[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fdIE9N803gtiblaKIrKX6Vx3A-FUCDh_8m8lCY58fksI":3,"$fQaJnNRnWBOK3k7l7GQPpp_ey9nHySQALZmBGHohB6Yo":179,"$fR9IEvFctsdCbAD1eIeIbf4uKvkrDdtoJt5u7DaqSLGU":183},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":11,"last_updated":13,"tested_up_to":14,"requires_at_least":15,"requires_php":16,"tags":17,"homepage":23,"download_link":24,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27,"discovery_status":28,"vulnerabilities":29,"developer":30,"crawl_stats":26,"alternatives":36,"analysis":37,"fingerprints":151},"graded-cards-system","Graded Cards System: Collector's Database, Seller Tools & Certificate Lookup","2.2","Richard Psytes","https:\u002F\u002Fprofiles.wordpress.org\u002Fwebvinestudio\u002F","\u003Cp>The \u003Cstrong>Graded Cards System\u003C\u002Fstrong> provides a powerful, yet easy way for \u003Cstrong>collectors\u003C\u002Fstrong> to manage their \u003Cstrong>graded card collections\u003C\u002Fstrong> directly within WordPress. 
This is a complete solution for building a digital portfolio, adding instant credibility, and allowing visitors to verify card details.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Key Features for Collectors and Hobby Shops:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Easy Card Management:\u003C\u002Fstrong> A simple admin interface to add, view, and delete your \u003Cstrong>graded cards\u003C\u002Fstrong> with details like \u003Cstrong>certificate numbers\u003C\u002Fstrong>, grades, and images.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Certificate Lookup Search:\u003C\u002Fstrong> Use the \u003Ccode>[graded_cards_search]\u003C\u002Fcode> shortcode to add a dedicated search bar that allows users to \u003Cstrong>verify certificate numbers\u003C\u002Fstrong> instantly against your database.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Display Your Collection:\u003C\u002Fstrong> Use the \u003Ccode>[graded_cards_list]\u003C\u002Fcode> shortcode to showcase your entire \u003Cstrong>trading card\u003C\u002Fstrong> or \u003Cstrong>sports card\u003C\u002Fstrong> collection in a beautiful, responsive grid or a clean table layout.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Service Compatible:\u003C\u002Fstrong> Perfect for cards graded by services like \u003Cstrong>PSA, BGS, SGC\u003C\u002Fstrong>, and others.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Media Uploader Integration:\u003C\u002Fstrong> Uses the native WordPress Media Uploader for a seamless image-adding experience.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Lightweight & Efficient:\u003C\u002Fstrong> Built to be fast and not slow down your website.\u003C\u002Fli>\n\u003C\u002Ful>\n","A simple and effective system for collectors to manage, display, and verify their graded cards (PSA, BGS, SGC) with a certificate lookup 
feature.",0,222,"2025-09-27T18:24:00.000Z","6.8.5","5.8","7.4",[18,19,20,21,22],"certificate-lookup","graded-card-system","graded-collectibles-manager","graded-sports-cards","trading-card-database","https:\u002F\u002Fwebvinemarketing.com\u002Fgraded-cards-system\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgraded-cards-system.zip",100,null,"2026-04-16T10:56:18.058Z","no_bundle",[],{"slug":31,"display_name":7,"profile_url":8,"plugin_count":32,"total_installs":11,"avg_security_score":25,"avg_patch_time_days":33,"trust_score":34,"computed_at":35},"webvinestudio",2,30,94,"2026-05-19T20:55:58.221Z",[],{"attackSurface":38,"codeSignals":73,"taintFlows":84,"riskAssessment":144,"analyzedAt":150},{"hooks":39,"ajaxHandlers":61,"restRoutes":62,"shortcodes":63,"cronEvents":72,"entryPointCount":32,"unprotectedCount":11},[40,46,50,54,58],{"type":41,"name":42,"callback":43,"file":44,"line":45},"action","admin_enqueue_scripts","gcsys_admin_enqueue_scripts_styles","graded-cards-system.php",56,{"type":41,"name":47,"callback":48,"file":44,"line":49},"wp_enqueue_scripts","gcsys_frontend_enqueue_styles",64,{"type":41,"name":51,"callback":52,"file":44,"line":53},"admin_menu","gcsys_admin_menu",76,{"type":41,"name":55,"callback":56,"file":44,"line":57},"admin_init","gcsys_register_settings",104,{"type":41,"name":55,"callback":59,"file":44,"line":60},"gcsys_handle_admin_actions",184,[],[],[64,68],{"tag":65,"callback":66,"file":44,"line":67},"graded_cards_search","gcsys_search_shortcode",289,{"tag":69,"callback":70,"file":44,"line":71},"graded_cards_list","gcsys_list_shortcode",338,[],{"dangerousFunctions":74,"sqlUsage":75,"outputEscaping":78,"fileOperations":11,"externalRequests":11,"nonceChecks":81,"capabilityChecks":82,"bundledLibraries":83},[],{"prepared":76,"raw":11,"locations":77},13,[],{"escaped":79,"rawEcho":11,"locations":80},125,[],3,1,[],[85,113,134],{"entryPoint":86,"graph":87,"unsanitizedCount":11,"severity":112},"gcsys_search_shortcode 
(graded-cards-system.php:280)",{"nodes":88,"edges":108},[89,94,100,103],{"id":90,"type":91,"label":92,"file":44,"line":93},"n0","source","$_GET (x4)",282,{"id":95,"type":96,"label":97,"file":44,"line":98,"wp_function":99},"n1","sink","echo() [XSS]",284,"echo",{"id":101,"type":91,"label":102,"file":44,"line":93},"n2","$_GET",{"id":104,"type":96,"label":105,"file":44,"line":106,"wp_function":107},"n3","get_row() [SQLi]",285,"get_row",[109,111],{"from":90,"to":95,"sanitized":110},true,{"from":101,"to":104,"sanitized":110},"low",{"entryPoint":114,"graph":115,"unsanitizedCount":11,"severity":112},"\u003Cgraded-cards-system> (graded-cards-system.php:0)",{"nodes":116,"edges":130},[117,119,123,125,126,128],{"id":90,"type":91,"label":102,"file":44,"line":118},205,{"id":95,"type":96,"label":120,"file":44,"line":121,"wp_function":122},"get_results() [SQLi]",213,"get_results",{"id":101,"type":91,"label":124,"file":44,"line":93},"$_GET (x9)",{"id":104,"type":96,"label":97,"file":44,"line":98,"wp_function":99},{"id":127,"type":91,"label":102,"file":44,"line":93},"n4",{"id":129,"type":96,"label":105,"file":44,"line":106,"wp_function":107},"n5",[131,132,133],{"from":90,"to":95,"sanitized":110},{"from":101,"to":104,"sanitized":110},{"from":127,"to":129,"sanitized":110},{"entryPoint":135,"graph":136,"unsanitizedCount":82,"severity":143},"gcsys_admin_page_callback (graded-cards-system.php:189)",{"nodes":137,"edges":140},[138,139],{"id":90,"type":91,"label":102,"file":44,"line":118},{"id":95,"type":96,"label":120,"file":44,"line":121,"wp_function":122},[141],{"from":90,"to":95,"sanitized":142},false,"high",{"summary":145,"deductions":146},"The 'graded-cards-system' v2.2 plugin demonstrates a strong security posture with several positive attributes. Notably, all SQL queries are prepared, outputs are properly escaped, and there are no file operations or external HTTP requests, significantly reducing common attack vectors. 
The presence of nonce and capability checks, while limited in number, indicates an awareness of security best practices for handling user input and actions.\n\nHowever, the taint analysis reveals a concern. One high-severity flow with an unsanitized path has been identified, which could allow an attacker to manipulate data or gain unauthorized access. While the static analysis did not find any dangerous functions or unprotected entry points, this single high-severity taint flow warrants attention. The absence of past vulnerabilities is a positive indicator that the developers are generally attentive to security, but it does not negate the current findings from the static and taint analysis.\n\nIn conclusion, the plugin has a solid foundation in secure coding practices. The primary weakness lies in a single high-severity unsanitized path identified in the taint analysis. This, combined with a relatively small attack surface and good SQL\u002Foutput handling, leads to a moderate overall risk. 
Addressing the identified taint flow should be the priority to further strengthen the plugin's security.",[147],{"reason":148,"points":149},"High severity taint flow with unsanitized path",15,"2026-04-16T13:36:54.243Z",{"wat":152,"direct":163},{"assetPaths":153,"generatorPatterns":157,"scriptPaths":158,"versionParams":159},[154,155,156],"\u002Fwp-content\u002Fplugins\u002Fgraded-cards-system\u002Fassets\u002Fcss\u002Fadmin-styles.css","\u002Fwp-content\u002Fplugins\u002Fgraded-cards-system\u002Fassets\u002Fjs\u002Fadmin-scripts.js","\u002Fwp-content\u002Fplugins\u002Fgraded-cards-system\u002Fassets\u002Fcss\u002Ffrontend-styles.css",[],[155],[160,161,162],"graded-cards-system\u002Fassets\u002Fcss\u002Fadmin-styles.css?ver=","graded-cards-system\u002Fassets\u002Fjs\u002Fadmin-scripts.js?ver=","graded-cards-system\u002Fassets\u002Fcss\u002Ffrontend-styles.css?ver=",{"cssClasses":164,"htmlComments":165,"htmlAttributes":171,"restEndpoints":175,"jsGlobals":176,"shortcodeOutput":177},[],[166,167,168,169,170],"Dear Reviewer: A direct database call with dbDelta is the standard, recommended\n    method for creating\u002Fupdating custom tables in WordPress.","Dear Reviewer, The following `isset` check is a false positive for \"Processing form data without nonce verification\".\n    The nonce (`_wpnonce`) is correctly verified with `wp_verify_nonce()` immediately inside this conditional block before any data is processed.","Dear Reviewer: This is a direct database call, which is necessary to interact with the plugin's custom table.","Dear Reviewer, This `isset` check is a false positive for \"Processing form data without nonce verification\".\n    The nonce (`gcsys_add_card_nonce`) is correctly verified with `wp_verify_nonce()` immediately inside this conditional block.","Dear Reviewer: This is a direct database call, which is necessary to insert data into the plugin's custom 
table.",[172,173,174],"name=\"gcsys_list_layout\"","value=\"grid\"","value=\"table\"",[],[],[178],"[graded_cards_list]",{"error":110,"url":180,"statusCode":181,"statusMessage":182,"message":182},"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fgraded-cards-system\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":11,"versions":184},[]]