[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fHaZ-D9VDGss0MreZUr9XQkjeOKbZTTlkEcAEi_XM_xM":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":20,"download_link":21,"security_score":22,"vuln_count":23,"unpatched_count":24,"last_vuln_date":25,"fetched_at":26,"vulnerabilities":27,"developer":55,"crawl_stats":33,"alternatives":62,"analysis":63,"fingerprints":161},"emergency-password-reset","Emergency password reset","9.4","andy_moyle","https:\u002F\u002Fprofiles.wordpress.org\u002Fandy_moyle\u002F","\u003Cp>This plugin does 3 things\u003Cbr \u002F>\n1) It will check you don’t have a username called “admin” which is asking to be hacked\u003Cbr \u002F>\n2) It will allow you to reset all passwords, with an password reset link sent to all users to warn them.\u003Cbr \u002F>\nFollowing a couple of reviews from v7.0 the plugin will allow you to set the email from address, name, subject and message\u003Cbr \u002F>\n3) You can also change the SALTS which forces a logout of all users.\u003C\u002Fp>\n","This plugin allows the admin to reset all the passwords and automatically email out the link to reset",800,28010,68,12,"2025-11-24T12:02:00.000Z","6.8.5","2.7.0","",[4],"http:\u002F\u002Fwww.themoyles.co.uk","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Femergency-password-reset.zip",98,2,0,"2025-09-22 00:00:00","2026-03-15T15:16:48.613Z",[28,43],{"id":29,"url_slug":30,"title":31,"description":32,"plugin_slug":4,"theme_slug":33,"affected_versions":34,"patched_in_version":6,"severity":35,"cvss_score":36,"cvss_vector":37,"vuln_type":38,"published_date":25,"updated_date":39,"references":40,"days_to_patch":42},"CVE-2025-57942","emergency-password-reset-cross-site-request-forgery-2","Emergency Password Reset \u003C= 9.3 - Cross-Site Request 
Forgery","The Emergency Password Reset plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 9.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",null,"\u003C=9.3","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2025-11-24 19:38:25",[41],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fac532bb8-9190-4091-898e-fe23c855164d?source=api-prod",64,{"id":44,"url_slug":45,"title":46,"description":47,"plugin_slug":4,"theme_slug":33,"affected_versions":48,"patched_in_version":49,"severity":35,"cvss_score":36,"cvss_vector":37,"vuln_type":38,"published_date":50,"updated_date":51,"references":52,"days_to_patch":54},"CVE-2024-35648","emergency-password-reset-cross-site-request-forgery","Emergency Password Reset \u003C= 8.0 - Cross-Site Request Forgery","The Emergency Password Reset plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.0. This is due to missing or incorrect nonce validation in the index.php file. 
This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","\u003C=8.0","9.0","2024-06-03 00:00:00","2024-06-11 18:53:34",[53],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F90752d8a-2e0c-4d46-8a49-778fe06361bd?source=api-prod",9,{"slug":7,"display_name":7,"profile_url":8,"plugin_count":56,"total_installs":57,"avg_security_score":58,"avg_patch_time_days":59,"trust_score":60,"computed_at":61},5,1830,97,249,77,"2026-04-04T15:14:57.094Z",[],{"attackSurface":64,"codeSignals":89,"taintFlows":112,"riskAssessment":149,"analyzedAt":160},{"hooks":65,"ajaxHandlers":85,"restRoutes":86,"shortcodes":87,"cronEvents":88,"entryPointCount":24,"unprotectedCount":24},[66,72,77,81],{"type":67,"name":68,"callback":69,"file":70,"line":71},"action","admin_menu","add_emergency_password_reset_menu_item","index.php",16,{"type":73,"name":74,"callback":75,"file":70,"line":76},"filter","wp_mail_from_name","emergency_password_reset_from_name",283,{"type":73,"name":78,"callback":79,"file":70,"line":80},"wp_mail_from","emergency_password_reset_from_email",284,{"type":73,"name":82,"callback":83,"file":70,"line":84},"wp_mail_content_type","emergency_password_reset_set_html_mail_content_type",285,[],[],[],[],{"dangerousFunctions":90,"sqlUsage":91,"outputEscaping":103,"fileOperations":92,"externalRequests":24,"nonceChecks":56,"capabilityChecks":110,"bundledLibraries":111},[],{"prepared":24,"raw":92,"locations":93},3,[94,97,100],{"file":70,"line":95,"context":96},90,"$wpdb->query() with variable interpolation",{"file":70,"line":98,"context":99},141,"$wpdb->get_var() with variable interpolation",{"file":70,"line":101,"context":102},221,"$wpdb->get_results() with variable interpolation",{"escaped":104,"rawEcho":105,"locations":106},34,1,[107],{"file":70,"line":108,"context":109},288,"raw 
output",4,[],[113,138],{"entryPoint":114,"graph":115,"unsanitizedCount":24,"severity":137},"emergency_password_reset_main (index.php:23)",{"nodes":116,"edges":133},[117,121,126,129],{"id":118,"type":119,"label":120,"file":70,"line":95},"n0","source","$_POST['admin']",{"id":122,"type":123,"label":124,"file":70,"line":95,"wp_function":125},"n1","sink","query() [SQLi]","query",{"id":127,"type":119,"label":120,"file":70,"line":128},"n2",92,{"id":130,"type":123,"label":131,"file":70,"line":128,"wp_function":132},"n3","echo() [XSS]","echo",[134,136],{"from":118,"to":122,"sanitized":135},true,{"from":127,"to":130,"sanitized":135},"low",{"entryPoint":139,"graph":140,"unsanitizedCount":24,"severity":137},"\u003Cindex> (index.php:0)",{"nodes":141,"edges":146},[142,143,144,145],{"id":118,"type":119,"label":120,"file":70,"line":95},{"id":122,"type":123,"label":124,"file":70,"line":95,"wp_function":125},{"id":127,"type":119,"label":120,"file":70,"line":128},{"id":130,"type":123,"label":131,"file":70,"line":128,"wp_function":132},[147,148],{"from":118,"to":122,"sanitized":135},{"from":127,"to":130,"sanitized":135},{"summary":150,"deductions":151},"The 'emergency-password-reset' plugin v9.4 exhibits a generally strong security posture regarding its attack surface: the analysis identified no AJAX handlers, REST API routes, shortcodes, or cron events, and therefore no unprotected entry points of those kinds. The static analysis also shows a commendable 97% of output being properly escaped and a good number of nonce and capability checks. Taint analysis reveals no critical or high severity unsanitized paths, indicating a low risk of direct code injection or data leakage through those vectors. Note that all three SQL calls recorded in index.php are built with variable interpolation rather than prepared statements; the traced $_POST['admin'] flow into query() is marked sanitized, but these calls depend on that sanitization remaining correct and merit manual review. The vulnerability history is also a significant concern. The presence of two medium severity CVEs, even if currently patched, suggests a past tendency for exploitable flaws. 
The fact that the last vulnerability was in 2025 indicates a recent history of issues, and the common type being Cross-Site Request Forgery (CSRF) points to potential weaknesses in how user actions are validated.",[152,155,158],{"reason":153,"points":154},"3 medium severity CVEs (even if patched)",20,{"reason":156,"points":157},"SQL queries not using prepared statements",15,{"reason":159,"points":56},"File operations present","2026-03-16T19:18:11.374Z",{"wat":162,"direct":170},{"assetPaths":163,"generatorPatterns":165,"scriptPaths":166,"versionParams":167},[164],"\u002Fwp-content\u002Fplugins\u002Femergency-password-reset\u002Fjs\u002Femergency-password-reset.js",[],[164],[168,169],"emergency-password-reset\u002Fjs\u002Femergency-password-reset.js?ver=","emergency-password-reset\u002Femergency-password-reset.css?ver=",{"cssClasses":171,"htmlComments":172,"htmlAttributes":174,"restEndpoints":180,"jsGlobals":181,"shortcodeOutput":182},[],[173],"\u003C!-- translators: 1 new username -->",[175,176,177,178,179],"name=\"epr-settings\"","name=\"emergency_accept\"","name=\"admin_change\"","name=\"admin\"","value=\"yes\"",[],[],[]]