[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fEzASOgRjVUHQiTDRU4e2xkTC2udMka7oTkflD-80Qv0":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":23,"download_link":24,"security_score":25,"vuln_count":26,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28,"vulnerabilities":29,"developer":61,"crawl_stats":35,"alternatives":69,"analysis":176,"fingerprints":277},"connector-civicrm-mcrestface","Connector to CiviCRM with CiviMcRestFace","1.0.12","Jaap Jansma","https:\u002F\u002Fprofiles.wordpress.org\u002Fjaapjansma\u002F","\u003Cp>This plugin provides a connector to connect to a local or remote CiviCRM. This connector can then be reused by other plugins such as the \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcf-civicrm-formprocessor\u002F\" rel=\"ugc\">Integration of CiviCRM’s Form Processor with Caldera Forms\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Configuration\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Configuration can be done under \u003Cstrong>Settings > CiviCRM McRestFace Connections\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Plugins using the CiviCRM McRestFace Connector\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcf-civicrm-formprocessor\u002F\" rel=\"ugc\">Integration of CiviCRM’s Form Processor with Caldera Forms\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Funded by\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fartfulrobot.uk\" rel=\"nofollow ugc\">Artfulrobot\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.civicoop.org\" rel=\"nofollow ugc\">CiviCooP\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca 
href=\"https:\u002F\u002Fciviservice.de\u002F\" rel=\"nofollow ugc\">Civiservice.de GmbH\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.soziokultur.de\u002F\" rel=\"nofollow ugc\">Bundesverband Soziokultur e.V.\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.article19.org\u002F\" rel=\"nofollow ugc\">Article 19\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n","Provides an API connector to a local or remote CiviCRM installation. This connector could be used by other plugins. Funded by Artfulrobot, CiviCoop, c &hellip;",200,5514,0,"2025-06-17T09:59:00.000Z","6.4.8","5.2","7.2",[19,20,21,22],"api","civicrm","connector","rest","https:\u002F\u002Fgithub.com\u002FCiviMRF\u002Fcivimcrestface-wordpress","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fconnector-civicrm-mcrestface.1.0.12.zip",98,2,"2025-04-09 00:00:00","2026-03-15T15:16:48.613Z",[30,46],{"id":31,"url_slug":32,"title":33,"description":34,"plugin_slug":4,"theme_slug":35,"affected_versions":36,"patched_in_version":37,"severity":38,"cvss_score":39,"cvss_vector":40,"vuln_type":41,"published_date":27,"updated_date":42,"references":43,"days_to_patch":45},"CVE-2025-32551","connector-to-civicrm-with-civimcrestface-reflected-cross-site-scripting","Connector to CiviCRM with CiviMcRestFace \u003C= 1.0.8 - Reflected Cross-Site Scripting","The Connector to CiviCRM with CiviMcRestFace plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",null,"\u003C=1.0.8","1.0.9","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2025-05-21 13:45:26",[44],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3708ce44-987f-4e73-b1cb-899349c8e0d4?source=api-prod",43,{"id":47,"url_slug":48,"title":49,"description":50,"plugin_slug":4,"theme_slug":35,"affected_versions":51,"patched_in_version":52,"severity":38,"cvss_score":53,"cvss_vector":54,"vuln_type":55,"published_date":56,"updated_date":57,"references":58,"days_to_patch":60},"CVE-2025-31618","connector-to-civicrm-with-civimcrestface-missing-authorization","Connector to CiviCRM with CiviMcRestFace \u003C= 1.0.10 - Missing Authorization","The Connector to CiviCRM with CiviMcRestFace plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.0.10. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","\u003C=1.0.10","1.0.11",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2025-03-31 00:00:00","2025-06-18 16:28:31",[59],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4bb9f98e-c223-4ee4-a2da-b1a62d995410?source=api-prod",80,{"slug":62,"display_name":7,"profile_url":8,"plugin_count":63,"total_installs":64,"avg_security_score":65,"avg_patch_time_days":66,"trust_score":67,"computed_at":68},"jaapjansma",6,540,91,62,82,"2026-04-05T01:56:34.297Z",[70,90,109,134,156],{"slug":71,"name":72,"version":73,"author":74,"author_profile":75,"description":76,"short_description":77,"active_installs":13,"downloaded":78,"rating":13,"num_ratings":13,"last_updated":79,"tested_up_to":80,"requires_at_least":81,"requires_php":82,"tags":83,"homepage":87,"download_link":88,"security_score":89,"vuln_count":13,"unpatched_count":13,"last_vuln_date":35,"fetched_at":28},"brillocraft-connector","Brillocraft Connector","1.0.0","Brillocraft","https:\u002F\u002Fprofiles.wordpress.org\u002Fbrillocraft\u002F","\u003Cp>Brillocraft Connector enables secure communication between your WooCommerce store and the Brillocraft mobile app builder.\u003Cbr \u002F>\nThis plugin automatically provides the REST API endpoints required for:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Customer login\u003C\u002Fli>\n\u003Cli>Password reset\u003C\u002Fli>\n\u003Cli>Account deletion\u003C\u002Fli>\n\u003Cli>Store verification (ping endpoint)\u003C\u002Fli>\n\u003Cli>WooCommerce connection onboarding\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>The plugin also bundles small helper components required for compatibility and automatically installs them when necessary.\u003C\u002Fp>\n\u003Ch3>Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Secure REST API endpoints for authentication\u003C\u002Fli>\n\u003Cli>Auto-installation of required helper 
plugins\u003C\u002Fli>\n\u003Cli>Store “ping” verification for onboarding\u003C\u002Fli>\n\u003Cli>WooCommerce-ready OAuth support (connection initiated from Brillocraft dashboard)\u003C\u002Fli>\n\u003Cli>Lightweight and optimized — no frontend scripts added\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>License\u003C\u002Fh3>\n\u003Cp>This plugin is licensed under the GPLv2.\u003Cbr \u002F>\nSee license.txt for full terms.\u003C\u002Fp>\n","A secure connector plugin that enables WooCommerce stores to integrate with the Brillocraft mobile app builder platform.",124,"2025-12-15T12:31:00.000Z","6.9.4","5.0","7.4",[21,84,85,86],"mobile-app","rest-api","woocommerce","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbrillocraft-connector.zip",100,{"slug":91,"name":92,"version":93,"author":94,"author_profile":95,"description":96,"short_description":97,"active_installs":98,"downloaded":99,"rating":100,"num_ratings":101,"last_updated":102,"tested_up_to":87,"requires_at_least":103,"requires_php":82,"tags":104,"homepage":106,"download_link":107,"security_score":108,"vuln_count":13,"unpatched_count":13,"last_vuln_date":35,"fetched_at":28},"woocommerce-legacy-rest-api","WooCommerce Legacy REST API","1.0.5","Automattic","https:\u002F\u002Fprofiles.wordpress.org\u002Fautomattic\u002F","\u003Cp>\u003Ca href=\"https:\u002F\u002Fdeveloper.woocommerce.com\u002F2023\u002F10\u002F03\u002Fthe-legacy-rest-api-will-move-to-a-dedicated-extension-in-woocommerce-9-0\u002F\" rel=\"nofollow ugc\">The Legacy REST API will no longer be part of WooCommerce as of version 9.0\u003C\u002Fa>. This plugin restores the full functionality of the removed Legacy REST API code in WooCommerce 9.0 and later versions.\u003C\u002Fp>\n\u003Cp>For all intents and purposes, having this plugin installed and active in WooCommerce 9.0 and newer versions is equivalent to enabling the Legacy REST API in WooCommerce 8.9 and older versions (via WooCommerce – Settings – Advanced – Legacy API). 
All the endpoints work the same way, and existing user keys also continue working.\u003C\u002Fp>\n\u003Cp>On the other hand, installing this plugin together with WooCommerce 8.9 or an older version is safe: the plugin detects that the Legacy REST API is still part of WooCommerce and doesn’t initialize itself as to not interfere with the built-in code.\u003C\u002Fp>\n\u003Cp>Please note that \u003Cstrong>the Legacy REST API is not compatible with \u003Ca href=\"https:\u002F\u002Fwoocommerce.com\u002Fdocument\u002Fhigh-performance-order-storage\u002F\" rel=\"nofollow ugc\">High-Performance Order Storage\u003C\u002Fa>\u003C\u002Fstrong>. Upgrading the code that relies on the Legacy REST API to use the current WooCommerce REST API instead is highly recommended.\u003C\u002Fp>\n","The WooCommerce Legacy REST API, which is now part of WooCommerce itself but will be removed in WooCommerce 9.0.",400000,2304709,30,27,"2025-01-23T18:59:00.000Z","6.2",[85,105,86],"woo","https:\u002F\u002Fgithub.com\u002Fwoocommerce\u002Fwoocommerce-legacy-rest-api","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocommerce-legacy-rest-api.1.0.5.zip",92,{"slug":110,"name":111,"version":112,"author":113,"author_profile":114,"description":115,"short_description":116,"active_installs":117,"downloaded":118,"rating":119,"num_ratings":120,"last_updated":121,"tested_up_to":80,"requires_at_least":122,"requires_php":123,"tags":124,"homepage":87,"download_link":130,"security_score":131,"vuln_count":132,"unpatched_count":13,"last_vuln_date":133,"fetched_at":28},"advanced-access-manager","Advanced Access Manager – Access Governance for WordPress","7.1.0","AAM Plugin","https:\u002F\u002Fprofiles.wordpress.org\u002Fvasyltech\u002F","\u003Cp>\u003Cstrong>Advanced Access Manager (AAM)\u003C\u002Fstrong> introduces \u003Cstrong>Access Governance for WordPress\u003C\u002Fstrong> – a systematic approach to securing your site by controlling who can access what, when, and 
why.\u003C\u002Fp>\n\u003Cp>Most WordPress security plugins focus on external threats like malware, firewalls, and brute-force attacks. AAM addresses the \u003Cstrong>root cause of the #1 WordPress security risk: broken access controls, excessive privileges, and misconfigured roles\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>Instead of reacting to attacks, AAM helps you \u003Cstrong>design security into your WordPress site\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Ch4>What Access Governance means in practice\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Mitigate Broken Access Controls\u003C\u002Fstrong>. Ensure roles, users, and permissions are correctly configured to prevent unauthorized actions and privilege escalation.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Eliminate Excessive Privileges\u003C\u002Fstrong>. Identify overpowered users and reduce access to critical functionality, admin areas, and APIs.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Secure Content by Design\u003C\u002Fstrong>. Control who can view, edit, publish, or delete posts, pages, media, taxonomies, and custom content types.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Govern Access with Policy\u003C\u002Fstrong>. Define access rules using JSON Access Policies — portable, auditable, and automation-friendly.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Build Custom Security Logic\u003C\u002Fstrong>. Use the AAM PHP Framework to create advanced, programmatic access controls tailored to your application.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Key Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Security Audit\u003C\u002Fstrong>. Detect risky role assignments, misconfigurations, and compromised accounts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Granular Access Control\u003C\u002Fstrong>. Manage permissions for any user, role, or visitor with precision.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Role & Capability Management\u003C\u002Fstrong>. 
Customize WordPress roles and capabilities beyond defaults.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Admin & Menu Control\u003C\u002Fstrong>. Restrict dashboard areas and tailor the admin experience per user or role.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>API & Endpoint Protection\u003C\u002Fstrong>. Secure REST and XML-RPC access with fine-grained controls.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Modern Authentication Options\u003C\u002Fstrong>. Support passwordless and secure login flows.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer-Ready Framework\u003C\u002Fstrong>. Extend WordPress security using AAM’s powerful SDK.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Ad-Free & Transparent\u003C\u002Fstrong>. – No ads, no tracking, no bloat.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Built for Security-Conscious WordPress Users\u003C\u002Fh4>\n\u003Cp>AAM is trusted by \u003Cstrong>150,000+ websites\u003C\u002Fstrong> to deliver enterprise-grade access control without unnecessary complexity. Whether you’re a site owner, agency, developer, or security professional, AAM gives you \u003Cstrong>full control over WordPress access — by design\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>Most core features are free. Advanced capabilities are available via premium add-ons.\u003C\u002Fp>\n\u003Cp>No hidden tracking. No data collection. No unwanted changes.\u003Cbr \u002F>\nJust \u003Cstrong>security you can reason about, audit, and trust\u003C\u002Fstrong>.\u003C\u002Fp>\n","Access Governance for WordPress. 
Control roles, users, content, admin areas, and APIs to prevent broken access controls and excessive privileges.",100000,7384389,84,420,"2026-03-08T15:53:00.000Z","5.8.0","5.6.0",[125,126,127,128,129],"access-governance","api-security","restricted-content","security","user-roles","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-access-manager.7.1.0.zip",95,11,"2024-03-20 00:00:00",{"slug":135,"name":136,"version":137,"author":138,"author_profile":139,"description":140,"short_description":141,"active_installs":142,"downloaded":143,"rating":144,"num_ratings":145,"last_updated":146,"tested_up_to":147,"requires_at_least":148,"requires_php":149,"tags":150,"homepage":153,"download_link":154,"security_score":155,"vuln_count":13,"unpatched_count":13,"last_vuln_date":35,"fetched_at":28},"disable-json-api","Disable REST API","1.8","Dave McHale","https:\u002F\u002Fprofiles.wordpress.org\u002Fdmchale\u002F","\u003Cp>The most comprehensive plugin for controlling access to the WordPress REST API!\u003C\u002Fp>\n\u003Cp>Works as a “set it and forget it” install. Just upload and activate, and the entire REST API will be inaccessible to your general site visitors.\u003C\u002Fp>\n\u003Cp>But if you do need to grant access to some endpoints, you can do that too. Go to the Settings page and you can quickly whitelist individual endpoints (or entire branches of endpoints) in the REST API.\u003C\u002Fp>\n\u003Cp>You can even do this on a per-user-role basis, so your unauthenticated users have one set of rules while WooCommerce customers have another while Subscribers and Editors and Admins all have their own. NOTE: Out of the box, all defined user roles will still be granted full access to the REST API until you choose to manage those settings.\u003C\u002Fp>\n\u003Cp>For most versions of WordPress, this plugin will return an authentication error if a user is not allowed to access an endpoint. 
For legacy support, WordPress 4.4, 4.5, and 4.6 use the provided \u003Ccode>rest_enabled\u003C\u002Fcode> filter to disable the entire REST API.\u003C\u002Fp>\n","Disable the use of the REST API on your website to site users. Now with User Role support!",90000,753897,96,38,"2023-09-14T00:26:00.000Z","6.3.8","4.9","5.6",[151,19,152,22,85],"admin","json","http:\u002F\u002Fwww.binarytemplar.com\u002Fdisable-json-api","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdisable-json-api.zip",85,{"slug":157,"name":158,"version":159,"author":160,"author_profile":161,"description":162,"short_description":163,"active_installs":164,"downloaded":165,"rating":166,"num_ratings":167,"last_updated":168,"tested_up_to":80,"requires_at_least":81,"requires_php":17,"tags":169,"homepage":87,"download_link":172,"security_score":173,"vuln_count":174,"unpatched_count":13,"last_vuln_date":175,"fetched_at":28},"integromat-connector","Make Connector","1.6.6","Make","https:\u002F\u002Fprofiles.wordpress.org\u002Fintegromat\u002F","\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.make.com\u002Fen?utm_source=wordpress&utm_medium=partner&utm_campaign=wordpress-partner-make\" rel=\"nofollow ugc\">Make\u003C\u002Fa> is a visual platform that lets you design, build, and automate anything – from simple tasks to complex workflows – in minutes. With Make, you can send information between WordPress and thousands of apps to drive traffic and improve sales potential. 
It’s fast and easy to use, visually intuitive and requires zero coding expertise.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Here are some of the ways to use WordPress with Make:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Add new WordPress users to your CRM and marketing tools, like Salesforce, ActiveCampaign, or Mailchimp\u003C\u002Fli>\n\u003Cli>Create new WordPress posts from incoming webhook data, Google Forms responses, or FreeScout conversations\u003C\u002Fli>\n\u003Cli>Share your WordPress posts on Facebook, Pinterest, or other social media platforms\u003C\u002Fli>\n\u003Cli>Send a message about new WordPress posts to messaging apps, like Slack, Telegram, or Microsoft Teams\u003C\u002Fli>\n\u003Cli>Create database items from your WordPress posts in Notion, MySQL, or any other database app\u003C\u002Fli>\n\u003Cli>Or choose a \u003Ca href=\"https:\u002F\u002Fwww.make.com\u002Fen\u002Ftemplates?utm_source=wordpress&utm_medium=partner&utm_campaign=wordpress-partner-program\" rel=\"nofollow ugc\">template\u003C\u002Fa> to help you get started. \u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>How to get started:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.make.com\u002Fen\u002Fregister?utm_source=wordpress&utm_medium=partner&utm_campaign=wordpress-partner-program\" rel=\"nofollow ugc\">Sign up for Make\u003C\u002Fa>, and enjoy a free account forever. Or, choose a monthly or yearly plan with advanced features.\u003C\u002Fli>\n\u003Cli>Check \u003Ca href=\"https:\u002F\u002Fwww.make.com\u002Fen\u002Fhelp\u002Fapps\u002Fwebsite-building\u002Fwordpress#connecting-wordpress-to-make-968742?utm_source=wordpress&utm_medium=partner&utm_campaign=wordpress-partner-program\" rel=\"nofollow ugc\">Make’s documentation on how to connect WordPress\u003C\u002Fa>. 
\u003C\u002Fli>\n\u003Cli>Install the plugin, and \u003Ca href=\"https:\u002F\u002Fwww.make.com\u002Fen\u002Fintegrations\u002Fwordpress?utm_source=wordpress&utm_medium=partner&utm_campaign=wordpress-partner-program\" rel=\"nofollow ugc\">start building WordPress integrations on Make\u003C\u002Fa>.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Get help from \u003Ca href=\"https:\u002F\u002Fwww.make.com\u002Fen\u002Fticket?utm_source=wordpress&utm_medium=partner&utm_campaign=wordpress-partner-program\" rel=\"nofollow ugc\">Make’s Support\u003C\u002Fa> team.\u003Cbr \u002F>\nMake’s \u003Ca href=\"https:\u002F\u002Fwww.make.com\u002Fen\u002Fterms-and-conditions?utm_source=wordpress&utm_medium=partner&utm_campaign=wordpress-partner-make\" rel=\"nofollow ugc\">Terms of use\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Fwww.make.com\u002Fen\u002Fprivacy-notice?utm_source=wordpress&utm_medium=partner&utm_campaign=wordpress-partner-make\" rel=\"nofollow ugc\">Privacy policy\u003C\u002Fa>.\u003C\u002Fp>\n","Make Connector. 
Make lets you design, build, and automate by connecting with WordPress in just a few clicks.",80000,472783,54,25,"2026-02-09T10:29:00.000Z",[19,170,171,22,85],"integromat","make","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fintegromat-connector.1.6.6.zip",94,3,"2025-09-03 21:08:50",{"attackSurface":177,"codeSignals":205,"taintFlows":264,"riskAssessment":265,"analyzedAt":276},{"hooks":178,"ajaxHandlers":201,"restRoutes":202,"shortcodes":203,"cronEvents":204,"entryPointCount":13,"unprotectedCount":13},[179,185,188,193,197],{"type":180,"name":181,"callback":182,"file":183,"line":184},"action","admin_init","clear_cache","CMRF\\Wordpress\\Admin\\AdminPage.php",14,{"type":180,"name":186,"callback":186,"file":183,"line":187},"admin_menu",15,{"type":189,"name":190,"callback":190,"priority":191,"file":183,"line":192},"filter","plugin_action_links",10,16,{"type":180,"name":194,"callback":194,"file":195,"line":196},"init","wpcmrf.php",37,{"type":180,"name":198,"callback":199,"file":195,"line":200},"wpmu_new_blog","wpcmrf_new_blog",148,[],[],[],[],{"dangerousFunctions":206,"sqlUsage":207,"outputEscaping":232,"fileOperations":13,"externalRequests":13,"nonceChecks":13,"capabilityChecks":262,"bundledLibraries":263},[],{"prepared":208,"raw":191,"locations":209},4,[210,213,214,217,219,221,223,225,227,230],{"file":183,"line":211,"context":212},73,"$wpdb->get_results() with variable interpolation",{"file":183,"line":119,"context":212},{"file":183,"line":215,"context":216},104,"$wpdb->get_row() with variable interpolation",{"file":183,"line":218,"context":212},110,{"file":183,"line":220,"context":216},121,{"file":183,"line":222,"context":212},127,{"file":183,"line":224,"context":216},155,{"file":226,"line":211,"context":212},"CMRF\\Wordpress\\Core.php",{"file":228,"line":191,"context":229},"uninstall.php","$wpdb->query() with variable 
interpolation",{"file":228,"line":231,"context":229},12,{"escaped":233,"rawEcho":187,"locations":234},23,[235,238,239,241,243,244,246,248,250,253,254,256,257,259,261],{"file":236,"line":191,"context":237},"views\\calllog.php","raw output",{"file":236,"line":101,"context":237},{"file":236,"line":240,"context":237},28,{"file":236,"line":242,"context":237},29,{"file":236,"line":100,"context":237},{"file":236,"line":245,"context":237},31,{"file":236,"line":247,"context":237},32,{"file":236,"line":249,"context":237},33,{"file":251,"line":252,"context":237},"views\\form.php",13,{"file":251,"line":187,"context":237},{"file":255,"line":191,"context":237},"views\\profiles.php",{"file":255,"line":233,"context":237},{"file":255,"line":258,"context":237},24,{"file":255,"line":260,"context":237},26,{"file":255,"line":101,"context":237},1,[],[],{"summary":266,"deductions":267},"The plugin 'connector-civicrm-mcrestface' v1.0.12 exhibits a mixed security posture.  While the static analysis shows a remarkably small attack surface with no identified unprotected entry points (AJAX, REST API, shortcodes, cron), and no dangerous functions or file operations, there are concerning areas related to input sanitization and authorization.\n\nThe code analysis reveals that a significant portion of SQL queries (71%) are not using prepared statements, which is a major risk for SQL injection vulnerabilities. Furthermore, only 61% of output is properly escaped, leaving room for Cross-Site Scripting (XSS) attacks. The absence of any nonce checks is a significant security oversight, particularly for any potential, even if currently undetected, AJAX operations.\n\nThe vulnerability history is particularly worrying, with two medium-severity CVEs previously recorded for Cross-site Scripting and Missing Authorization. 
The fact that these vulnerabilities have been patched is positive, but the recurring nature of these common vulnerability types suggests a historical pattern of insecure coding practices that could resurface. The plugin's most recent recorded vulnerability was published in April 2025, before this analysis was run, and both recorded CVEs were fixed in releases (1.0.9 and 1.0.11) that predate the analyzed version. The route scan lists no REST routes, yet the fingerprint data for this plugin records a \u002Fwp-json\u002Fwpcmrf\u002F endpoint, so the entry-point count should be treated as possibly incomplete. Overall, the lack of identified vulnerabilities in the current static analysis is offset by the historical data and the identified weaknesses in SQL and output handling.",[268,270,272,274],{"reason":269,"points":187},"SQL queries not using prepared statements",{"reason":271,"points":231},"Output escaping is not properly handled",{"reason":273,"points":191},"Missing nonce checks",{"reason":275,"points":191},"Two past medium severity vulnerabilities","2026-03-16T20:31:11.228Z",{"wat":278,"direct":289},{"assetPaths":279,"generatorPatterns":286,"scriptPaths":287,"versionParams":288},[280,281,282,283,284,285],"\u002Fwp-content\u002Fplugins\u002Fconnector-civicrm-mcrestface\u002FCMRF\u002FWordpress\u002FCore.php","\u002Fwp-content\u002Fplugins\u002Fconnector-civicrm-mcrestface\u002FCMRF\u002FWordpress\u002FAdmin\u002FAdminPage.php","\u002Fwp-content\u002Fplugins\u002Fconnector-civicrm-mcrestface\u002FCMRF\u002FWordpress\u002FConnection\u002FCurl.php","\u002Fwp-content\u002Fplugins\u002Fconnector-civicrm-mcrestface\u002FCMRF\u002FWordpress\u002FConnection\u002FCurlAuthX.php","\u002Fwp-content\u002Fplugins\u002Fconnector-civicrm-mcrestface\u002FCMRF\u002FWordpress\u002FConnection\u002FLocal.php","\u002Fwp-content\u002Fplugins\u002Fconnector-civicrm-mcrestface\u002FCMRF\u002FWordpress\u002FCall.php",[],[],[],{"cssClasses":290,"htmlComments":291,"htmlAttributes":292,"restEndpoints":293,"jsGlobals":295,"shortcodeOutput":297},[],[],[],[294],"\u002Fwp-json\u002Fwpcmrf\u002F",[296],"wpcmrf_api",[]]