[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6SArg0M09_fenhwJFkDKvFGi5k1tQjEJ9NN5GSPbFyI":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":18,"download_link":20,"security_score":21,"vuln_count":22,"unpatched_count":23,"last_vuln_date":24,"fetched_at":25,"vulnerabilities":26,"developer":54,"crawl_stats":32,"alternatives":61,"analysis":62,"fingerprints":104},"codepen-embedded-pen-shortcode","CodePen Embedded Pens Shortcode","1.0.3","Chris Coyier","https:\u002F\u002Fprofiles.wordpress.org\u002Fchriscoyier\u002F","\u003Cp>Allows the use of a special shortcode \u003Ccode>[codepen_embed]\u003C\u002Fcode> for embedding Pens from \u003Ca href=\"https:\u002F\u002Fcodepen.io\" rel=\"nofollow ugc\">CodePen\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>You can learn more about CodePen \u003Ca href=\"http:\u002F\u002Fcodepen.io\u002Fhello\" rel=\"nofollow ugc\">here\u003C\u002Fa> and about this plugin \u003Ca href=\"https:\u002F\u002Fblog.codepen.io\u002Fdocumentation\u002Ffeatures\u002Fwordpress-plugin\u002F\" rel=\"nofollow ugc\">here\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>Basic Usage\u003C\u002Fh3>\n\u003Cpre>\u003Ccode>[codepen_embed height=300 theme_id=1 slug_hash='jwGBh' user='arasdesign' default_tab='html' animations='run']\n  See the Pen \u003Ca href='https:\u002F\u002Fcodepen.io\u002Farasdesign\u002Fpen\u002FjwGBh'>Flat minion\u003C\u002Fa> by Amin Poursaied (\u003Ca href='https:\u002F\u002Fcodepen.io\u002Farasdesign'>@arasdesign\u003C\u002Fa>) on \u003Ca href='https:\u002F\u002Fcodepen.io'>CodePen\u003C\u002Fa>\n[\u002Fcodepen_embed]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>The Point\u003C\u002Fh3>\n\u003Col>\n\u003Cli>\n\u003Cp>You can use shortcodes in the “Visual” editor. 
CodePen Embeds are copy-and-paste HTML that don’t work when using the editor that way. If you ever use the Visual editor in WordPress, you’ll probably want to use this plugin.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>You can set a default theme, or override any theme set via Shortcode attribute.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Hopefully eventually this plugin will have more functionality. Like have a fancy UI for picking Pens to embed and more control over the HTML output.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Fol>\n","Allows the use of a special shortcode [codepen_embed] for embedding Pens from CodePen.",900,32606,86,6,"2024-10-01T17:43:00.000Z","6.6.5","2.6","",[],"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcodepen-embedded-pen-shortcode.zip",91,2,0,"2024-10-24 00:00:00","2026-03-15T15:16:48.613Z",[27,42],{"id":28,"url_slug":29,"title":30,"description":31,"plugin_slug":4,"theme_slug":32,"affected_versions":33,"patched_in_version":6,"severity":34,"cvss_score":35,"cvss_vector":36,"vuln_type":37,"published_date":24,"updated_date":38,"references":39,"days_to_patch":41},"CVE-2024-50440","codepen-embedded-pens-shortcode-authenticated-contributor-stored-cross-site-scripting","CodePen Embedded Pens Shortcode \u003C= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting","The CodePen Embedded Pens Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",null,"\u003C=1.0.2","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2024-10-31 09:22:28",[40],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F04325ba9-73d1-403a-a0be-fbb9eb3aaff9?source=api-prod",7,{"id":43,"url_slug":44,"title":45,"description":46,"plugin_slug":4,"theme_slug":32,"affected_versions":47,"patched_in_version":48,"severity":34,"cvss_score":35,"cvss_vector":36,"vuln_type":37,"published_date":49,"updated_date":50,"references":51,"days_to_patch":53},"CVE-2024-37960","codepen-embedded-pens-shortcode-authenticated-contributor-stored-cross-site-scripting-2","CodePen Embedded Pens Shortcode \u003C= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting","The CodePen Embedded Pens Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","\u003C=1.0.0","1.0.1","2024-07-10 00:00:00","2024-07-19 14:11:45",[52],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc27f566a-913e-498e-90bb-113692b74612?source=api-prod",10,{"slug":55,"display_name":7,"profile_url":8,"plugin_count":22,"total_installs":56,"avg_security_score":57,"avg_patch_time_days":58,"trust_score":59,"computed_at":60},"chriscoyier",1600,85,9,84,"2026-04-05T21:50:27.855Z",[],{"attackSurface":63,"codeSignals":84,"taintFlows":92,"riskAssessment":93,"analyzedAt":103},{"hooks":64,"ajaxHandlers":75,"restRoutes":76,"shortcodes":77,"cronEvents":82,"entryPointCount":83,"unprotectedCount":23},[65,71],{"type":66,"name":67,"callback":68,"file":69,"line":70},"action","admin_menu","add_cp_embed_options_page","codepen.php",89,{"type":66,"name":72,"callback":73,"file":69,"line":74},"admin_init","page_init",90,[],[],[78],{"tag":79,"callback":80,"file":69,"line":81},"codepen_embed","createCodePenEmbed",76,[],1,{"dangerousFunctions":85,"sqlUsage":86,"outputEscaping":88,"fileOperations":23,"externalRequests":23,"nonceChecks":23,"capabilityChecks":23,"bundledLibraries":91},[],{"prepared":23,"raw":23,"locations":87},[],{"escaped":89,"rawEcho":23,"locations":90},8,[],[],[],{"summary":94,"deductions":95},"The \"codepen-embedded-pen-shortcode\" plugin version 1.0.3 exhibits a mixed security posture. On the positive side, static analysis reveals excellent coding practices in several areas. There are no detected dangerous functions, all SQL queries utilize prepared statements, and all detected outputs are properly escaped. Furthermore, there are no file operations or external HTTP requests, which minimizes potential attack vectors.
The plugin also has a very small attack surface with only one shortcode and no AJAX handlers or REST API routes exposed without authentication.\n\nHowever, a significant concern arises from its vulnerability history. The plugin has two known medium-severity vulnerabilities, both related to Cross-Site Scripting (XSS). The fact that these vulnerabilities exist, even if currently unpatched, indicates potential weaknesses in how user-supplied data is handled. The absence of nonce checks and capability checks, while acceptable for a plugin with a minimal attack surface and no apparent direct user input handling that requires strict authorization, could become a problem if the plugin's functionality or input handling were to evolve.\n\nIn conclusion, while the current version of \"codepen-embedded-pen-shortcode\" demonstrates strong secure coding principles in its static analysis, its past XSS vulnerabilities are a notable weakness. Users should be aware of this history and ensure they are running the latest patched version if available, or consider the potential for future vulnerabilities if the plugin's development does not adequately address past issues. 
The lack of specific authorization checks on its single entry point is a minor concern given its current limited functionality.",[96,98,101],{"reason":97,"points":53},"2 known medium vulnerabilities (XSS)",{"reason":99,"points":100},"0 nonce checks",5,{"reason":102,"points":100},"0 capability checks","2026-03-16T19:13:31.393Z",{"wat":105,"direct":111},{"assetPaths":106,"generatorPatterns":107,"scriptPaths":108,"versionParams":110},[],[],[109],"https:\u002F\u002Fcpwebassets.codepen.io\u002Fassets\u002Fembed\u002Fei.js",[],{"cssClasses":112,"htmlComments":114,"htmlAttributes":115,"restEndpoints":124,"jsGlobals":125,"shortcodeOutput":126},[113],"codepen",[],[116,117,118,119,120,121,122,123],"data-height","data-theme-id","data-slug-hash","data-default-tab","data-animations","data-editable","data-embed-version","data-preview",[],[],[127,128],"\u003Cp class='codepen'","The content of the shortcode is escaped HTML and stripped of tags, so it's safe to render directly."]