[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fSgHc2B4pKIiWhz95HnJEXdIIt3RX2G4T7C1SNwjYKBs":3,"$fe8EZtItPNOkadmRRLEJDitkOsW5KoCJxoiRv4P0Bqzs":186,"$fgdPso-nUyY-uOqS4T2rumesismghaP82ztI0lSCb9i8":190},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":11,"last_updated":13,"tested_up_to":14,"requires_at_least":15,"requires_php":16,"tags":17,"homepage":21,"download_link":22,"security_score":23,"vuln_count":11,"unpatched_count":11,"last_vuln_date":24,"fetched_at":25,"discovery_status":26,"vulnerabilities":27,"developer":28,"crawl_stats":24,"alternatives":35,"analysis":36,"fingerprints":160},"csvmapper","CSVMapper","1.0","Sorin Marta","https:\u002F\u002Fprofiles.wordpress.org\u002Fsorinmarta\u002F","\u003Cp>CSVMapper allows you to insert data from CSV files into your WordPress site. You can create posts, add user meta, add post meta, or even add data to database tables directly.\u003C\u002Fp>\n\u003Cp>You can add data through the upload wizard which doesn’t require any programming skills or manual data entry.\u003C\u002Fp>\n\u003Cp>You can simply map the fields to their CSV columns and press submit.\u003C\u002Fp>\n","Feed data from CSV files to the WordPress database. 
Create posts or add post meta, user meta or even add data to custom tables.",0,634,"2025-06-16T11:12:00.000Z","6.6.5","6.2","8.0",[18,19,20,4],"add-data-to-custom-tables-from-csv","create-posts-with-csv","csv-mapping","https:\u002F\u002Fcsvmapper.io","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcsvmapper.1.0.zip",100,null,"2026-04-16T10:56:18.058Z","no_bundle",[],{"slug":29,"display_name":7,"profile_url":8,"plugin_count":30,"total_installs":11,"avg_security_score":31,"avg_patch_time_days":32,"trust_score":33,"computed_at":34},"sorinmarta",2,96,30,91,"2026-05-20T02:51:08.281Z",[],{"attackSurface":37,"codeSignals":83,"taintFlows":105,"riskAssessment":148,"analyzedAt":159},{"hooks":38,"ajaxHandlers":78,"restRoutes":79,"shortcodes":80,"cronEvents":81,"entryPointCount":11,"unprotectedCount":11},[39,45,49,53,57,60,64,69,74],{"type":40,"name":41,"callback":42,"file":43,"line":44},"action","admin_post_csvm-settings","settings_form_callback","includes\u002Fadmin\u002Fclass-csvm-forms.php",26,{"type":40,"name":46,"callback":47,"file":43,"line":48},"admin_post_csvm-file-upload","upload_form_callback",27,{"type":40,"name":50,"callback":51,"file":43,"line":52},"admin_post_csvm-table-mapping","table_map_callback",28,{"type":40,"name":54,"callback":55,"file":43,"line":56},"admin_post_csvm-meta-mapping","meta_map_callback",29,{"type":40,"name":58,"callback":59,"file":43,"line":32},"admin_post_csvm-last-step","last_step_callback",{"type":40,"name":61,"callback":62,"file":63,"line":44},"admin_menu","pages","includes\u002Fadmin\u002Fclass-csvm-menu.php",{"type":40,"name":65,"callback":66,"file":67,"line":68},"admin_enqueue_scripts","admin_scripts","includes\u002Fcore\u002Fclass-csvm-asset-manager.php",22,{"type":40,"name":70,"callback":71,"file":72,"line":73},"csvm_import_lookout","lookout_callback","includes\u002Fcore\u002Fclass-csvm-cron.php",23,{"type":75,"name":76,"callback":76,"file":72,"line":77},"filter","cron_schedules",24,[],[],[],[82],{"hook":70,"callback":70,
"file":72,"line":48},{"dangerousFunctions":84,"sqlUsage":97,"outputEscaping":100,"fileOperations":30,"externalRequests":11,"nonceChecks":103,"capabilityChecks":11,"bundledLibraries":104},[85,90,94],{"fn":86,"file":87,"line":88,"context":89},"unserialize","includes\u002Fabstracts\u002Fclass-csvm-base-model.php",128,"$import = unserialize( $data );",{"fn":86,"file":91,"line":92,"context":93},"includes\u002Fmodels\u002Fclass-csvm-run.php",141,"$data = unserialize( $run->option_value );",{"fn":86,"file":91,"line":95,"context":96},144,"$data = unserialize( $data );",{"prepared":98,"raw":11,"locations":99},8,[],{"escaped":101,"rawEcho":11,"locations":102},201,[],11,[],[106,131],{"entryPoint":107,"graph":108,"unsanitizedCount":30,"severity":130},"add_notifications (includes\u002Fcore\u002Fclass-csvm-view.php:74)",{"nodes":109,"edges":126},[110,116,120],{"id":111,"type":112,"label":113,"file":114,"line":115},"n0","source","$_COOKIE (x2)","includes\u002Fcore\u002Fclass-csvm-view.php",80,{"id":117,"type":118,"label":119,"file":114,"line":115},"n1","transform","→ show_redirect_message()",{"id":121,"type":122,"label":123,"file":114,"line":124,"wp_function":125},"n2","sink","echo() [XSS]",98,"echo",[127,129],{"from":111,"to":117,"sanitized":128},false,{"from":117,"to":121,"sanitized":128},"medium",{"entryPoint":132,"graph":133,"unsanitizedCount":30,"severity":130},"\u003Cclass-csvm-view> (includes\u002Fcore\u002Fclass-csvm-view.php:0)",{"nodes":134,"edges":143},[135,137,138,139,141],{"id":111,"type":112,"label":113,"file":114,"line":136},77,{"id":117,"type":122,"label":123,"file":114,"line":124,"wp_function":125},{"id":121,"type":112,"label":113,"file":114,"line":115},{"id":140,"type":118,"label":119,"file":114,"line":115},"n3",{"id":142,"type":122,"label":123,"file":114,"line":124,"wp_function":125},"n4",[144,146,147],{"from":111,"to":117,"sanitized":145},true,{"from":121,"to":140,"sanitized":128},{"from":140,"to":142,"sanitized":128},{"summary":149,"deductions":150},"The 
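'csvmapper' v1.0 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices by using prepared statements for all SQL queries, and the output scan found no raw echo statements. No known vulnerabilities are recorded in its history, although with 0 active installs and a single released version this says little about how closely the code has been examined. The static analysis reports no exposed AJAX handlers, REST API routes, or shortcodes; the five 'admin_post_csvm-*' form handlers listed under hooks are not included in its entry point count of 0. \n\nHowever, there are significant concerns. The presence of three 'unserialize' function calls is a critical red flag, as unserialization of untrusted input is a well-known vector for PHP object injection, which can lead to remote code execution. How serious this is depends on who can write the values being unserialized (one call reads a stored 'option_value'), which the static analysis does not determine. Furthermore, the taint analysis revealed two flows with unsanitized paths, both from '$_COOKIE' through 'show_redirect_message()' to an 'echo' sink in 'class-csvm-view.php'. The tool rates them medium severity rather than critical or high, but they should be reviewed as potential cross-site scripting despite the clean output-escaping count. The absence of capability checks across all entry points is another area of concern: the nonce checks that are present guard against forged requests but do not establish that the current user is allowed to run an import, and WordPress dispatches 'admin_post_*' actions for any logged-in user. This suggests that the form handlers, and the imports later processed by the cron event, might not be adequately protected against unauthorized execution. \n\nIn conclusion, while the plugin has no recorded vulnerabilities and handles SQL with prepared statements, the risks associated with 'unserialize' and the unsanitized cookie-to-echo paths cannot be ignored. The lack of capability checks on the form handlers that feed the cron event further exacerbates this. 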
Immediate attention should be given to the 'unserialize' calls, where sanitizing the input is not a reliable defence: store the data as JSON instead, or at minimum restrict object instantiation with the 'allowed_classes' option. The identified taint flows should be thoroughly reviewed and escaped at the point of output, and the handlers that start an import should verify the user's capability with 'current_user_can'.",[151,154,157],{"reason":152,"points":153},"Dangerous function: unserialize found",15,{"reason":155,"points":156},"Flows with unsanitized paths found",10,{"reason":158,"points":156},"No capability checks found","2026-04-16T14:27:05.877Z",{"wat":161,"direct":178},{"assetPaths":162,"generatorPatterns":169,"scriptPaths":170,"versionParams":171},[163,164,165,166,167,168],"\u002Fwp-content\u002Fplugins\u002Fcsvmapper\u002Fassets\u002Fcss\u002Fadmin\u002Fstyle.css","\u002Fwp-content\u002Fplugins\u002Fcsvmapper\u002Fassets\u002Fjs\u002Fadmin\u002Fsettings.js","\u002Fwp-content\u002Fplugins\u002Fcsvmapper\u002Fassets\u002Fjs\u002Fadmin\u002Ffirst-step.js","\u002Fwp-content\u002Fplugins\u002Fcsvmapper\u002Fassets\u002Fjs\u002Fadmin\u002Fmapping.js","\u002Fwp-content\u002Fplugins\u002Fcsvmapper\u002Fassets\u002Fjs\u002Fadmin\u002Fmeta-map.js","\u002Fwp-content\u002Fplugins\u002Fcsvmapper\u002Fassets\u002Fjs\u002Fadmin\u002Fthird-step.js",[],[164,165,166,167,168],[172,173,174,175,176,177],"csvmapper-admin-stylesheet?ver=","csvmapper-settings?ver=","csvmapper-first-step?ver=","csvmapper-mapping?ver=","csvmapper-meta-map?ver=","csvmapper-third-step?ver=",{"cssClasses":179,"htmlComments":180,"htmlAttributes":181,"restEndpoints":182,"jsGlobals":183,"shortcodeOutput":185},[],[],[],[],[184],"csvm_ajax",[],{"error":145,"url":187,"statusCode":188,"statusMessage":189,"message":189},"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fcsvmapper\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":191,"versions":192},1,[193],{"version":6,"download_url":22,"svn_tag_url":194,"released_at":24,"has_diff":128,"diff_files_changed":195,"diff_lines":24,"trac_diff_url":24,"vulnerabilities":196,"is_current":145},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Fcsvmapper\u002Ftags\u002F1.0\u002F",[],[]]