[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f--uzTyK2mml8k51z5CLM9w4RTaNbhgnOtp8RC1a6i_8":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":18,"download_link":21,"security_score":22,"vuln_count":23,"unpatched_count":23,"last_vuln_date":24,"fetched_at":25,"vulnerabilities":26,"developer":41,"crawl_stats":32,"alternatives":48,"analysis":49,"fingerprints":72},"filepicker-media-uploader","Filestack","2.0.8","shanaver","https:\u002F\u002Fprofiles.wordpress.org\u002Fshanaver\u002F","\u003Cp>Use Filestack to upload files directly from Facebook, Instagram, Google Images and more for your WordPress site, without ever leaving WordPress.\u003C\u002Fp>\n","Use Filestack to upload files directly from Facebook, Instagram, Google Images and more for your WordPress site, without ever leaving WordPress.",20,3686,80,3,"2016-11-21T20:09:00.000Z","4.7.32","3.0.1","",[20],"filestack-filepicker-filepicker-io-media-uploads-facebook-dropbox-google-drive-box-skydrive-instagram-picasa-instagram-flickr-github-evernote-alfresco","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffilepicker-media-uploader.2.0.8.zip",63,1,"2026-02-17 16:17:30","2026-03-15T15:16:48.613Z",[27],{"id":28,"url_slug":29,"title":30,"description":31,"plugin_slug":4,"theme_slug":32,"affected_versions":33,"patched_in_version":32,"severity":34,"cvss_score":35,"cvss_vector":36,"vuln_type":37,"published_date":24,"updated_date":38,"references":39,"days_to_patch":32},"CVE-2025-13959","filestack-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attributes","Filestack \u003C= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes","The Filestack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'filepicker' 
shortcode in all versions up to, and including, 2.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",null,"\u003C=2.0.8","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-18 04:35:42",[40],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2777794d-2c0a-4843-bed8-78e607d4e796?source=api-prod",{"slug":7,"display_name":7,"profile_url":8,"plugin_count":42,"total_installs":43,"avg_security_score":44,"avg_patch_time_days":45,"trust_score":46,"computed_at":47},2,40,64,30,69,"2026-04-04T05:57:34.714Z",[],{"attackSurface":50,"codeSignals":57,"taintFlows":64,"riskAssessment":65,"analyzedAt":71},{"hooks":51,"ajaxHandlers":52,"restRoutes":53,"shortcodes":54,"cronEvents":55,"entryPointCount":56,"unprotectedCount":56},[],[],[],[],[],0,{"dangerousFunctions":58,"sqlUsage":59,"outputEscaping":61,"fileOperations":56,"externalRequests":56,"nonceChecks":56,"capabilityChecks":56,"bundledLibraries":63},[],{"prepared":56,"raw":56,"locations":60},[],{"escaped":56,"rawEcho":56,"locations":62},[],[],[],{"summary":66,"deductions":67},"The static analysis of filepicker-media-uploader v2.0.8 reveals an exceptionally clean codebase, with no identified dangerous functions, SQL injection vulnerabilities, unescaped output, file operations, or external HTTP requests.  The absence of any identified taint flows further reinforces this positive picture, indicating that data handled by the plugin is likely processed securely. 
Furthermore, the scan recorded zero entry points and no shortcodes, cron events, or REST API routes, so it found none that lack authentication checks or bypass permission callbacks. This empty result is not by itself a strong indicator of good security design: the known vulnerability is in the plugin's 'filepicker' shortcode, which the scan did not register, so the entry-point counts are likely incomplete.\n\nHowever, the plugin's vulnerability history presents a significant concern. The presence of one unpatched medium-severity CVE (CVE-2025-13959, CVSS 6.4), a stored Cross-site Scripting (XSS) issue, overshadows the otherwise clean static analysis results. It allows authenticated users with contributor-level access or above to inject scripts through shortcode attributes, which can lead to compromised user sessions or data theft. The recency of this last vulnerability further underscores the immediate need for attention.\n\nIn conclusion, while the static analysis of filepicker-media-uploader v2.0.8 flagged no issues, the existence of an unpatched XSS vulnerability is a serious weakness that poses a real risk to users. The static results suggest a limited attack surface, but the unpatched vulnerability necessitates immediate action to mitigate potential exploitation: no patched version is listed and the plugin was last updated in 2016, so mitigation means removing or replacing the plugin, or limiting contributor-level accounts to trusted users, rather than waiting for an update.",[68],{"reason":69,"points":70},"Unpatched medium severity 
CVE",15,"2026-03-16T22:53:11.167Z",{"wat":73,"direct":88},{"assetPaths":74,"generatorPatterns":80,"scriptPaths":81,"versionParams":82},[75,76,77,78,79],"\u002Fwp-content\u002Fplugins\u002Ffilepicker-media-uploader\u002Fcss\u002Fstyle.css","\u002Fwp-content\u002Fplugins\u002Ffilepicker-media-uploader\u002Fcss\u002Fwp_media.css","\u002Fwp-content\u002Fplugins\u002Ffilepicker-media-uploader\u002Fjs\u002Ffilepicker.js","\u002Fwp-content\u002Fplugins\u002Ffilepicker-media-uploader\u002Fjs\u002Ffilepicker_wp_media.js","\u002Fwp-content\u002Fplugins\u002Ffilepicker-media-uploader\u002Fjs\u002Fjquery.filepicker.js",[],[77,78,79],[83,84,85,86,87],"filepicker-media-uploader\u002Fcss\u002Fstyle.css?ver=","filepicker-media-uploader\u002Fcss\u002Fwp_media.css?ver=","filepicker-media-uploader\u002Fjs\u002Ffilepicker.js?ver=","filepicker-media-uploader\u002Fjs\u002Ffilepicker_wp_media.js?ver=","filepicker-media-uploader\u002Fjs\u002Fjquery.filepicker.js?ver=",{"cssClasses":89,"htmlComments":94,"htmlAttributes":95,"restEndpoints":118,"jsGlobals":120,"shortcodeOutput":122},[90,91,92,93],"filepicker-upload-button","filepicker-media-upload-form","filepicker-media-preview","filepicker-media-input",[],[96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117],"data-fp-apikey","data-fp-button-text","data-fp-button-class","data-fp-container","data-fp-multi-select","data-fp-modal","data-fp-store-url","data-fp-store-path","data-fp-store-location","data-fp-services","data-fp-mimetype","data-fp-max-size","data-fp-max-files","data-fp-dragdrop","data-fp-onclose","data-fp-onpick","data-fp-onupload","data-fp-upload-multiple","data-fp-crop-ratio","data-fp-crop-force","data-fp-crop-}{-width","data-fp-crop-}{-height",[119],"\u002Fwp-json\u002Ffilepicker\u002Fv1\u002Fupload",[121],"window.Filepicker",[123],"[filepicker]"]