected_versions":74,"patched_in_version":75,"severity":76,"cvss_score":77,"cvss_vector":78,"vuln_type":79,"published_date":89,"updated_date":65,"references":90,"days_to_patch":92},"CVE-2020-24063","canto-blind-server-side-request-forgery-via-downloadphp","Canto \u003C= 1.9.0 - Blind Server-Side Request Forgery via download.php","The Canto plugin 2.1.1 for WordPress allows includes\u002Flib\u002Fdownload.php?subdomain= SSRF.","2020-11-30 00:00:00",[91],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F904e407c-5ec7-433f-9161-eb4d6d263a97?source=api-prod",1149,{"id":94,"url_slug":95,"title":96,"description":97,"plugin_slug":4,"theme_slug":34,"affected_versions":74,"patched_in_version":75,"severity":76,"cvss_score":77,"cvss_vector":78,"vuln_type":79,"published_date":98,"updated_date":65,"references":99,"days_to_patch":101},"CVE-2020-28977","canto-blind-server-side-request-forgery-via-getphp","Canto \u003C= 1.9.0 - Blind Server-Side Request Forgery via get.php","The Canto plugin 1.3.0 for WordPress contains a blind SSRF vulnerability. 
It allows an unauthenticated attacker to make a request to any internal and external server via \u002Fincludes\u002Flib\u002Fget.php?subdomain=SSRF.","2020-03-12 00:00:00",[100],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4a330416-f867-4a1a-a692-6003e231ed54?source=api-prod",1412,{"id":103,"url_slug":104,"title":105,"description":106,"plugin_slug":4,"theme_slug":34,"affected_versions":107,"patched_in_version":75,"severity":76,"cvss_score":77,"cvss_vector":78,"vuln_type":79,"published_date":98,"updated_date":108,"references":109,"days_to_patch":111},"CVE-2020-28978","canto-blind-server-side-request-forgery-via-treephp","Canto \u003C= 1.9.0 - Blind Server-Side Request Forgery via tree.php","The Canto plugin 1.9.0 for WordPress contains a blind SSRF vulnerability. It allows an unauthenticated attacker to make a request to any internal and external server via \u002Fincludes\u002Flib\u002Ftree.php?subdomain=SSRF.","\u003C2.0.1","2026-01-21 20:55:42",[110],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc03cf3a2-3be9-44da-a050-a5978eb3eadc?source=api-prod",2142,{"slug":113,"display_name":5,"profile_url":7,"plugin_count":114,"total_installs":10,"avg_security_score":24,"avg_patch_time_days":115,"trust_score":116,"computed_at":117},"flightbycanto",1,871,71,"2026-04-04T07:12:42.462Z",[119,136,153,171,187],{"slug":120,"name":121,"version":122,"author":123,"author_profile":124,"description":125,"short_description":126,"active_installs":127,"downloaded":128,"rating":12,"num_ratings":12,"last_updated":129,"tested_up_to":14,"requires_at_least":130,"requires_php":131,"tags":132,"homepage":16,"download_link":135,"security_score":10,"vuln_count":12,"unpatched_count":12,"last_vuln_date":34,"fetched_at":27},"pixx-io","pixx.io","2.1.1","pixx.io GmbH","https:\u002F\u002Fprofiles.wordpress.org\u002Fpixxio\u002F","\u003Cp>Integrate pixx.io DAM Digital Asset Management into WordPress. 
Use files from your pixx.io media pool with WordPress easily and without any detour.\u003C\u002Fp>\n\u003Ch3>Usage\u003C\u002Fh3>\n\u003Cp>You can easily import image files into your WordPress library with our plugin.\u003C\u002Fp>\n\u003Cp>If you use Gutenberg or the Classic Editor, you can import the images directly from pixx.io into your media library and use them from there.\u003C\u002Fp>\n\u003Cp>Otherwise you can just import the images in the media overview.\u003C\u002Fp>\n\u003Cp>When importing into your WordPress library you can choose the file format. Also, there is a preview to choose from where your image will be imported in JPEG format with a maximum width of 1000px.\u003C\u002Fp>\n","Integrate pixx.io DAM Digital Asset Management into WordPress. Use files from your pixx.io media pool with WordPress easily and without any detour.",90,2261,"2025-11-12T09:48:00.000Z","6.0","7.4",[18,19,133,134],"pixx","pixxio","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpixx-io.2.1.1.zip",{"slug":137,"name":138,"version":139,"author":137,"author_profile":140,"description":141,"short_description":142,"active_installs":143,"downloaded":144,"rating":12,"num_ratings":12,"last_updated":145,"tested_up_to":146,"requires_at_least":130,"requires_php":147,"tags":148,"homepage":16,"download_link":152,"security_score":10,"vuln_count":12,"unpatched_count":12,"last_vuln_date":34,"fetched_at":27},"openasset","OpenAsset","5.0.0","https:\u002F\u002Fprofiles.wordpress.org\u002Fopenasset\u002F","\u003Cp>\u003Cstrong>It is possible to use this plugin to just sync images without integrating data, however, if you are looking to sync Project or Employee data to your website, it requires writing code for frontend integration.  It is therefore advised that you do not install directly on your live website.  Install onto a development environment first.  
Ensure your integration is fully tested before you deploy live.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Anyone can download this plugin but in order to install and configure, it requires you to be an OpenAsset customer and have a specific OpenAsset license. If you are interested in the obtaining the license please reach out to your OpenAsset Customer Success Manager or \u003Ca href=\"https:\u002F\u002Fpages.openasset.com\u002Fintegrations-contact-us.html\" rel=\"nofollow ugc\">submit this form\u003C\u002Fa>\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>OpenAsset is a leading provider of Digital Asset Management solutions designed to meet the unique needs of the Architecture, Engineering, and Construction (AEC) industries. Our vision is to supercharge productivity of AEC marketing and business pursuit teams so they can win more business.\u003C\u002Fp>\n\u003Cp>OpenAsset’s Website Connector for WordPress enables AEC companies to sync project and employee profiles with relevant details, experience, and marketing-ready images directly from OpenAsset to their public-facing website.  This eliminates data redundancy, ensuring that high-quality assets are maintained centrally, streamlining workflows and boosting efficiency.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Effortless Project Showcase:\u003C\u002Fstrong> Showcase your AEC projects seamlessly on your website with a few clicks. The connector enables display of approved and consistent project details, enhancing your online presence.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Employee Profiles that Stand Out:\u003C\u002Fstrong> Highlight your team’s expertise by effortlessly publishing employee profiles directly from the DAM. Keep your team information up-to-date and impress your clients with the talent behind your projects.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Marketing-Ready Images:\u003C\u002Fstrong> Present your projects with stunning visuals. 
The connector enables you to select and publish marketing-ready images directly from your DAM, ensuring consistency and professionalism across your web presence.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Data Consistency and Centralization:\u003C\u002Fstrong> Say goodbye to inconsistency. The connector synchronizes with your OpenAsset instance, ensuring that the information on your website is up-to-date and reflective of your latest projects and team members.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Presentation and web design in your control:\u003C\u002Fstrong>  The connector offers a simple UI template that you are free to modify or your web developer is able to integrate the data into your fully custom website UI.\u003C\u002Fp>\n\u003Ch3>Links\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.openasset.com\" rel=\"nofollow ugc\">openasset.com\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fsuccess.openasset.com\u002Fen\u002Farticles\u002F8970283-using-openasset-s-website-connector-for-wordpress\" rel=\"nofollow ugc\">Using OpenAsset’s Website Connector for WordPress\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fsuccess.openasset.com\u002Fen\u002Farticles\u002F8971102-using-the-templates-bundled-with-openasset-s-website-connector-for-wordpress\" rel=\"nofollow ugc\">Using the templates bundled with OpenAsset’s Website Connector for WordPress\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fsuccess.openasset.com\u002Fen\u002Farticles\u002F8971297-creating-a-fully-custom-ui-with-openasset-s-website-connector-for-wordpress\" rel=\"nofollow ugc\">Creating a fully custom UI with OpenAsset’s Website Connector for WordPress\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Support\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Support OpenAsset’s Website Connector for WordPress is provided directly from OpenAsset’s support team.\u003C\u002Fstrong>\u003Cbr \u002F>\nIf you have questions 
pertaining to downloading, installing, configuring and syncing the plugin, please reach out to: \u003Ca href=\"mailto:support@openasset.com\" rel=\"nofollow ugc\">support@openasset.com\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Note:\u003C\u002Fstrong> We do not offer support for modifying or customizing your web pages including issues relating to the presentation of your information or images. Please contact your web developer for this.\u003C\u002Fp>\n\u003Ch3>3rd Party Services\u003C\u002Fh3>\n\u003Cp>OpenAsset’s Website Connector for WordPress makes use of OpenAsset’s API to retrieve and display data from your OpenAsset instance. By using this plugin you agree to OpenAsset’s terms of service and privacy policy.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fopenasset.com\u002Fterms-ltd\" rel=\"nofollow ugc\">OpenAsset Terms & Conditions\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.iubenda.com\u002Fprivacy-policy\u002F69272435\" rel=\"nofollow ugc\">OpenAsset Privacy Policy\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Using this plugin means that you do not need to interact with OpenAsset’s API in code but for reference it is \u003Ca href=\"https:\u002F\u002Fdevelopers.openasset.com\" rel=\"nofollow ugc\">documented here\u003C\u002Fa>\u003C\u002Fp>\n","Sync your AEC Project Portfolio, Employees and Images from OpenAsset to your Wordpress 
Website.",10,5977,"2026-01-12T17:16:00.000Z","6.9.4","8.0",[18,19,149,150,151],"images","projects","team","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fopenasset.5.0.0.zip",{"slug":154,"name":155,"version":156,"author":157,"author_profile":158,"description":159,"short_description":160,"active_installs":143,"downloaded":161,"rating":12,"num_ratings":12,"last_updated":162,"tested_up_to":163,"requires_at_least":15,"requires_php":16,"tags":164,"homepage":168,"download_link":169,"security_score":170,"vuln_count":12,"unpatched_count":12,"last_vuln_date":34,"fetched_at":27},"pics-io","Pics.io digital asset management for WordPress","1.0.1","TopTechPhoto Inc.","https:\u002F\u002Fprofiles.wordpress.org\u002Ftoptechphoto\u002F","\u003Cp>This plugin was created to help Pics.io users save time on switching between tabs when they want to make a post for their blog or website with several images that are stored in digital asset management software.\u003C\u002Fp>\n\u003Ch3>Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Quick access to your Picsio library from a post editor\u003C\u002Fli>\n\u003Cli>Powerful search by text or by filters like color, rating, or upload time\u003C\u002Fli>\n\u003Cli>Ability to browse through the entire collections tree\u003C\u002Fli>\n\u003Cli>Quick preview of an image by clicking on its thumbnail\u003C\u002Fli>\n\u003Cli>Upload from Picsio to the Media Library and add an image to a post\u003C\u002Fli>\n\u003Cli>Create galleries from several images\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Support\u003C\u002Fh3>\n\u003Cp>If you have questions about the plugin, contact us at support@pics.io or via live chat. 
We reply 24 hours 5 days a week.\u003C\u002Fp>\n","Insert images from your Pics.io Digital asset management to a post without leaving WP admin.",5048,"2023-04-24T15:40:00.000Z","6.2.9",[18,20,165,166,167],"gallery","image","wordpress-gallery-plugin","https:\u002F\u002Fpics.io\u002Fdam-wordpress-integration","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpics-io.1.0.1.zip",85,{"slug":172,"name":173,"version":174,"author":175,"author_profile":176,"description":177,"short_description":178,"active_installs":12,"downloaded":179,"rating":12,"num_ratings":12,"last_updated":16,"tested_up_to":180,"requires_at_least":181,"requires_php":182,"tags":183,"homepage":184,"download_link":185,"security_score":10,"vuln_count":12,"unpatched_count":12,"last_vuln_date":34,"fetched_at":186},"hivo-library","HIVO Connector","0.0.4","hivo","https:\u002F\u002Fprofiles.wordpress.org\u002Fhivo\u002F","\u003Cp>This plugin allows users of HIVO to add Assets from their HIVO Library to the WordPress Media Library.\u003C\u002Fp>\n","Login to your HIVO Library and add Assets directly to your Wordpress Media tab.",1252,"6.6.5","4.4.0","4.3.0",[18,19,175],"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fhivo-connector\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhivo-library.0.0.4.zip","2026-03-15T10:48:56.248Z",{"slug":188,"name":189,"version":190,"author":191,"author_profile":192,"description":193,"short_description":194,"active_installs":12,"downloaded":195,"rating":12,"num_ratings":12,"last_updated":196,"tested_up_to":197,"requires_at_least":130,"requires_php":198,"tags":199,"homepage":203,"download_link":204,"security_score":10,"vuln_count":12,"unpatched_count":12,"last_vuln_date":34,"fetched_at":27},"vy-bildbank","Vy Bildbank","1.1.1","vybildbank","https:\u002F\u002Fprofiles.wordpress.org\u002Ftingmediabank\u002F","\u003Cp>Access your media assets from your account at the cloud service Vy Bildbank.\u003C\u002Fp>\n","Access your media assets from your account 
at the cloud service Vy Bildbank.",756,"2026-02-05T12:23:00.000Z","6.7.5","7.0",[18,19,200,201,202],"image-bank","media","media-library","https:\u002F\u002Fbildbank.se\u002Fsv\u002Fsupport\u002Fwordpress","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fvy-bildbank.zip",{"attackSurface":206,"codeSignals":307,"taintFlows":337,"riskAssessment":458,"analyzedAt":473},{"hooks":207,"ajaxHandlers":285,"restRoutes":301,"shortcodes":302,"cronEvents":303,"entryPointCount":306,"unprotectedCount":306},[208,214,217,221,226,229,235,238,241,246,250,254,257,261,264,268,272,275,278,281],{"type":209,"name":210,"callback":211,"file":212,"line":213},"action","init","canto_textdomain","block\\index.php",15,{"type":209,"name":210,"callback":215,"file":212,"line":216},"canto_register_block",99,{"type":209,"name":218,"callback":219,"file":212,"line":220},"enqueue_block_editor_assets","canto_enqueue_block_editor_assets",108,{"type":209,"name":210,"callback":222,"priority":223,"file":224,"line":225},"closure",5,"canto.php",46,{"type":209,"name":210,"callback":227,"file":224,"line":228},"canto_load_elementor_integration",63,{"type":230,"name":231,"callback":232,"priority":233,"file":224,"line":234},"filter","the_content","canto_render_acf_fields",20,171,{"type":209,"name":236,"callback":222,"file":224,"line":237},"wp_footer",174,{"type":209,"name":239,"callback":222,"file":224,"line":240},"rest_api_init",205,{"type":209,"name":210,"callback":242,"priority":243,"file":244,"line":245},"init_settings",11,"includes\\class-canto-settings.php",53,{"type":209,"name":247,"callback":248,"file":244,"line":249},"admin_init","register_settings",56,{"type":209,"name":251,"callback":252,"file":244,"line":253},"admin_menu","add_menu_item",59,{"type":230,"name":255,"callback":222,"file":244,"line":256},"safe_style_css",473,{"type":209,"name":258,"callback":258,"priority":143,"file":259,"line":260},"admin_enqueue_scripts","includes\\class-canto.php",164,{"type":209,"name":258,"callback":262,"priori
ty":143,"file":259,"line":263},"admin_enqueue_styles",165,{"type":230,"name":265,"callback":266,"priority":143,"file":259,"line":267},"script_loader_tag","md_modify_jsx_tag",181,{"type":230,"name":269,"callback":270,"file":259,"line":271},"cron_schedules","fbc_scheduled_update",188,{"type":209,"name":270,"callback":273,"file":259,"line":274},"fbc_scheduler",214,{"type":209,"name":210,"callback":276,"priority":12,"file":259,"line":277},"load_localisation",224,{"type":209,"name":210,"callback":279,"priority":233,"file":259,"line":280},"init_acf_integration",234,{"type":209,"name":282,"callback":283,"file":284,"line":44},"elementor\u002Fwidgets\u002Fregister","register_widgets","includes\\elementor\\class-canto-elementor.php",[286,290,294,298],{"action":287,"nopriv":288,"callback":287,"hasNonce":288,"hasCapCheck":288,"file":244,"line":289},"fbc_updateOptions",false,76,{"action":291,"nopriv":288,"callback":292,"hasNonce":288,"hasCapCheck":288,"file":259,"line":293},"fbc_get_token","getToken",227,{"action":295,"nopriv":288,"callback":296,"hasNonce":288,"hasCapCheck":288,"file":259,"line":297},"fbc_getMetadata","getMetadata",229,{"action":299,"nopriv":288,"callback":299,"hasNonce":288,"hasCapCheck":288,"file":259,"line":300},"updateOptions",231,[],[],[304],{"hook":270,"callback":270,"file":259,"line":305},211,4,{"dangerousFunctions":308,"sqlUsage":309,"outputEscaping":311,"fileOperations":223,"externalRequests":306,"nonceChecks":114,"capabilityChecks":12,"bundledLibraries":336},[],{"prepared":12,"raw":12,"locations":310},[],{"escaped":312,"rawEcho":313,"locations":314},84,9,[315,319,321,323,325,327,329,332,334],{"file":316,"line":317,"context":318},"block\\canto.php",39,"raw 
output",{"file":224,"line":320,"context":318},95,{"file":224,"line":322,"context":318},136,{"file":259,"line":324,"context":318},466,{"file":259,"line":326,"context":318},505,{"file":259,"line":328,"context":318},534,{"file":330,"line":331,"context":318},"includes\\elementor\\class-canto-elementor-widget.php",217,{"file":330,"line":333,"context":318},230,{"file":330,"line":335,"context":318},239,[],[338,375,392,408,435,449],{"entryPoint":339,"graph":340,"unsanitizedCount":25,"severity":374},"settings_page (includes\\class-canto-settings.php:234)",{"nodes":341,"edges":369},[342,347,353,357,360,364],{"id":343,"type":344,"label":345,"file":244,"line":346},"n0","source","$_SERVER",294,{"id":348,"type":349,"label":350,"file":244,"line":351,"wp_function":352},"n1","sink","echo() [XSS]",481,"echo",{"id":354,"type":344,"label":355,"file":244,"line":356},"n2","$_SERVER (x2)",499,{"id":358,"type":349,"label":350,"file":244,"line":359,"wp_function":352},"n3",501,{"id":361,"type":344,"label":362,"file":244,"line":363},"n4","$_REQUEST (x5)",507,{"id":365,"type":349,"label":366,"file":244,"line":367,"wp_function":368},"n5","update_option() [Settings Manipulation]",513,"update_option",[370,372,373],{"from":343,"to":348,"sanitized":371},true,{"from":354,"to":358,"sanitized":288},{"from":361,"to":365,"sanitized":288},"medium",{"entryPoint":376,"graph":377,"unsanitizedCount":114,"severity":374},"getMetaData (includes\\class-canto.php:436)",{"nodes":378,"edges":389},[379,382,385],{"id":343,"type":344,"label":380,"file":259,"line":381},"$_POST",451,{"id":348,"type":383,"label":384,"file":259,"line":381},"transform","→ curl_action()",{"id":354,"type":349,"label":386,"file":259,"line":387,"wp_function":388},"wp_remote_request() [SSRF]",271,"wp_remote_request",[390,391],{"from":343,"to":348,"sanitized":288},{"from":348,"to":354,"sanitized":288},{"entryPoint":393,"graph":394,"unsanitizedCount":114,"severity":374},"\u003Cclass-canto> 
(includes\\class-canto.php:0)",{"nodes":395,"edges":404},[396,399,401,402,403],{"id":343,"type":344,"label":397,"file":259,"line":398},"$_POST (x6)",569,{"id":348,"type":349,"label":366,"file":259,"line":400,"wp_function":368},571,{"id":354,"type":344,"label":380,"file":259,"line":381},{"id":358,"type":383,"label":384,"file":259,"line":381},{"id":361,"type":349,"label":386,"file":259,"line":387,"wp_function":388},[405,406,407],{"from":343,"to":348,"sanitized":371},{"from":354,"to":358,"sanitized":288},{"from":358,"to":361,"sanitized":288},{"entryPoint":409,"graph":410,"unsanitizedCount":433,"severity":434},"\u003Ccanto> (block\\canto.php:0)",{"nodes":411,"edges":428},[412,414,415,417,419,421,422,426],{"id":343,"type":344,"label":413,"file":316,"line":306},"$_GET",{"id":348,"type":349,"label":350,"file":316,"line":44,"wp_function":352},{"id":354,"type":344,"label":416,"file":316,"line":306},"$_GET (x4)",{"id":358,"type":349,"label":350,"file":316,"line":418,"wp_function":352},30,{"id":361,"type":344,"label":420,"file":316,"line":317},"$_GET['args']",{"id":365,"type":349,"label":350,"file":316,"line":317,"wp_function":352},{"id":423,"type":344,"label":424,"file":316,"line":425},"n6","$_GET['wpClientId']",40,{"id":427,"type":349,"label":350,"file":316,"line":425,"wp_function":352},"n7",[429,430,431,432],{"from":343,"to":348,"sanitized":288},{"from":354,"to":358,"sanitized":371},{"from":361,"to":365,"sanitized":288},{"from":423,"to":427,"sanitized":371},2,"low",{"entryPoint":436,"graph":437,"unsanitizedCount":25,"severity":434},"\u003Cclass-canto-settings> 
(includes\\class-canto-settings.php:0)",{"nodes":438,"edges":445},[439,440,441,442,443,444],{"id":343,"type":344,"label":345,"file":244,"line":346},{"id":348,"type":349,"label":350,"file":244,"line":351,"wp_function":352},{"id":354,"type":344,"label":355,"file":244,"line":356},{"id":358,"type":349,"label":350,"file":244,"line":359,"wp_function":352},{"id":361,"type":344,"label":362,"file":244,"line":363},{"id":365,"type":349,"label":366,"file":244,"line":367,"wp_function":368},[446,447,448],{"from":343,"to":348,"sanitized":371},{"from":354,"to":358,"sanitized":288},{"from":361,"to":365,"sanitized":288},{"entryPoint":450,"graph":451,"unsanitizedCount":457,"severity":434},"updateOptions (includes\\class-canto.php:567)",{"nodes":452,"edges":455},[453,454],{"id":343,"type":344,"label":397,"file":259,"line":398},{"id":348,"type":349,"label":366,"file":259,"line":400,"wp_function":368},[456],{"from":343,"to":348,"sanitized":288},6,{"summary":459,"deductions":460},"The 'canto' plugin version 3.1.1 exhibits a mixed security posture. While it shows strengths in its handling of SQL queries and output escaping, with 100% of SQL queries using prepared statements and 90% of outputs properly escaped, significant concerns are raised by the attack surface and its vulnerability history. The static analysis reveals a substantial attack surface with 4 AJAX handlers, none of which performs a nonce or capability check. This is a major security flaw, as it exposes these endpoints to unauthorized use and potential exploitation.\n\nThe plugin's vulnerability history is alarming, with 7 known CVEs, including 3 critical and 4 high-severity issues. The prevalence of 'PHP Remote File Inclusion' and 'Server-Side Request Forgery' vulnerabilities in its past suggests recurring weaknesses in how the plugin handles user input, file operations, and external requests. 
The fact that the last vulnerability was reported very recently (2024-06-13) indicates ongoing security challenges.\n\nIn conclusion, while the plugin has some good practices in place, the unprotected AJAX endpoints and the extensive history of critical and high-severity vulnerabilities, particularly those related to file inclusion and SSRF, present a significant risk. These weaknesses outweigh the positive aspects of its code, making it a potentially dangerous component if not thoroughly secured or updated.",[461,463,465,467,469,471],{"reason":462,"points":233},"4 AJAX handlers without auth checks",{"reason":464,"points":233},"Total 7 known CVEs (3 critical, 4 high)",{"reason":466,"points":213},"Flows with unsanitized paths",{"reason":468,"points":213},"Vulnerability history includes RFI and SSRF",{"reason":470,"points":143},"Lack of capability checks",{"reason":472,"points":223},"Only 1 nonce check","2026-03-16T20:41:01.836Z",{"wat":475,"direct":481},{"assetPaths":476,"generatorPatterns":478,"scriptPaths":479,"versionParams":480},[477],"\u002Fwp-content\u002Fplugins\u002Fcanto\u002Fblock\u002Fblock.js",[],[477],[],{"cssClasses":482,"htmlComments":487,"htmlAttributes":488,"restEndpoints":493,"jsGlobals":495,"shortcodeOutput":497},[483,484,485,486],"acf-fields-container","acf-field-image","acf-field-label","acf-image",[],[489,490,491,492],"data-post-id","data-canto-acf","data-field-name","data-field-type",[494],"\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts?_fields[]=canto_acf_fields",[496],"canto_acf_fields_loaded",[]]