[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fmQ_dk3whYiQvpHzxhp6-WltEklEZha8788JoK58UW9s":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":22,"download_link":23,"security_score":13,"vuln_count":24,"unpatched_count":24,"last_vuln_date":25,"fetched_at":26,"vulnerabilities":27,"developer":28,"crawl_stats":25,"alternatives":34,"analysis":134,"fingerprints":182},"gnu-terry-pratchett","GNU Terry Pratchett","0.4.1","Nick C","https:\u002F\u002Fprofiles.wordpress.org\u002Fmodernnerd\u002F","\u003Cp>The GNU Terry Pratchett plugin transmits an “X-Clacks-Overhead” header reading, “GNU Terry Pratchett” so that Terry’s name is whispered forevermore in the Internet’s “overhead”.\u003C\u002Fp>\n\u003Cp>In Pratchett’s “Going Postal”, workers who die in the line of duty have their names transmitted up and down the Discworld’s telegraph system as a tribute.\u003C\u002Fp>\n\u003Cp>This plugin makes it easy for WordPress users to do the same for Terry Pratchett, without having to modify their server configuration.\u003C\u002Fp>\n\u003Ch4>The GNU Terry Pratchett headers\u003C\u002Fh4>\n\u003Cp>The plugin adds the GNU Terry Pratchett header in two ways:\u003C\u002Fp>\n\u003Col>\n\u003Cli>As an HTTP header (if you don’t use a WordPress page caching plugin).\u003C\u002Fli>\n\u003Cli>As a meta tag in your HTML with the http-equiv attribute.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>Settings\u003C\u002Fh4>\n\u003Cp>The text sent in HTTP headers and meta tags is “GNU Terry Pratchett” by default.\u003C\u002Fp>\n\u003Cp>Change this by visiting Settings \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> GNU Terry Pratchett in your WordPress admin area and editing the “X-Clacks-Overhead header” field.\u003C\u002Fp>\n\u003Cp>This option lets you 
honor other people you would like to remember by making them a small part of your site’s content forever.\u003C\u002Fp>\n\u003Ch4>Checking the HTTP header is sent\u003C\u002Fh4>\n\u003Cp>There are several ways to check that the HTTP header is appearing for your site:\u003C\u002Fp>\n\u003Col>\n\u003Cli>With your terminal (\u003Ccode>curl -I example.com\u003C\u002Fcode>)\u003C\u002Fli>\n\u003Cli>With Chrome’s Network tab.\u003C\u002Fli>\n\u003Cli>With the \u003Ca href=\"https:\u002F\u002Fchrome.google.com\u002Fwebstore\u002Fdetail\u002Fclacks-overhead-gnu-terry\u002Flnndfmobdoobjfcalkmfojmanbeoegab\" rel=\"nofollow ugc\">Clacks Overhead\u003C\u002Fa> Chrome plugin or the \u003Ca href=\"https:\u002F\u002Faddons.mozilla.org\u002Fen-US\u002Ffirefox\u002Faddon\u002Fgnu_terry_pratchett\u002F\" rel=\"nofollow ugc\">GNU Terry Pratchett Firefox extension\u003C\u002Fa>.\u003C\u002Fli>\n\u003Cli>Using the \u003Ca href=\"http:\u002F\u002Ftools.seobook.com\u002Fserver-header-checker\u002F\" rel=\"nofollow ugc\">Server Header Checker\u003C\u002Fa>.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>Note that the HTTP header is not sent if you use a page caching plugin. To send the HTTP header and continue to use a caching plugin, add the header at the server level. 
See http:\u002F\u002Fwww.gnuterrypratchett.com\u002F for options.\u003C\u002Fp>\n\u003Ch4>Checking the meta tag is added\u003C\u002Fh4>\n\u003Cp>You can check that the meta tag is visible by viewing your site’s HTML source and searching for “GNU Terry Pratchett”.\u003C\u002Fp>\n\u003Cp>The \u003Ca href=\"https:\u002F\u002Fchrome.google.com\u002Fwebstore\u002Fdetail\u002Fclacks-overhead-gnu-terry\u002Flnndfmobdoobjfcalkmfojmanbeoegab\" rel=\"nofollow ugc\">Clacks Overhead plugin\u003C\u002Fa> for Chrome and the \u003Ca href=\"https:\u002F\u002Faddons.mozilla.org\u002Fen-US\u002Ffirefox\u002Faddon\u002Fgnu_terry_pratchett\u002F\" rel=\"nofollow ugc\">GNU Terry Pratchett extension\u003C\u002Fa> for Firefox both light up when they detect the HTML meta tag or HTTP header.\u003C\u002Fp>\n\u003Ch4>Credits and contributions\u003C\u002Fh4>\n\u003Cp>Inspired by \u003Ca href=\"http:\u002F\u002Fwww.reddit.com\u002Fr\u002Fbestof\u002Fcomments\u002F2yyop7\u002Frdiscworld_redditors_with_web_servers_start\u002F\" rel=\"nofollow ugc\">this reddit post\u003C\u002Fa>, \u003Ca href=\"http:\u002F\u002Fboingboing.net\u002F2015\u002F03\u002F15\u002Fsending-terry-pratchett-home-w.html\" rel=\"nofollow ugc\">boingboing’s report\u003C\u002Fa>, and the \u003Ca href=\"http:\u002F\u002Fwww.gnuterrypratchett.com\u002F\" rel=\"nofollow ugc\">GNU Terry Pratchett\u003C\u002Fa> website.\u003C\u002Fp>\n\u003Cp>Contributions welcome at the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fnickcernis\u002Fgnu-terry-pratchett\" rel=\"nofollow ugc\">GitHub repo\u003C\u002Fa>.\u003C\u002Fp>\n","Add an X-Clacks-Overhead header with “GNU Terry Pratchett” to all non-admin 
pages.",1000,18229,100,13,"2025-12-02T20:30:00.000Z","6.9.4","4.6","5.6",[20,21],"http-headers","terry-pratchett","https:\u002F\u002Fgithub.com\u002Fnickcernis\u002Fgnu-terry-pratchett","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgnu-terry-pratchett.0.4.1.zip",0,null,"2026-03-15T15:16:48.613Z",[],{"slug":29,"display_name":7,"profile_url":8,"plugin_count":30,"total_installs":11,"avg_security_score":13,"avg_patch_time_days":31,"trust_score":32,"computed_at":33},"modernnerd",1,30,94,"2026-04-04T07:02:16.307Z",[35,60,79,96,114],{"slug":20,"name":36,"version":37,"author":38,"author_profile":39,"description":40,"short_description":41,"active_installs":42,"downloaded":43,"rating":44,"num_ratings":45,"last_updated":46,"tested_up_to":47,"requires_at_least":48,"requires_php":49,"tags":50,"homepage":55,"download_link":56,"security_score":57,"vuln_count":58,"unpatched_count":24,"last_vuln_date":59,"fetched_at":26},"HTTP Headers","1.19.2","Dimitar Ivanov","https:\u002F\u002Fprofiles.wordpress.org\u002Fzinoui\u002F","\u003Cp>HTTP Headers gives you control over the http headers returned by your blog or website.\u003C\u002Fp>\n\u003Cp>Headers supported by HTTP Headers include:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Access-Control-Allow-Origin\u003C\u002Fli>\n\u003Cli>Access-Control-Allow-Credentials\u003C\u002Fli>\n\u003Cli>Access-Control-Max-Age\u003C\u002Fli>\n\u003Cli>Access-Control-Allow-Methods\u003C\u002Fli>\n\u003Cli>Access-Control-Allow-Headers\u003C\u002Fli>\n\u003Cli>Access-Control-Expose-Headers\u003C\u002Fli>\n\u003Cli>Age 
\u003C\u002Fli>\n\u003Cli>Content-Security-Policy\u003C\u002Fli>\n\u003Cli>Content-Security-Policy-Report-Only\u003C\u002Fli>\n\u003Cli>Cache-Control\u003C\u002Fli>\n\u003Cli>Clear-Site-Data\u003C\u002Fli>\n\u003Cli>Connection\u003C\u002Fli>\n\u003Cli>Content-Encoding\u003C\u002Fli>\n\u003Cli>Content-Type\u003C\u002Fli>\n\u003Cli>Cross-Origin-Embedder-Policy\u003C\u002Fli>\n\u003Cli>Cross-Origin-Opener-Policy\u003C\u002Fli>\n\u003Cli>Cross-Origin-Resource-Policy\u003C\u002Fli>\n\u003Cli>Expect-CT\u003C\u002Fli>\n\u003Cli>Expires\u003C\u002Fli>\n\u003Cli>Feature-Policy\u003C\u002Fli>\n\u003Cli>NEL\u003C\u002Fli>\n\u003Cli>Permissions-Policy\u003C\u002Fli>\n\u003Cli>Pragma\u003C\u002Fli>\n\u003Cli>P3P\u003C\u002Fli>\n\u003Cli>Referrer-Policy\u003C\u002Fli>\n\u003Cli>Report-To\u003C\u002Fli>\n\u003Cli>Strict-Transport-Security\u003C\u002Fli>\n\u003Cli>Timing-Allow-Origin\u003C\u002Fli>\n\u003Cli>Vary\u003C\u002Fli>\n\u003Cli>WWW-Authenticate\u003C\u002Fli>\n\u003Cli>X-Content-Type-Options\u003C\u002Fli>\n\u003Cli>X-DNS-Prefetch-Control\u003C\u002Fli>\n\u003Cli>X-Download-Options\u003C\u002Fli>\n\u003Cli>X-Frame-Options\u003C\u002Fli>\n\u003Cli>X-Permitted-Cross-Domain-Policies\u003C\u002Fli>\n\u003Cli>X-Powered-By\u003C\u002Fli>\n\u003Cli>X-Robots-Tag\u003C\u002Fli>\n\u003Cli>X-UA-Compatible\u003C\u002Fli>\n\u003Cli>X-XSS-Protection\u003C\u002Fli>\n\u003C\u002Ful>\n","HTTP Headers adds CORS & security HTTP headers to your website.",50000,715994,86,70,"2024-12-22T11:49:00.000Z","6.7.5","3.2","5.3",[51,52,53,20,54],"cors-headers","csp-header","custom-headers","security-headers","https:\u002F\u002Fgithub.com\u002Friverside\u002Fhttp-headers","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhttp-headers.1.19.2.zip",91,4,"2023-07-13 
00:00:00",{"slug":61,"name":62,"version":63,"author":64,"author_profile":65,"description":66,"short_description":67,"active_installs":13,"downloaded":68,"rating":13,"num_ratings":69,"last_updated":70,"tested_up_to":71,"requires_at_least":72,"requires_php":73,"tags":74,"homepage":73,"download_link":77,"security_score":78,"vuln_count":24,"unpatched_count":24,"last_vuln_date":25,"fetched_at":26},"simple-iframe-buster","Simple Iframe Buster","1.1.1","Mikel King","https:\u002F\u002Fprofiles.wordpress.org\u002Fvizkr\u002F","\u003Cp>Provides a method of adding X-Frame-Options to the http headers for sites hosted in an environment that does not grant access to\u003Cbr \u002F>\nthe webserver config, .htaccess or lack mod_headers type facility.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Sets X-Frame-Options to SAMEORIGIN\u003C\u002Fli>\n\u003Cli>Enqueue iframe blocking javascript\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Arbitrary section\u003C\u002Fh3>\n\u003Cp>This is my arbitrary section. There’s really nothing special to add because this is truly a simple plugin with no settings or configuration. Turn it on and block the iframe content thieves. Much of this can also be achieved by working with a good hosting provider. If you are bored then head over to my content site \u003Ca href=\"https:\u002F\u002Fwww.jafdip.com\" rel=\"nofollow ugc\">JAFDIP\u003C\u002Fa>.\u003C\u002Fp>\n","Provides a method of setting the X-Frame-Options header to SAMEORIGIN. 
Also enqueues a javascript based iframe blocker.",6274,2,"2021-08-13T21:10:00.000Z","5.7.15","3.9","",[20,75,76],"iframe","x-frame-options","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-iframe-buster.zip",85,{"slug":80,"name":81,"version":82,"author":83,"author_profile":84,"description":85,"short_description":86,"active_installs":87,"downloaded":88,"rating":24,"num_ratings":24,"last_updated":89,"tested_up_to":90,"requires_at_least":91,"requires_php":73,"tags":92,"homepage":94,"download_link":95,"security_score":78,"vuln_count":24,"unpatched_count":24,"last_vuln_date":25,"fetched_at":26},"wp-secure-http-headers","WP Secure HTTP Headers","1.1","WP Academic","https:\u002F\u002Fprofiles.wordpress.org\u002Feastsidecode\u002F","\u003Cp>This WordPress Plugin adds secure headers to your WordPress site.\u003C\u002Fp>\n\u003Cp>The Following Headers are included:\u003Cbr \u002F>\n– Strict-Transport-Security: Enforces SSL if your website is using SSL (which it should be)\u003Cbr \u002F>\n– X-Frame-Options: Prevents Clickjacking\u003Cbr \u002F>\n– X-XSS-Protection: Prevents XSS attacks\u003Cbr \u002F>\n– X-Content-Type-Options: set to ‘nosniff’ to prevent MIME-type sniffing\u003Cbr \u002F>\n– Referrer-Policy: set to ‘no-referrer-when-downgrade’\u003C\u002Fp>\n\u003Cul>\n\u003Cli>No setup required!\u003C\u002Fli>\n\u003C\u002Ful>\n","License: GPLv2 or later WordPress plugin to add secure headers to your 
website.",40,1195,"2019-06-17T12:37:00.000Z","5.2.24","4.3",[20,93],"security","https:\u002F\u002Feastsidecode.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-secure-http-headers.zip",{"slug":97,"name":98,"version":99,"author":100,"author_profile":101,"description":102,"short_description":103,"active_installs":31,"downloaded":104,"rating":24,"num_ratings":24,"last_updated":105,"tested_up_to":106,"requires_at_least":107,"requires_php":73,"tags":108,"homepage":112,"download_link":113,"security_score":78,"vuln_count":24,"unpatched_count":24,"last_vuln_date":25,"fetched_at":26},"eazy-http-headers","Eazy HTTP Headers","1.1.0","Rob Scott","https:\u002F\u002Fprofiles.wordpress.org\u002Fr0bsc0tt\u002F","\u003Cp>Eazy HTTP Headers provides three check boxes for settings on the general settings page.\u003Cbr \u002F>\nTwo of the check boxes activate two functions built into WordPress, send_frame_options_header() & send_nosniff_header(), while the other sets a header for X-XSS Protection.\u003Cbr \u002F>\nThis allows you to control your site’s HTTP Headers for X-Frame-Options & X-Content-Type-Options using functions built into WordPress.\u003C\u002Fp>\n","Provides settings to activate three HTTP header settings for X-Frame-Options, X-XSS Protection & 
X-Content-Type-Options.",2100,"2018-01-02T20:12:00.000Z","4..9.1","4.5",[20,109,93,110,111],"nosniff","x-content","x-frame","http:\u002F\u002Frobjscott.com\u002Fwordpress\u002Fplugins\u002Feazy-http-headers","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feazy-http-headers.zip",{"slug":115,"name":116,"version":117,"author":118,"author_profile":119,"description":120,"short_description":121,"active_installs":122,"downloaded":123,"rating":32,"num_ratings":124,"last_updated":125,"tested_up_to":126,"requires_at_least":127,"requires_php":128,"tags":129,"homepage":132,"download_link":133,"security_score":78,"vuln_count":24,"unpatched_count":24,"last_vuln_date":25,"fetched_at":26},"sea-sp-community-edition","SeaSP Community Edition","1.8.3","bluetriangle","https:\u002F\u002Fprofiles.wordpress.org\u002Fbluetriangle\u002F","\u003Cp>SeaSP Community Edition is an automated \u003Cstrong>Content Security Policy Manager\u003C\u002Fstrong>. SeaSP allows you to create, configure, manage, and deploy a Content Security Policy for your site.\u003C\u002Fp>\n\u003Cp>The WordPress SeaSP Community Edition plugin catalogs the domains that appear on your site. Categorize and filter out unwanted domains. Add a layer of WordPress security site from Magecart and other cross-site scripting attacks to keep your WordPress site safe.\u003C\u002Fp>\n\u003Cp>SeaSP installs a strict non-blocking CSP to collect violation data and provide a violation report. Violation data flows into the WordPress database as a PHP option within the plugin options schema. Violations can be approved by domains and categorized by directives (CSS, fonts, images, JS, etc.). You can also approve base domains and subdomains. The SeaSP UI helps users by explaining what each directive does, and how to use them to create a CSP.\u003C\u002Fp>\n\u003Cp>After configuring the domain and directive settings switch the CSP to blocking mode. 
Once the CSP goes into blocking mode, the site’s protected from any unrecognized code. SeaSP Community Edition helps secure your site.\u003C\u002Fp>\n\u003Ch3>Upgrade Notice for 1.4 only\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>When you install this version you will need to rebuild your CSP\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Usage\u003C\u002Fh3>\n\u003Cp>Once installed, a strict non-blocking report-only CSP is implemented on your site. Visit each page of your site to collect CSP violations.\u003Cbr \u002F>\nVisit the Current Violations page of the plugin to review domains that have violated a directive in the CSP.\u003Cbr \u002F>\nReview each of the domains carefully and check for misspellings of common domains like adobee.com instead of adobe.com as this is a common way hackers inject content into your site.\u003Cbr \u002F>\nIf you feel confident that the domain belongs on your site and it should be serving the file type stated, click the toggle to approve the domain to include it in the CSP.\u003Cbr \u002F>\nIf you want to allow subdomains of that domain to be able to serve that type of content, click the Manage subdomains button to view the subdomains.\u003Cbr \u002F>\nAfter this process, you might still see CSP violations regarding inline scripts, inline styles, blobs, or data.\u003Cbr \u002F>\nTo allow this type of content in the community version you must navigate to the Directive Settings page, find the offending directive, then toggle the appropriate option.\u003Cbr \u002F>\nFor convenience, each option has a tooltip explaining what it allows in your CSP.\u003C\u002Fp>\n\u003Ch3>Walk Through\u003C\u002Fh3>\n\u003Cp>A walk through video can be found on YouTube \u003Ca href=\"https:\u002F\u002Fyoutu.be\u002FXdJNh6LEKJw\" rel=\"nofollow ugc\">here\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" 
src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FXdJNh6LEKJw?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n\u003Ch3>Contributing\u003C\u002Fh3>\n\u003Cp>Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.\u003Cbr \u002F>\nThis project has been tested on WordPress up to version 5.8 on both single and multi-site instances.\u003Cbr \u002F>\nThe project can be found on \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fblue-triangle-tech\u002Fsea-sp-community-edition\" rel=\"nofollow ugc\">github\u003C\u002Fa>.\u003Cbr \u002F>\nThis project is sponsored by \u003Ca href=\"www.bluetriangle.com\" rel=\"nofollow ugc\">Blue Triangle\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>Third Party Libraries\u003C\u002Fh3>\n\u003Cp>We use \u003Ca href=\"https:\u002F\u002Fgetbootstrap.com\u002F\" rel=\"nofollow ugc\">Bootstrap\u003C\u002Fa> for the UI of our plugin to make the interface clean and simple.\u003Cbr \u002F>\nBootstrap’s license can be found \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ftwbs\u002Fbootstrap\u002Fblob\u002Fmain\u002FLICENSE\" rel=\"nofollow ugc\">here\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>We use \u003Ca href=\"https:\u002F\u002Fwww.bootstraptoggle.com\u002F\" rel=\"nofollow ugc\">bootstrap toggle\u003C\u002Fa> because simple check boxes can be confusing and we wanted our CSP manager’s UI to feel easy. 
This code was developed for The New York Times by \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fminhur\" rel=\"nofollow ugc\">Min Hur\u003C\u002Fa> and is licensed under \u003Ca href=\"https:\u002F\u002Fopensource.org\u002Flicenses\u002FMIT\" rel=\"nofollow ugc\">MIT\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>License\u003C\u002Fh3>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fchoosealicense.com\u002Flicenses\u002Fgpl-3.0\u002F\" rel=\"nofollow ugc\">GNU\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Opt In usage data collection\u003C\u002Fh3>\n\u003Cp>As of version 1.5 users will be able to opt-in for data collection to help us determine how many people are using our plugin and what features we should be working on in future versions. This can be managed in the Usage Data Settings page. We collect and send the following data:\u003Cbr \u002F>\n1. wordpress version\u003Cbr \u002F>\n2. wordpress debug mode\u003Cbr \u002F>\n3. wordpress multisite\u003Cbr \u002F>\n4. the base url that the plugin is on ex; www.bluetriangle.com\u003Cbr \u002F>\nThis data is only accessible to the Blue Triangle organization and will be used to determine our user base and feature planning.\u003C\u002Fp>\n","SeaSP Community Edition is an automated Content Security Policy Manager. 
SeaSP allows you to create, configure, manage, and deploy a Content Security  &hellip;",20,4225,3,"2021-07-19T19:09:00.000Z","5.8.13","5.1","7.0",[130,131,20,93],"content-security-policy","csp","https:\u002F\u002Fbluetrianglemarketing.github.io\u002FSeaSP-Community-Edition\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsea-sp-community-edition.1.8.3.zip",{"attackSurface":135,"codeSignals":160,"taintFlows":170,"riskAssessment":171,"analyzedAt":181},{"hooks":136,"ajaxHandlers":156,"restRoutes":157,"shortcodes":158,"cronEvents":159,"entryPointCount":24,"unprotectedCount":24},[137,143,148,153],{"type":138,"name":139,"callback":140,"file":141,"line":142},"filter","wp_headers","gnu_terry_pratchett_header","gnu-terry-pratchett.php",18,{"type":144,"name":145,"callback":146,"file":141,"line":147},"action","wp_head","gnu_terry_pratchett_meta",32,{"type":144,"name":149,"callback":150,"file":151,"line":152},"admin_menu","gnu_terry_pratchett_add_options_page","options.php",19,{"type":144,"name":154,"callback":155,"file":151,"line":122},"admin_init","gnu_terry_pratchett_options_page_init",[],[],[],[],{"dangerousFunctions":161,"sqlUsage":162,"outputEscaping":164,"fileOperations":24,"externalRequests":24,"nonceChecks":24,"capabilityChecks":24,"bundledLibraries":169},[],{"prepared":24,"raw":24,"locations":163},[],{"escaped":58,"rawEcho":30,"locations":165},[166],{"file":151,"line":167,"context":168},89,"raw output",[],[],{"summary":172,"deductions":173},"The \"gnu-terry-pratchett\" plugin version 0.4.1 exhibits a strong security posture based on the static analysis. The absence of any identified AJAX handlers, REST API routes, shortcodes, or cron events significantly limits the plugin's attack surface. Furthermore, the code shows adherence to good security practices by not using dangerous functions, performing file operations, or making external HTTP requests. 
The SQL queries are all prepared, and while there are some output operations, the majority are properly escaped, indicating a good effort to prevent XSS vulnerabilities. The lack of any registered vulnerabilities in its history is also a positive indicator.\n\nHowever, the static analysis did reveal some areas for improvement. The complete absence of nonce checks and capability checks is a notable concern. While the attack surface is currently zero, if any entry points were to be introduced in the future without proper authentication or authorization checks, it could lead to significant security risks. The 20% of outputs that are not properly escaped, while not a critical flaw in isolation, still represent a potential vector for cross-site scripting (XSS) vulnerabilities, especially as the plugin evolves and potentially gains more functionality. The current lack of taint analysis results is also inconclusive; it might indicate a small code base or the absence of complex data flows, but it doesn't definitively confirm the absence of all taint-related issues.\n\nIn conclusion, the \"gnu-terry-pratchett\" plugin currently appears to be a low-risk plugin due to its minimal attack surface and adherence to some best practices like prepared SQL statements. The main weaknesses lie in the complete absence of nonces and capability checks, which could become critical if new features are added. The unescaped outputs, while not a critical finding, should be addressed to ensure a more robust security profile. 
The plugin's history of zero vulnerabilities is encouraging, but continuous vigilance and addressing the identified gaps are essential for long-term security.",[174,177,179],{"reason":175,"points":176},"Missing nonce checks",10,{"reason":178,"points":176},"Missing capability checks",{"reason":180,"points":58},"Unescaped output present (20%)","2026-03-16T19:04:21.843Z",{"wat":183,"direct":188},{"assetPaths":184,"generatorPatterns":185,"scriptPaths":186,"versionParams":187},[],[],[],[],{"cssClasses":189,"htmlComments":190,"htmlAttributes":191,"restEndpoints":193,"jsGlobals":194,"shortcodeOutput":195},[],[],[192],"http-equiv=\"X-Clacks-Overhead\"",[],[],[]]