[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f0CoT_hBz5WpUqW2mBmtWLE5TmRdjFnQajy5yX7769R8":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":24,"download_link":25,"security_score":26,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29,"vulnerabilities":30,"developer":45,"crawl_stats":36,"alternatives":52,"analysis":74,"fingerprints":175},"e-namad-shamed-logo-manager","E-namad & Shamed Logo Manager","2.2","Hamid Reza Yazdani","https:\u002F\u002Fprofiles.wordpress.org\u002Fyazdaniwp\u002F","\u003Cp>This plugin uses shortcodes and widgets to help you put the Enamad, Shamed and Zarrinpal logos in any part of your website that you like.\u003C\u002Fp>\n","This plugin helps you to easily put the logo of E-namad, Shamed and Zarrinpal on your website",3000,26035,88,7,"2020-08-20T00:32:00.000Z","5.5.18","4.7","7.0",[20,21,22,23],"enamad","enamad-logo","resaneh-logo","shamed-logo","http:\u002F\u002Fyazdaniwp.com\u002Fplugins\u002Fenamad-shamed-logo\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fe-namad-shamed-logo-manager.2.2.zip",63,1,"2025-09-22 00:00:00","2026-03-15T15:16:48.613Z",[31],{"id":32,"url_slug":33,"title":34,"description":35,"plugin_slug":4,"theme_slug":36,"affected_versions":37,"patched_in_version":36,"severity":38,"cvss_score":39,"cvss_vector":40,"vuln_type":41,"published_date":28,"updated_date":42,"references":43,"days_to_patch":36},"CVE-2025-57998","e-namad-amp-shamed-logo-manager-authenticated-administrator-stored-cross-site-scripting","E-namad &amp; Shamed Logo Manager \u003C= 2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting","The E-namad &amp; Shamed Logo Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.2 due to 
insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.",null,"\u003C=2.2","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2025-09-26 17:26:50",[44],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1c1ca3cc-544a-4d75-aaf3-e26e2fc5ce5a?source=api-prod",{"slug":46,"display_name":7,"profile_url":8,"plugin_count":47,"total_installs":11,"avg_security_score":48,"avg_patch_time_days":49,"trust_score":50,"computed_at":51},"yazdaniwp",2,78,30,79,"2026-04-04T02:29:41.139Z",[53],{"slug":54,"name":55,"version":56,"author":57,"author_profile":58,"description":59,"short_description":60,"active_installs":61,"downloaded":62,"rating":13,"num_ratings":14,"last_updated":63,"tested_up_to":64,"requires_at_least":65,"requires_php":66,"tags":67,"homepage":66,"download_link":70,"security_score":71,"vuln_count":47,"unpatched_count":72,"last_vuln_date":73,"fetched_at":29},"logo-manager-for-enamad","Logo Manager For Enamad","0.7.4","Omid Shamloo","https:\u002F\u002Fprofiles.wordpress.org\u002Fgoback2\u002F","\u003Cp>just for Iranian sites who uses enamad.ir service\u003C\u002Fp>\n\u003Cp>با این پلاگین به‌صورت خودکار کد نماد الکترونیکی سایت را مدیریت می کنید\u003C\u002Fp>\n\u003Cp>This plugin is licensed under the \u003Ca href=\"http:\u002F\u002Fwww.apache.org\u002Flicenses\u002FLICENSE-2.0\" rel=\"nofollow ugc\">Apache License, Version 2.0\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>0.7.4\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>small fix (نمایش خودکار با اینکه غیرفعال بود اما باز نمایش داده 
میشد.)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>0.7.3\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>escape $title var in widget output\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>0.7.2\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>xss in admin widget area – fixed\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>0.7.1\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>wp-nonce implemented\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>0.7\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>امکان لود عکس ثابت به جای اینماد اصلی برا افزایش سرعت سایت\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>0.6\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>بروزرسانی توابع منقضی\u003C\u002Fli>\n\u003Cli>افزودن امکان نمادهای دیگر در قالب ابزارک و کدکوتاه\u003C\u002Fli>\n\u003Cli>هماهنگی با ویژوآل کامپوزر\u003C\u002Fli>\n\u003Cli>افزدن امکان غیرفعال سازی در حالت موبایل\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>0.5\u003C\u002Fh3>\n\u003Cp>سازگاری با نسخه های جدید php\u003C\u002Fp>\n\u003Ch3>0.4\u003C\u002Fh3>\n\u003Cp>حل مشکل غیر فعال شدن ابزارک با غیرفعال کردن نمایش خودکار\u003C\u002Fp>\n\u003Ch3>0.3\u003C\u002Fh3>\n\u003Cp>حل مشکل زیر قسمت های سایت مخفی شدن\u003C\u002Fp>\n\u003Ch3>0.2\u003C\u002Fh3>\n\u003Cp>سازگاری با تغییرات جدید سایت نماد الکترونیکی \u002F تنظیمات کد در مدیرت برای نسخه جدید فراموش نشود.\u003C\u002Fp>\n\u003Ch4>0.1\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>ver 0.1 released.\u003C\u002Fli>\n\u003C\u002Ful>\n","جهت قراردادن خودکار لوگوی نماد الکترونیکی( اینماد ) در سایت| قابلیت کدکوتاه و ابزارک برای ای نماد | شامد | نماد های دیگر",6000,80291,"2025-01-29T15:13:00.000Z","6.7.5","3.0","",[20,21,68,23,69],"shamed","wordpress-enamad-plugin","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flogo-manager-for-enamad.zip",91,0,"2024-08-27 
00:00:00",{"attackSurface":75,"codeSignals":124,"taintFlows":160,"riskAssessment":161,"analyzedAt":174},{"hooks":76,"ajaxHandlers":103,"restRoutes":104,"shortcodes":105,"cronEvents":122,"entryPointCount":123,"unprotectedCount":72},[77,83,87,93,97,99,101],{"type":78,"name":79,"callback":80,"file":81,"line":82},"action","admin_menu","ywp_esl_option_page","index.php",35,{"type":78,"name":84,"callback":85,"file":81,"line":86},"admin_init","ywp_esl_register_settings",38,{"type":88,"name":89,"callback":90,"priority":91,"file":81,"line":92},"filter","wp_targeted_link_rel","ywp_avoid_text_widget_rel",99,50,{"type":78,"name":94,"callback":95,"file":96,"line":47},"widgets_init","closure","widget\\class-widget-all.php",{"type":78,"name":94,"callback":95,"file":98,"line":47},"widget\\class-widget-enamad.php",{"type":78,"name":94,"callback":95,"file":100,"line":47},"widget\\class-widget-shamed.php",{"type":78,"name":94,"callback":95,"file":102,"line":47},"widget\\class-widget-zarrin.php",[],[],[106,110,114,118],{"tag":107,"callback":108,"file":81,"line":109},"enamadlogo_shortcode","ywp_enamad_logo",44,{"tag":111,"callback":112,"file":81,"line":113},"shamedlogo_shortcode","ywp_shamed_logo",45,{"tag":115,"callback":116,"file":81,"line":117},"zarrinpallogo_shortcode","ywp_zarrinpal_logo",46,{"tag":119,"callback":120,"file":81,"line":121},"ywp_esl_logos","ywp_esl_all_logos",47,[],4,{"dangerousFunctions":125,"sqlUsage":126,"outputEscaping":128,"fileOperations":72,"externalRequests":72,"nonceChecks":72,"capabilityChecks":72,"bundledLibraries":159},[],{"prepared":72,"raw":72,"locations":127},[],{"escaped":129,"rawEcho":130,"locations":131},26,14,[132,136,138,140,142,144,146,147,149,151,153,155,157,158],{"file":133,"line":134,"context":135},"templates\\option-page.php",10,"raw 
output",{"file":133,"line":137,"context":135},17,{"file":133,"line":139,"context":135},24,{"file":133,"line":141,"context":135},52,{"file":96,"line":143,"context":135},40,{"file":96,"line":145,"context":135},43,{"file":96,"line":117,"context":135},{"file":96,"line":148,"context":135},48,{"file":96,"line":150,"context":135},64,{"file":96,"line":152,"context":135},69,{"file":96,"line":154,"context":135},74,{"file":98,"line":156,"context":135},25,{"file":100,"line":156,"context":135},{"file":102,"line":156,"context":135},[],[],{"summary":162,"deductions":163},"The e-namad-shamed-logo-manager plugin v2.2 exhibits a mixed security posture. The static analysis shows some positive signs: no raw SQL queries (the scan recorded no SQL usage at all), no detected dangerous functions and no file operations. There are nevertheless significant concerns. The plugin has a known medium-severity stored Cross-Site Scripting (XSS) vulnerability, CVE-2025-57998, that is currently unpatched; according to the advisory it requires administrator-level access and only affects multi-site installations and installations where unfiltered_html has been disabled. Furthermore, the scan found no nonce checks and no capability checks in the plugin code, which is a weakness wherever a request can change state or reach protected data. The recorded entry points are four shortcodes, with no AJAX handlers or REST routes and none counted as unprotected, so the practical exposure should be confirmed by reviewing how the settings page saves its options. About 65% of outputs are escaped (26 escaped, 14 raw); the 14 unescaped outputs, located in the option page template and the widget classes, are where stored values could reach a page without escaping.\n\nThe vulnerability history contains one recorded vulnerability, the stored XSS described above, and because it is unpatched it remains a direct risk on affected installations. The static analysis did not identify any taint flows, which might be due to the analysis scope or a lack of complex data handling, so the absence of flows is not evidence that the raw outputs are safe. The lack of nonce and capability checks applies to entry points that are all shortcodes in this case; shortcodes render content rather than process requests, so this finding matters mainly if a callback changes state or exposes restricted data. 
The total attack surface is small (four shortcodes and seven hooks), which limits exposure but does not offset the unescaped outputs.\n\nIn conclusion, despite the absence of raw SQL and dangerous functions, the e-namad-shamed-logo-manager plugin v2.2 carries risk from an unpatched stored XSS vulnerability and from output that is not consistently escaped. No patched version is recorded for CVE-2025-57998 and the plugin was last updated in 2020, so the issue cannot currently be resolved by updating; site owners should limit administrator accounts to trusted users and consider replacing the plugin. For the plugin code itself, escaping every output at the point of echo and adding nonce and capability checks wherever settings are saved are strongly recommended.",[164,167,169,171],{"reason":165,"points":166},"Unpatched medium severity CVE",15,{"reason":168,"points":134},"Lack of nonce checks on entry points",{"reason":170,"points":134},"Lack of capability checks on entry points",{"reason":172,"points":173},"Insufficient output escaping (35%)",5,"2026-03-16T18:27:00.432Z",{"wat":176,"direct":188},{"assetPaths":177,"generatorPatterns":183,"scriptPaths":184,"versionParams":185},[178,179,180,181,182],"\u002Fwp-content\u002Fplugins\u002Fe-namad-shamed-logo-manager\u002Fwidget\u002Fclass-widget-all.php","\u002Fwp-content\u002Fplugins\u002Fe-namad-shamed-logo-manager\u002Fwidget\u002Fclass-widget-enamad.php","\u002Fwp-content\u002Fplugins\u002Fe-namad-shamed-logo-manager\u002Fwidget\u002Fclass-widget-shamed.php","\u002Fwp-content\u002Fplugins\u002Fe-namad-shamed-logo-manager\u002Fwidget\u002Fclass-widget-zarrin.php","\u002Fwp-content\u002Fplugins\u002Fe-namad-shamed-logo-manager\u002Ftemplates\u002Foption-page.php",[],[],[186,187],"e-namad-shamed-logo-manager\u002Fstyle.css?ver=","e-namad-shamed-logo-manager\u002Fscript.js?ver=",{"cssClasses":189,"htmlComments":191,"htmlAttributes":192,"restEndpoints":196,"jsGlobals":197,"shortcodeOutput":199},[190],"ywp-esl-logo-container",[],[193,194,195],"data-enamad-logo","data-shamed-logo","data-zarrinpal-logo",[],[198],"window.ywp_esl_logos_data",[200,201,202,2
03],"[enamadlogo_shortcode]","[shamedlogo_shortcode]","[zarrinpallogo_shortcode]","[ywp_esl_logos]"]