[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fWYoezcv8dWNGdkWeBnOe4dNySwQKTWV_PnOScUs8wdA":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":17,"tags":18,"homepage":24,"download_link":25,"security_score":26,"vuln_count":27,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30,"vulnerabilities":31,"developer":62,"crawl_stats":37,"alternatives":68,"analysis":145,"fingerprints":308},"clickcease-click-fraud-protection","ClickCease Click Fraud Protection","3.2.13","eranfl","https:\u002F\u002Fprofiles.wordpress.org\u002Feranfl\u002F","\u003Cp>Bots and invalid traffic can reach your site through paid, organic, and direct traffic, resulting in a wasted ad budget and disrupted marketing funnels.\u003C\u002Fp>\n\u003Cp>Prevent bots, competitors, and malicious users from damaging your marketing performance with ClickCease, the industry-leading service that keeps your website and ads safe from fraud. Quick installation and real-time protection for all your website’s incoming traffic.\u003C\u002Fp>\n\u003Cp>ClickCease protects you from invalid traffic by monitoring and protecting your:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Paid traffic (Google, Facebook, & Microsoft)\u003C\u002Fli>\n\u003Cli>Organic traffic\u003C\u002Fli>\n\u003Cli>Direct traffic\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Put a stop to ad and click fraud on your website with our market-leading AI software. 
Allow yourself to fully focus on growing your business without having online fraud distract you.\u003C\u002Fp>\n\u003Cp>You will need an active ClickCease subscription to use this WordPress plugin.\u003C\u002Fp>\n","Protect your website and ad campaigns from bots, competitors, and click fraud with ClickCease's advanced fraud prevention and real-time monitoring.",10000,261207,66,7,"2025-07-21T15:27:00.000Z","6.6.5","5.6",[19,20,21,22,23],"bot-protection","click-fraud","clickcease","fraud-protection","website-protection","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fclickcease-click-fraud-protection.zip",99,2,0,"2024-05-06 00:00:00","2026-03-15T15:16:48.613Z",[32,48],{"id":33,"url_slug":34,"title":35,"description":36,"plugin_slug":4,"theme_slug":37,"affected_versions":38,"patched_in_version":39,"severity":40,"cvss_score":41,"cvss_vector":42,"vuln_type":43,"published_date":29,"updated_date":44,"references":45,"days_to_patch":47},"CVE-2023-6810","clickcease-click-fraud-protection-improper-authorization-to-sensitive-information-exposure-via-getsettings","ClickCease Click Fraud Protection \u003C= 3.2.4 - Improper Authorization to sensitive information exposure via get_settings","The ClickCease Click Fraud Protection plugin for WordPress is vulnerable to unauthorized access of data due to an improper capability check on the get_settings function in all versions up to, and including, 3.2.4. 
This makes it possible for authenticated attackers, with author access and above, to retrieve the plugin's configured API keys.",null,"\u003C=3.2.4","3.2.5","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Improper Access Control","2024-07-29 21:36:25",[46],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5d572cac-b8e3-4c52-9b35-80fe5ee9e900?source=api-prod",85,{"id":49,"url_slug":50,"title":51,"description":52,"plugin_slug":4,"theme_slug":37,"affected_versions":53,"patched_in_version":54,"severity":40,"cvss_score":41,"cvss_vector":55,"vuln_type":56,"published_date":57,"updated_date":58,"references":59,"days_to_patch":61},"CVE-2024-33678","clickcease-click-fraud-protection-cross-site-request-forgery","ClickCease Click Fraud Protection \u003C= 3.2.7 - Cross-Site Request Forgery","The ClickCease Click Fraud Protection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.7. This is due to missing or incorrect nonce validation on the save_settings() function. 
This makes it possible for unauthenticated attackers to update settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","\u003C=3.2.7","3.2.8","CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2024-04-26 00:00:00","2024-09-09 20:33:11",[60],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe03f95ae-c1ba-4679-888b-055293e1351f?source=api-prod",137,{"slug":7,"display_name":7,"profile_url":8,"plugin_count":27,"total_installs":63,"avg_security_score":64,"avg_patch_time_days":65,"trust_score":66,"computed_at":67},10700,100,111,79,"2026-04-03T21:33:49.060Z",[69,81,98,114,129],{"slug":70,"name":71,"version":72,"author":7,"author_profile":8,"description":73,"short_description":74,"active_installs":75,"downloaded":76,"rating":28,"num_ratings":28,"last_updated":77,"tested_up_to":16,"requires_at_least":17,"requires_php":17,"tags":78,"homepage":24,"download_link":80,"security_score":64,"vuln_count":28,"unpatched_count":28,"last_vuln_date":37,"fetched_at":30},"cheq-essentials-go-to-market-security","CHEQ Essentials","1.13","\u003Cp>As a website owner, one of the biggest challenges you face is dealing with invalid traffic. Invalid traffic (27% of direct and organic traffic on average in 2022) refers to any non-human or fraudulent activity, such as bots, click farms, and other forms of automated traffic. This can not only damage your site’s reputation but also result in lost revenue, slow performance, and skewed data that damage your decision-making.\u003C\u002Fp>\n\u003Cp>CHEQ Essentials is here to help. We use advanced algorithms and machine learning techniques to analyze user behavior and distinguish between legitimate and invalid traffic.\u003C\u002Fp>\n\u003Cp>With this plugin, you can automatically monitor your website traffic in real time and identify any suspicious patterns or behavior. 
The plugin also provides detailed reports and analytics that can help you better understand your traffic and identify any potential issues.\u003C\u002Fp>\n\u003Cp>Once the plugin detects invalid traffic, it can take immediate action to prevent further damage. This may include blocking IP addresses on Google Ads, redirecting traffic to a 403 page, or implementing other measures to prevent bots and other automated traffic from accessing your site.\u003C\u002Fp>\n\u003Cp>Overall, this is an essential tool for any website owner who wants to secure and protect their site from fraudulent activity and ensure a safe and reliable user experience. With CHEQ Essentials, you can rest assured that your site is protected from invalid traffic and other forms of online fraud.\u003C\u002Fp>\n\u003Cp>You will need an active CHEQ Essentials subscription to use this WordPress plugin.\u003C\u002Fp>\n","Protect, analyze & block threats in real time your website from bots, click fraud, and invalid traffic with CHEQ Essentials.",700,6693,"2025-07-21T15:20:00.000Z",[19,20,22,79,23],"spam-protection","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcheq-essentials-go-to-market-security.zip",{"slug":82,"name":83,"version":84,"author":85,"author_profile":86,"description":87,"short_description":88,"active_installs":89,"downloaded":90,"rating":28,"num_ratings":28,"last_updated":91,"tested_up_to":92,"requires_at_least":93,"requires_php":94,"tags":95,"homepage":24,"download_link":97,"security_score":64,"vuln_count":28,"unpatched_count":28,"last_vuln_date":37,"fetched_at":30},"click-fraud-free","ClickFraudFree","1.0.0","cffjerson","https:\u002F\u002Fprofiles.wordpress.org\u002Fcffjerson\u002F","\u003Cp>ClickFraudFree is a \u003Cstrong>service-based plugin\u003C\u002Fstrong> that helps website owners protect their traffic and advertising campaigns from fraudulent clicks, bots, and malicious users.\u003C\u002Fp>\n\u003Cp>This plugin connects your WordPress site to the 
\u003Cstrong>ClickFraudFree external service\u003C\u002Fstrong>, which analyzes traffic patterns and detects invalid or fraudulent activity in real time.\u003C\u002Fp>\n\u003Cp>⚠️ \u003Cstrong>Important:\u003C\u002Fstrong>\u003Cbr \u002F>\nThis plugin relies on a \u003Cstrong>remote service\u003C\u002Fstrong> and does not function without an active ClickFraudFree account.\u003C\u002Fp>\n\u003Ch3>How the service works\u003C\u002Fh3>\n\u003Cp>When enabled, the plugin sends limited traffic-related data to the ClickFraudFree servers for analysis. This allows the service to detect and prevent click fraud and invalid traffic.\u003C\u002Fp>\n\u003Cp>The plugin may communicate with the following external server:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>https:\u002F\u002Fclickfraudfree.com\u003C\u002Fstrong>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Data sent to the service\u003C\u002Fh3>\n\u003Cp>Depending on your configuration, the plugin may transmit the following data to the ClickFraudFree service:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Client ID (provided by the ClickFraudFree account)\u003C\u002Fli>\n\u003Cli>Visitor IP address\u003C\u002Fli>\n\u003Cli>HTTP referrer URL\u003C\u002Fli>\n\u003Cli>Timestamp of the visit\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>No personally identifiable user data is collected intentionally beyond what is required for fraud detection.\u003C\u002Fp>\n\u003Ch3>Why this data is needed\u003C\u002Fh3>\n\u003Cp>This information is required to:\u003Cbr \u002F>\n* Identify repeat or automated traffic\u003Cbr \u002F>\n* Detect bot activity and click farms\u003Cbr \u002F>\n* Prevent competitors from generating invalid ad clicks\u003Cbr \u002F>\n* Protect advertising budgets and analytics accuracy\u003C\u002Fp>\n\u003Ch3>Account requirement\u003C\u002Fh3>\n\u003Cp>An active ClickFraudFree account is required to use this plugin.\u003Cbr \u002F>\nYou must sign up at \u003Cstrong>https:\u002F\u002Fclickfraudfree.com\u003C\u002Fstrong> and obtain a 
Client ID.\u003C\u002Fp>\n","Protects websites and ad campaigns from bots, competitors, and invalid traffic using a remote click fraud detection service.",40,155,"2026-01-26T12:20:00.000Z","6.9.4","6.0","7.4",[96,19,20,22,23],"ad-fraud","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fclick-fraud-free.1.0.0.zip",{"slug":99,"name":100,"version":84,"author":100,"author_profile":101,"description":102,"short_description":103,"active_installs":28,"downloaded":104,"rating":28,"num_ratings":28,"last_updated":105,"tested_up_to":106,"requires_at_least":107,"requires_php":108,"tags":109,"homepage":111,"download_link":112,"security_score":113,"vuln_count":28,"unpatched_count":28,"last_vuln_date":37,"fetched_at":30},"bluefield-identity","Bluefield Identity","https:\u002F\u002Fprofiles.wordpress.org\u002Fbluefieldidentity\u002F","\u003Ch3>If you’re using paid search advertising, want to prevent click fraud and preserve your ad budgets, you need Bluefield Identity.\u003C\u002Fh3>\n\u003Cp>Screen \u003Cstrong>ALL\u003C\u002Fstrong> incoming traffic to your site blocking click fraud, web scraping and other destructive actions with the most effective service in the industry. Give us a try with our 30 day free trial and see what partnering with Bluefield Identity can do for you.\u003C\u002Fp>\n\u003Cp>Quick and easy installation provides immediate real-time protection for ALL your site’s incoming traffic.\u003C\u002Fp>\n\u003Cp>When we say \u003Cstrong>“risk free”\u003C\u002Fstrong> we mean exactly that. Install Bluefield Identity and try us for 30 days. At the end of the month you’ll get an invoice and a performance report. Compare that against your own analytics and data and \u003Cstrong>YOU\u003C\u002Fstrong> decide. 
If you want to continue denying bad traffic that doesn’t convert, pay the invoice (Bluefield Identity costs \u003Cstrong>$30USD per month for 6000 clicks and $10 for each additional 2000 clicks\u003C\u002Fstrong>) and we keep screening your site visitors and protecting your ad budgets. If not…don’t pay the bill. The trial ends, we close your account and we thank you for giving us a try and you owe us nothing.\u003C\u002Fp>\n\u003Cp>It’s that simple. No gimmicks and no strings attached. We believe in our service and will prove it to you.\u003C\u002Fp>\n\u003Cp>Cancel anytime by simply not paying the last invoice because there are no contracts. If you choose to come back later, simply pay the unpaid invoice and we’re partners again.\u003C\u002Fp>\n\u003Ch4>Why is Bluefield Identity better?\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\n\u003Cp>Bluefield Identity screens ALL traffic, paid and organic and we screen for \u003Cstrong>ALL paid traffic sources\u003C\u002Fstrong>, not just Google, Meta and Microsoft.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Bluefield Identity works on YOUR website and we don’t require access to your paid ads accounts.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Bluefield Identity allows you to refine what traffic you allow by configuring your own filters (as of September 2024, we use 17 different filters). Create geofences, set click rate limits (3 separate tiers), deny access from proxy sources and much more. 
Bluefield Identity is a web application firewall designed from the ground up to defeat click fraud and other malicious activity.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n","Block click fraud, web scraping and other destructive actions with the most effective web application firewall in the industry.",917,"2024-09-30T21:40:00.000Z","6.5.8","5.0","5.6.20",[99,19,20,110],"paid-click","https:\u002F\u002Fgithub.com\u002FBluefield-Identity\u002Fwp-bluefield","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbluefield-identity.1.0.0.zip",92,{"slug":115,"name":116,"version":84,"author":117,"author_profile":118,"description":119,"short_description":120,"active_installs":28,"downloaded":121,"rating":28,"num_ratings":28,"last_updated":122,"tested_up_to":123,"requires_at_least":107,"requires_php":94,"tags":124,"homepage":24,"download_link":128,"security_score":64,"vuln_count":28,"unpatched_count":28,"last_vuln_date":37,"fetched_at":30},"bunkr-solution","Bunkr Solution","Bunkr","https:\u002F\u002Fprofiles.wordpress.org\u002Fyfel\u002F","\u003Cp>Bunkr Solution provides enterprise-grade bot protection for your WordPress site through sophisticated server-side analysis.\u003C\u002Fp>\n\u003Cp>Key Features:\u003Cbr \u002F>\n* Real-time behavioral analysis\u003Cbr \u002F>\n* Advanced bot detection\u003Cbr \u002F>\n* Seamless user experience for legitimate visitors\u003Cbr \u002F>\n* Enterprise-grade protection\u003Cbr \u002F>\n* Easy integration with WordPress\u003C\u002Fp>\n\u003Ch3>External Services\u003C\u002Fh3>\n\u003Cp>This plugin connects to the Bunkr API service to analyze website traffic and provide bot protection. 
Here’s what you need to know:\u003C\u002Fp>\n\u003Ch4>Service Information\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Service\u003C\u002Fstrong>: Bunkr Bot Protection API (https:\u002F\u002Fwpde.bunkr-solution.com)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Purpose\u003C\u002Fstrong>: Real-time analysis of website requests to identify and block malicious bot traffic\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Provider\u003C\u002Fstrong>: Bunkr Solution (https:\u002F\u002Fbunkr-solution.com)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Data Transmission\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>When data is sent\u003C\u002Fstrong>: Every time a non-admin user visits your website (excluding AJAX requests)\u003C\u002Fp>\n\u003Cp>\u003Cstrong>What data is sent\u003C\u002Fstrong>:\u003Cbr \u002F>\n* Request metadata: URL, HTTP method, referrer, timestamp\u003Cbr \u002F>\n* Server headers: User-Agent, Accept headers, security headers (Sec-* headers)\u003Cbr \u002F>\n* Network information: IP address, domain name\u003Cbr \u002F>\n* Browser context: Mobile detection, HTTPS status\u003Cbr \u002F>\n* Cookie analysis: Count and types of cookies (WordPress, session, persistent)\u003Cbr \u002F>\n* Request identifier: Unique request identifier\u003C\u002Fp>\n\u003Cp>\u003Cstrong>No sensitive data\u003C\u002Fstrong>: The plugin does not send form data, post content, user credentials, or personal information.\u003C\u002Fp>\n\u003Ch4>Legal Information\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Terms of Service\u003C\u002Fstrong>: https:\u002F\u002Fbunkr-solution.com\u002Fterms\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Privacy Policy\u003C\u002Fstrong>: https:\u002F\u002Fbunkr-solution.com\u002Fprivacy\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>User Consent\u003C\u002Fh4>\n\u003Cp>By installing and activating this plugin, you acknowledge that:\u003Cbr \u002F>\n1. Request data will be sent to Bunkr’s servers for analysis\u003Cbr \u002F>\n2. 
This data transmission is necessary for the plugin’s bot protection functionality\u003Cbr \u002F>\n3. You have reviewed Bunkr’s terms of service and privacy policy\u003Cbr \u002F>\n4. You are responsible for informing your website users about this data processing if required by applicable privacy laws\u003C\u002Fp>\n","Advanced bot protection for WordPress using real-time behavioral analysis. Blocks malicious traffic while allowing legitimate users seamless access.",519,"2025-10-10T13:14:00.000Z","6.8.5",[125,19,20,126,127],"anti-spam","firewall","security","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbunkr-solution.1.0.2.zip",{"slug":130,"name":131,"version":84,"author":132,"author_profile":133,"description":134,"short_description":135,"active_installs":28,"downloaded":136,"rating":28,"num_ratings":28,"last_updated":24,"tested_up_to":92,"requires_at_least":93,"requires_php":94,"tags":137,"homepage":24,"download_link":143,"security_score":64,"vuln_count":28,"unpatched_count":28,"last_vuln_date":37,"fetched_at":144},"campaign-ai","Campaign AI","campaignai2026","https:\u002F\u002Fprofiles.wordpress.org\u002Fcampaignai2026\u002F","\u003Cp>Campaign AI is a \u003Cstrong>service-connected WordPress plugin\u003C\u002Fstrong> that integrates your website with the Campaign AI fraud prevention platform.\u003C\u002Fp>\n\u003Cp>The plugin enables your site to communicate with Campaign AI’s remote analysis system, allowing traffic activity to be evaluated for signs of automated behavior, malicious access, or advertising abuse.\u003C\u002Fp>\n\u003Cp>⚠️ \u003Cstrong>Notice:\u003C\u002Fstrong>\u003Cbr \u002F>\nCampaign AI requires an \u003Cstrong>active external account\u003C\u002Fstrong>. 
The plugin alone does not provide fraud detection without a valid Campaign AI integration code.\u003C\u002Fp>\n\u003Ch3>How Campaign AI works\u003C\u002Fh3>\n\u003Cp>Once configured, Campaign AI observes incoming visits and sends limited technical data to its remote service.\u003Cbr \u002F>\nThis information is processed to help identify patterns commonly associated with click fraud, bots, and invalid traffic sources.\u003C\u002Fp>\n\u003Cp>The plugin communicates with the following external service:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>https:\u002F\u002Fcronjob.campaign-ai.com\u003C\u002Fstrong>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Information transmitted\u003C\u002Fh3>\n\u003Cp>To function correctly, Campaign AI may transmit the following data elements to its service endpoint:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Campaign AI integration code\u003C\u002Fli>\n\u003Cli>Visitor IP address\u003C\u002Fli>\n\u003Cli>Referrer URL (if available)\u003C\u002Fli>\n\u003Cli>Time of the request\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This data is used strictly for traffic evaluation and fraud detection purposes.\u003C\u002Fp>\n\u003Ch3>Purpose of data processing\u003C\u002Fh3>\n\u003Cp>The transmitted information allows Campaign AI to:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Detect automated or scripted traffic\u003C\u002Fli>\n\u003Cli>Identify suspicious click behavior\u003C\u002Fli>\n\u003Cli>Reduce waste from invalid advertising interactions\u003C\u002Fli>\n\u003Cli>Improve campaign performance insights\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Campaign AI does \u003Cstrong>not intentionally collect personal user information\u003C\u002Fstrong> beyond what is technically necessary to perform fraud analysis.\u003C\u002Fp>\n\u003Ch3>Account requirement\u003C\u002Fh3>\n\u003Cp>An active Campaign AI account is required to use this plugin.\u003Cbr \u002F>\nYou can register and obtain an integration code 
at:\u003C\u002Fp>\n\u003Cp>\u003Cstrong>https:\u002F\u002Fwww.campaign-ai.com\u003C\u002Fstrong>\u003C\u002Fp>\n","Campaign AI integration plugin that protects websites and ad campaigns from bots and invalid traffic using real-time click fraud detection.",118,[138,139,140,141,142],"ad-fraud-protection","ads-security","bot-detection","click-fraud-prevention","invalid-traffic","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcampaign-ai.1.0.0.zip","2026-03-15T10:48:56.248Z",{"attackSurface":146,"codeSignals":206,"taintFlows":234,"riskAssessment":293,"analyzedAt":307},{"hooks":147,"ajaxHandlers":180,"restRoutes":202,"shortcodes":203,"cronEvents":204,"entryPointCount":205,"unprotectedCount":205},[148,154,158,162,165,169,173,177],{"type":149,"name":150,"callback":151,"file":152,"line":153},"action","plugins_loaded","init","clickcease.php",20,{"type":149,"name":155,"callback":156,"file":152,"line":157},"wp_enqueue_scripts","add_stats_script",42,{"type":149,"name":159,"callback":160,"file":152,"line":161},"send_headers","clickcease_server_validation",46,{"type":149,"name":155,"callback":163,"file":152,"line":164},"enqueue_custom_scripts",47,{"type":149,"name":166,"callback":167,"file":152,"line":168},"wp_body_open","add_noscript_tag",48,{"type":149,"name":170,"callback":171,"file":152,"line":172},"admin_menu","create_clickcease_plugin_options_page",241,{"type":149,"name":174,"callback":175,"priority":26,"file":152,"line":176},"admin_init","clickcease_admin_init",244,{"type":149,"name":178,"callback":178,"file":152,"line":179},"admin_enqueue_scripts",253,[181,186,189,192,195,199],{"action":182,"nopriv":183,"callback":182,"hasNonce":183,"hasCapCheck":183,"file":184,"line":185},"get_settings",false,"classes\\routes.php",12,{"action":187,"nopriv":183,"callback":187,"hasNonce":183,"hasCapCheck":183,"file":184,"line":188},"update_whitelist",13,{"action":190,"nopriv":183,"callback":190,"hasNonce":183,"hasCapCheck":183,"file":184,"line":191},"save_settings",14,{"action"
:193,"nopriv":183,"callback":193,"hasNonce":183,"hasCapCheck":183,"file":184,"line":194},"updateInstallClickFraud",15,{"action":196,"nopriv":183,"callback":197,"hasNonce":183,"hasCapCheck":183,"file":152,"line":198},"validate_clickcease_response","check_with_clickcease",49,{"action":196,"nopriv":200,"callback":197,"hasNonce":183,"hasCapCheck":183,"file":152,"line":201},true,50,[],[],[],6,{"dangerousFunctions":207,"sqlUsage":208,"outputEscaping":210,"fileOperations":28,"externalRequests":231,"nonceChecks":27,"capabilityChecks":232,"bundledLibraries":233},[],{"prepared":28,"raw":28,"locations":209},[],{"escaped":188,"rawEcho":211,"locations":212},9,[213,216,219,221,223,225,227,228,230],{"file":184,"line":214,"context":215},93,"raw output",{"file":217,"line":218,"context":215},"classes\\rtiService.php",187,{"file":217,"line":220,"context":215},196,{"file":217,"line":222,"context":215},205,{"file":217,"line":224,"context":215},248,{"file":152,"line":226,"context":215},190,{"file":152,"line":226,"context":215},{"file":152,"line":229,"context":215},228,{"file":152,"line":229,"context":215},8,3,[],[235,267,282],{"entryPoint":236,"graph":237,"unsanitizedCount":266,"severity":40},"save_settings (classes\\routes.php:54)",{"nodes":238,"edges":262},[239,244,250,253,257],{"id":240,"type":241,"label":242,"file":184,"line":243},"n0","source","$_POST (x4)",62,{"id":245,"type":246,"label":247,"file":184,"line":248,"wp_function":249},"n1","sink","update_option() [Settings Manipulation]",74,"update_option",{"id":251,"type":241,"label":252,"file":184,"line":13},"n2","$_POST",{"id":254,"type":255,"label":256,"file":184,"line":13},"n3","transform","→ validateDomainKey()",{"id":258,"type":246,"label":259,"file":260,"line":14,"wp_function":261},"n4","wp_remote_get() 
[SSRF]","classes\\formService.php","wp_remote_get",[263,264,265],{"from":240,"to":245,"sanitized":183},{"from":251,"to":254,"sanitized":183},{"from":254,"to":258,"sanitized":183},5,{"entryPoint":268,"graph":269,"unsanitizedCount":281,"severity":40},"\u003Croutes> (classes\\routes.php:0)",{"nodes":270,"edges":277},[271,273,274,275,276],{"id":240,"type":241,"label":272,"file":184,"line":243},"$_POST (x5)",{"id":245,"type":246,"label":247,"file":184,"line":248,"wp_function":249},{"id":251,"type":241,"label":252,"file":184,"line":13},{"id":254,"type":255,"label":256,"file":184,"line":13},{"id":258,"type":246,"label":259,"file":260,"line":14,"wp_function":261},[278,279,280],{"from":240,"to":245,"sanitized":200},{"from":251,"to":254,"sanitized":183},{"from":254,"to":258,"sanitized":183},1,{"entryPoint":283,"graph":284,"unsanitizedCount":281,"severity":292},"update_whitelist (classes\\routes.php:113)",{"nodes":285,"edges":290},[286,288],{"id":240,"type":241,"label":252,"file":184,"line":287},116,{"id":245,"type":246,"label":247,"file":184,"line":289,"wp_function":249},120,[291],{"from":240,"to":245,"sanitized":183},"low",{"summary":294,"deductions":295},"The ClickCease Click Fraud Protection plugin v3.2.13 exhibits a mixed security posture. On the positive side, it demonstrates good practices in SQL query handling, exclusively using prepared statements and having no known unpatched CVEs. The absence of raw SQL queries and file operations is also a strong indicator of secure coding in those areas. However, significant concerns arise from the attack surface, with all six identified AJAX handlers lacking authentication checks. This creates a substantial risk of unauthorized actions being performed by unauthenticated users. Additionally, the taint analysis revealed three flows with unsanitized paths; although they did not reach critical or high severity, they still represent a potential vector for data manipulation or unintended behavior. 
The vulnerability history, while showing no currently unpatched issues, includes two past medium severity CVEs related to Improper Access Control and CSRF, suggesting a pattern of past security weaknesses that require ongoing vigilance.",[296,298,300,303,305],{"reason":297,"points":153},"6 AJAX handlers without authentication checks",{"reason":299,"points":194},"3 Taint flows with unsanitized paths",{"reason":301,"points":302},"Past medium severity CVEs (Improper Access Control, CSRF)",10,{"reason":304,"points":231},"Output escaping only 59% properly escaped",{"reason":306,"points":266},"Only 3 capability checks for 6 entry points","2026-03-16T17:46:06.954Z",{"wat":309,"direct":318},{"assetPaths":310,"generatorPatterns":313,"scriptPaths":314,"versionParams":315},[311,312],"\u002Fwp-content\u002Fplugins\u002Fclickcease-click-fraud-protection\u002Fclickcease-script.js","\u002Fwp-content\u002Fplugins\u002Fclickcease-click-fraud-protection\u002Fclickcease-styles.css",[],[311],[316,317],"clickcease-click-fraud-protection\u002Fclickcease-script.js?ver=","clickcease-click-fraud-protection\u002Fclickcease-styles.css?ver=",{"cssClasses":319,"htmlComments":321,"htmlAttributes":331,"restEndpoints":336,"jsGlobals":337,"shortcodeOutput":340},[320],"clickcease-container",[322,323,324,325,326,327,328,329,330],"\u003C!-- Clickcease - Click Fraud Protection -->","\u003C!-- Clickcease JS Script Start -->","\u003C!-- Clickcease JS Script End -->","\u003C!-- Clickcease CSS Script Start -->","\u003C!-- Clickcease CSS Script End -->","\u003C!-- Clickcease NoScript Tag Start -->","\u003C!-- Clickcease NoScript Tag End -->","\u003C!-- Clickcease iframe NoScript Tag Start -->","\u003C!-- Clickcease iframe NoScript Tag End -->",[332,333,334,335],"data-clickcease-id","data-clickcease-domain","data-clickcease-key","data-clickcease-api",[],[338,339],"clickcease_ajax_object","clickcease_wp_params",[]]