[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$faRhctyFCHESUdbOC5WonzZv3fD4hfTJiMLSYOw_HbOw":3,"$fg9fMyj3H_NFfk0sn4dT1gDLvRiaeii5-wLhu_8MX460":217},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":24,"download_link":25,"security_score":26,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29,"vulnerabilities":30,"developer":31,"crawl_stats":28,"alternatives":36,"analysis":37,"fingerprints":200},"extended-theme-option","Extended Theme Option","1.0.1","Vipin P.G","https:\u002F\u002Fprofiles.wordpress.org\u002Fvipinpg\u002F","\u003Cp>Extended Theme Option is an advanced plugin which will helps to add more fields in the site where the field values can be displayed in the theme by using auto generated functions. The functions are created automatically in the name of fields itself. This plugin is more useful when custom html template is used where user wants to add more fields in the theme. As many fields can be added using this plugin. It is also simple to use.\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>— Features —\u003C\u002Fp>\n\u003Cp>Easly Configurable.\u003C\u002Fp>\n\u003Cp>Add as many fields.\u003C\u002Fp>\n\u003Cp>Auto generated functions for the fields.\u003C\u002Fp>\n\u003Cp>Simply call the function to get the value.\u003C\u002Fp>\n\u003Cp>Unlimited number of fields.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Ch3>Support\u003C\u002Fh3>\n\u003Cp>If you need help, visit the Extended Theme Option support page at:\u003Cbr \u002F>\nhttp:\u002F\u002Fwww.casperweb.in\u002Fwordpress\u002Fplugins\u002Fextended-theme-option\u002F\u003C\u002Fp>\n\u003Cp>Version 1.0.1, Released 2013-01-24\u003Cbr \u002F>\nCopyright (C) 2013-2014 Vipin P.G – http:\u002F\u002Fwww.casperweb.in\u002F\u003C\u002Fp>\n","Extended Theme Option is an advanced plugin to add more fields in the site. Field values can be retrived by using auto generated functions.",10,2491,100,1,"2013-01-25T15:39:00.000Z","3.5.2","2.7","",[20,21,22,23],"add-more-fields","dynamic-function-for-custom-fields","dynamic-functions-for-fields","extend-theme-fields","http:\u002F\u002Fwww.casperweb.in\u002Fwordpress\u002Fplugins\u002Fextended-theme-option\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fextended-theme-option.zip",85,0,null,"2026-04-06T09:54:40.288Z",[],{"slug":32,"display_name":7,"profile_url":8,"plugin_count":14,"total_installs":11,"avg_security_score":26,"avg_patch_time_days":33,"trust_score":34,"computed_at":35},"vipinpg",30,84,"2026-04-08T08:53:21.389Z",[],{"attackSurface":38,"codeSignals":63,"taintFlows":111,"riskAssessment":185,"analyzedAt":199},{"hooks":39,"ajaxHandlers":59,"restRoutes":60,"shortcodes":61,"cronEvents":62,"entryPointCount":27,"unprotectedCount":27},[40,46,50,54],{"type":41,"name":42,"callback":43,"file":44,"line":45},"action","admin_menu","wpeto_addpages","wp-extend-theme.php",42,{"type":41,"name":47,"callback":48,"file":44,"line":49},"init","wpeto_addcss",43,{"type":41,"name":51,"callback":52,"file":44,"line":53},"plugins_loaded","wpeto_Set",44,{"type":55,"name":56,"callback":57,"priority":11,"file":44,"line":58},"filter","plugin_action_links","add_wpeto_settings_link",110,[],[],[],[],{"dangerousFunctions":64,"sqlUsage":65,"outputEscaping":82,"fileOperations":27,"externalRequests":27,"nonceChecks":27,"capabilityChecks":14,"bundledLibraries":110},[],{"prepared":66,"raw":67,"locations":68},4,5,[69,72,75,78,80],{"file":44,"line":70,"context":71},69,"$wpdb->get_var() with variable interpolation",{"file":44,"line":73,"context":74},227,"$wpdb->query() with variable interpolation",{"file":76,"line":66,"context":77},"wpeto-function\\wpeto-function.php","$wpdb->get_results() with variable interpolation",{"file":76,"line":79,"context":77},17,{"file":76,"line":81,"context":77},61,{"escaped":27,"rawEcho":83,"locations":84},14,[85,88,90,92,94,96,98,100,102,103,104,106,107,108],{"file":44,"line":86,"context":87},153,"raw output",{"file":44,"line":89,"context":87},154,{"file":44,"line":91,"context":87},155,{"file":44,"line":93,"context":87},156,{"file":44,"line":95,"context":87},157,{"file":44,"line":97,"context":87},164,{"file":44,"line":99,"context":87},192,{"file":44,"line":101,"context":87},194,{"file":44,"line":101,"context":87},{"file":44,"line":101,"context":87},{"file":44,"line":105,"context":87},197,{"file":44,"line":105,"context":87},{"file":44,"line":105,"context":87},{"file":44,"line":109,"context":87},212,[],[112,148,161],{"entryPoint":113,"graph":114,"unsanitizedCount":146,"severity":147},"wpeto_config_page (wp-extend-theme.php:112)",{"nodes":115,"edges":140},[116,121,125,131,135,138],{"id":117,"type":118,"label":119,"file":44,"line":120},"n0","source","$_POST",117,{"id":122,"type":123,"label":124,"file":44,"line":120},"n1","transform","→ add_wpeto_field()",{"id":126,"type":127,"label":128,"file":76,"line":129,"wp_function":130},"n2","sink","query() [SQLi]",47,"query",{"id":132,"type":118,"label":133,"file":44,"line":134},"n3","$_REQUEST['del_id']",120,{"id":136,"type":123,"label":137,"file":44,"line":134},"n4","→ delete_wpeto_field()",{"id":139,"type":127,"label":128,"file":76,"line":70,"wp_function":130},"n5",[141,143,144,145],{"from":117,"to":122,"sanitized":142},false,{"from":122,"to":126,"sanitized":142},{"from":132,"to":136,"sanitized":142},{"from":136,"to":139,"sanitized":142},2,"high",{"entryPoint":149,"graph":150,"unsanitizedCount":14,"severity":147},"wpeto_options_page (wp-extend-theme.php:173)",{"nodes":151,"edges":158},[152,154,156],{"id":117,"type":118,"label":119,"file":44,"line":153},179,{"id":122,"type":123,"label":155,"file":44,"line":153},"→ update_wpeto_fields()",{"id":126,"type":127,"label":128,"file":76,"line":157,"wp_function":130},20,[159,160],{"from":117,"to":122,"sanitized":142},{"from":122,"to":126,"sanitized":142},{"entryPoint":162,"graph":163,"unsanitizedCount":184,"severity":147},"\u003Cwp-extend-theme> (wp-extend-theme.php:0)",{"nodes":164,"edges":177},[165,166,167,168,169,170,171,173,175],{"id":117,"type":118,"label":119,"file":44,"line":120},{"id":122,"type":123,"label":124,"file":44,"line":120},{"id":126,"type":127,"label":128,"file":76,"line":129,"wp_function":130},{"id":132,"type":118,"label":133,"file":44,"line":134},{"id":136,"type":123,"label":137,"file":44,"line":134},{"id":139,"type":127,"label":128,"file":76,"line":70,"wp_function":130},{"id":172,"type":118,"label":119,"file":44,"line":153},"n6",{"id":174,"type":123,"label":155,"file":44,"line":153},"n7",{"id":176,"type":127,"label":128,"file":76,"line":157,"wp_function":130},"n8",[178,179,180,181,182,183],{"from":117,"to":122,"sanitized":142},{"from":122,"to":126,"sanitized":142},{"from":132,"to":136,"sanitized":142},{"from":136,"to":139,"sanitized":142},{"from":172,"to":174,"sanitized":142},{"from":174,"to":176,"sanitized":142},3,{"summary":186,"deductions":187},"The \"extended-theme-option\" plugin v1.0.1 exhibits a concerning security posture despite a clean vulnerability history. While the plugin has no known CVEs and a seemingly small attack surface (0 AJAX handlers, REST API routes, shortcodes, or cron events), the static analysis reveals significant weaknesses. A critical concern is the complete lack of output escaping (0% properly escaped), which makes any dynamic content rendered by the plugin highly susceptible to Cross-Site Scripting (XSS) attacks. The taint analysis further exacerbates this, showing 3 flows with unsanitized paths, all classified as high severity. This indicates that data processed by the plugin is not being adequately cleaned before being used, potentially leading to code injection or other malicious actions through these unsanitized flows.\n\nThe absence of nonces on AJAX handlers and the limited capability checks (only 1) suggest that even if an attack vector were found, user authentication and authorization might not be sufficiently enforced. The fact that 4 out of 9 SQL queries are not using prepared statements also introduces a risk of SQL injection vulnerabilities, although this is less severe than the XSS and taint flow issues. The lack of any recorded vulnerabilities in its history might lead to complacency, but the current static analysis findings present substantial risks that need immediate attention.",[188,190,193,195,197],{"reason":189,"points":157},"All output is unescaped (0%)",{"reason":191,"points":192},"3 high severity taint flows with unsanitized paths",15,{"reason":194,"points":67},"44% of SQL queries not using prepared statements",{"reason":196,"points":67},"0 nonce checks on AJAX handlers",{"reason":198,"points":184},"Only 1 capability check found","2026-03-17T00:48:24.925Z",{"wat":201,"direct":207},{"assetPaths":202,"generatorPatterns":204,"scriptPaths":205,"versionParams":206},[203],"\u002Fwp-content\u002Fplugins\u002Fwp-extend-theme\u002Fcss\u002Fwpeto-style.css",[],[],[],{"cssClasses":208,"htmlComments":212,"htmlAttributes":213,"restEndpoints":214,"jsGlobals":215,"shortcodeOutput":216},[209,210,211],"field_title","admn_err_msg","footer_developer",[],[],[],[],[],{"slug":4,"current_version":6,"total_versions":14,"versions":218},[219],{"version":6,"download_url":220,"svn_tag_url":221,"released_at":28,"has_diff":142,"diff_files_changed":222,"diff_lines":28,"trac_diff_url":28,"vulnerabilities":223,"is_current":224},"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fextended-theme-option.1.0.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fextended-theme-option\u002Ftags\u002F1.0.1\u002F",[],[],true]