[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fV07J4vhihSaTYTGZIXNjHX6Fn7JSNZO7D9a0t9Tm-IU":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":19,"download_link":20,"security_score":21,"vuln_count":13,"unpatched_count":13,"last_vuln_date":22,"fetched_at":23,"vulnerabilities":24,"developer":25,"crawl_stats":22,"alternatives":32,"analysis":33,"fingerprints":233},"connect","App Connect","0.1-dev","Ryan McCue","https:\u002F\u002Fprofiles.wordpress.org\u002Frmccue\u002F","\u003Cp>Connect apps to your WordPress site.\u003C\u002Fp>\n\u003Cp>App Connect includes code from \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWP-API\u002FOAuth2\" rel=\"nofollow ugc\">OAuth 2.0 for WordPress\u003C\u002Fa>. OAuth 2.0 for WordPress is copyright 2018 the contributors. See \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWP-API\u002FOAuth2\u002Fgraphs\u002Fcontributors\" rel=\"nofollow ugc\">the full list of contributors\u003C\u002Fa> for further details.\u003C\u002Fp>\n","Connect apps to your WordPress site. 
Ssshh, this plugin is still in pre-release, keep it just to yourself for now.",10,2115,0,"2018-09-18T10:07:00.000Z","4.9.29","4.9","5.4.0",[],"https:\u002F\u002Fapps.wp-api.org\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fconnect.zip",85,null,"2026-03-15T15:16:48.613Z",[],{"slug":26,"display_name":7,"profile_url":8,"plugin_count":27,"total_installs":28,"avg_security_score":21,"avg_patch_time_days":29,"trust_score":30,"computed_at":31},"rmccue",4,10190,30,84,"2026-04-05T12:04:56.033Z",[],{"attackSurface":34,"codeSignals":104,"taintFlows":149,"riskAssessment":222,"analyzedAt":232},{"hooks":35,"ajaxHandlers":87,"restRoutes":88,"shortcodes":101,"cronEvents":102,"entryPointCount":103,"unprotectedCount":103},[36,42,47,51,54,57,60,63,67,70,73,76,78,80,82,84],{"type":37,"name":38,"callback":39,"file":40,"line":41},"action","rest_index","anonymous","inc\\namespace.php",26,{"type":43,"name":44,"callback":39,"priority":45,"file":40,"line":46},"filter","oauth2.redirect_args.authorized",5,27,{"type":37,"name":48,"callback":39,"file":49,"line":50},"show_user_profile","oauth2\\inc\\admin\\profile\\namespace.php",16,{"type":37,"name":52,"callback":39,"file":49,"line":53},"edit_user_profile",17,{"type":37,"name":55,"callback":39,"file":49,"line":56},"all_admin_notices",18,{"type":37,"name":58,"callback":39,"priority":11,"file":49,"line":59},"personal_options_update",19,{"type":37,"name":61,"callback":39,"priority":11,"file":49,"line":62},"edit_user_profile_update",20,{"type":37,"name":55,"callback":64,"file":65,"line":66},"closure","oauth2\\inc\\admin\\profile\\personaltokens\\namespace.php",83,{"type":37,"name":68,"callback":39,"file":69,"line":11},"init","oauth2\\inc\\namespace.php",{"type":43,"name":71,"callback":39,"priority":72,"file":69,"line":72},"determine_current_user",11,{"type":43,"name":74,"callback":39,"file":69,"line":75},"rest_authentication_errors",14,{"type":43,"name":38,"callback":39,"file":69,"line":77},15,{"type":37,"name":79,"callback":39,"
file":69,"line":50},"rest_api_init",{"type":43,"name":81,"callback":39,"priority":13,"file":69,"line":59},"oauth2.grant_types",{"type":37,"name":68,"callback":39,"file":69,"line":83},22,{"type":37,"name":85,"callback":39,"file":69,"line":86},"admin_menu",23,[],[89,96],{"namespace":90,"route":91,"methods":92,"callback":94,"permissionCallback":22,"file":95,"line":77},"oauth2","\u002Faccess_token",[93],"POST","exchange_token","oauth2\\inc\\endpoints\\class-token.php",{"namespace":90,"route":97,"methods":98,"callback":39,"permissionCallback":22,"file":100,"line":53},"\u002Fauthorize",[99],"GET","oauth2\\inc\\endpoints\\namespace.php",[],[],2,{"dangerousFunctions":105,"sqlUsage":106,"outputEscaping":109,"fileOperations":13,"externalRequests":107,"nonceChecks":11,"capabilityChecks":147,"bundledLibraries":148},[],{"prepared":107,"raw":13,"locations":108},1,[],{"escaped":110,"rawEcho":50,"locations":111},58,[112,116,118,120,122,124,126,128,130,132,134,136,138,140,142,145],{"file":113,"line":114,"context":115},"oauth2\\inc\\admin\\namespace.php",116,"raw output",{"file":113,"line":117,"context":115},123,{"file":113,"line":119,"context":115},125,{"file":113,"line":121,"context":115},349,{"file":113,"line":123,"context":115},358,{"file":113,"line":125,"context":115},366,{"file":113,"line":127,"context":115},379,{"file":113,"line":129,"context":115},399,{"file":113,"line":131,"context":115},415,{"file":49,"line":133,"context":115},150,{"file":49,"line":135,"context":115},151,{"file":49,"line":137,"context":115},154,{"file":49,"line":139,"context":115},170,{"file":49,"line":141,"context":115},173,{"file":143,"line":144,"context":115},"oauth2\\theme\\oauth2-authorize.php",73,{"file":143,"line":146,"context":115},114,9,[],[150,174,190,211],{"entryPoint":151,"graph":152,"unsanitizedCount":107,"severity":173},"handle_connect 
(inc\\namespace.php:155)",{"nodes":153,"edges":169},[154,159,163],{"id":155,"type":156,"label":157,"file":40,"line":158},"n0","source","$_GET",165,{"id":160,"type":161,"label":162,"file":40,"line":158},"n1","transform","→ validate_request_with_broker()",{"id":164,"type":165,"label":166,"file":40,"line":167,"wp_function":168},"n2","sink","wp_remote_get() [SSRF]",227,"wp_remote_get",[170,172],{"from":155,"to":160,"sanitized":171},false,{"from":160,"to":164,"sanitized":171},"medium",{"entryPoint":175,"graph":176,"unsanitizedCount":103,"severity":173},"\u003Cnamespace> (inc\\namespace.php:0)",{"nodes":177,"edges":186},[178,180,181,182,184],{"id":155,"type":156,"label":157,"file":40,"line":179},156,{"id":160,"type":165,"label":166,"file":40,"line":167,"wp_function":168},{"id":164,"type":156,"label":157,"file":40,"line":158},{"id":183,"type":161,"label":162,"file":40,"line":158},"n3",{"id":185,"type":165,"label":166,"file":40,"line":167,"wp_function":168},"n4",[187,188,189],{"from":155,"to":160,"sanitized":171},{"from":164,"to":183,"sanitized":171},{"from":183,"to":185,"sanitized":171},{"entryPoint":191,"graph":192,"unsanitizedCount":107,"severity":173},"\u003Cnamespace> (oauth2\\inc\\admin\\profile\\personaltokens\\namespace.php:0)",{"nodes":193,"edges":206},[194,197,201,203,205],{"id":155,"type":156,"label":195,"file":65,"line":196},"$_REQUEST",38,{"id":160,"type":165,"label":198,"file":65,"line":199,"wp_function":200},"echo() [XSS]",188,"echo",{"id":164,"type":156,"label":195,"file":65,"line":202},174,{"id":183,"type":161,"label":204,"file":65,"line":202},"→ render_create_success()",{"id":185,"type":165,"label":198,"file":65,"line":199,"wp_function":200},[207,209,210],{"from":155,"to":160,"sanitized":208},true,{"from":164,"to":183,"sanitized":171},{"from":183,"to":185,"sanitized":171},{"entryPoint":212,"graph":213,"unsanitizedCount":13,"severity":221},"\u003Coauth2-authorize> 
(oauth2\\theme\\oauth2-authorize.php:0)",{"nodes":214,"edges":219},[215,218],{"id":155,"type":156,"label":216,"file":143,"line":217},"$_SERVER (x2)",13,{"id":160,"type":165,"label":198,"file":143,"line":110,"wp_function":200},[220],{"from":155,"to":160,"sanitized":208},"low",{"summary":223,"deductions":224},"The \"connect\" v0.1-dev plugin exhibits a mixed security posture. On the positive side, its single SQL query uses a prepared statement, and 78% of output sites (58 of 74) are escaped; the 16 raw echo sites are concentrated in oauth2\\inc\\admin\\namespace.php, oauth2\\inc\\admin\\profile\\namespace.php and the oauth2-authorize.php theme template. The absence of recorded vulnerabilities should not be read as evidence of a hardened codebase: with roughly 10 active installs, a 0.1-dev version string, and no release since 2018-09-18 (tested up to WordPress 4.9.29), the more likely explanation is that the code has received little scrutiny and is effectively unmaintained. Because it ships a vendored copy of the WP-API OAuth2 library, any fix landed upstream after that date is not reflected here.\n\nThe static analysis found 2 REST routes, both registered with a null permission callback: POST oauth2/access_token (exchange_token) and GET oauth2/authorize. For an OAuth 2.0 server these endpoints are reachable without a prior WordPress session by design, so the finding is not in itself a vulnerability; the controls that matter live inside the handlers (client and redirect URI validation, authorization-code and grant verification, and user authentication at the consent step), which this analysis does not evaluate. Intentionally public routes should still declare an explicit permission callback so the intent is auditable rather than implied by omission. Three taint flows carry unsanitized input: $_GET reaching wp_remote_get() through validate_request_with_broker() in inc\\namespace.php (reported twice, once for handle_connect and once at file scope; a server-side request forgery candidate if the fetched URL is attacker-influenced), and $_REQUEST reaching echo via render_create_success() in the personal-tokens admin page (a reflected XSS candidate, albeit on an admin screen). A fourth path, $_SERVER values echoed in the authorize template, is marked sanitized by the analyzer. None is rated above medium, but the SSRF and XSS candidates warrant manual confirmation. The 11 nonce checks and 9 capability checks elsewhere show the authors were aware of WordPress hardening conventions.\n\nIn conclusion, the plugin's risk is driven less by the public OAuth endpoints than by its abandoned state and the unreviewed SSRF and XSS candidates. 
The plugin's current state is moderately risky; anyone still running it should verify the two medium flows and plan a migration, since no upstream fix should be expected.",[225,227,229],{"reason":226,"points":11},"Unprotected REST API routes",{"reason":228,"points":45},"Flows with unsanitized paths",{"reason":230,"points":231},"Low version number indicating potential immaturity",3,"2026-03-17T00:27:47.136Z",{"wat":234,"direct":240},{"assetPaths":235,"generatorPatterns":236,"scriptPaths":237,"versionParams":239},[],[],[238],"\u002Fwp-content\u002Fplugins\u002Fconnect\u002Foauth2\u002Fplugin.php",[],{"cssClasses":241,"htmlComments":242,"htmlAttributes":243,"restEndpoints":244,"jsGlobals":247,"shortcodeOutput":248},[],[],[],[245,246],"\u002Fwp-json\u002Foauth2\u002Faccess_token","\u002Fwp-json\u002Foauth2\u002Fauthorize",[90],[]]