[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fnRTZAIc-KnWjNOQm0MiVqr57VYQTa9eihd2cJxjMpmw":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":22,"download_link":23,"security_score":24,"vuln_count":14,"unpatched_count":14,"last_vuln_date":25,"fetched_at":26,"vulnerabilities":27,"developer":42,"crawl_stats":33,"alternatives":45,"analysis":108,"fingerprints":345},"gravitate-automated-tester","Gravitate Automated Tester","1.4.5","Gravitate","https:\u002F\u002Fprofiles.wordpress.org\u002Fgravitate\u002F","\u003Cp>Description: This Plugin allows you to easily run Tests against our PHP or JS code. It is mainly meant for Developers, but can be used by anyone.  Like checking that you made sure that the site is indexable by Search Engines in Production and vise-versa that it is not Indexable in Dev or Staging.\u003C\u002Fp>\n\u003Ch4>Pre-Installed Tests\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>PHP Errors – Check for PHP Errors, Warnings and Notices.\u003C\u002Fli>\n\u003Cli>Gravity Forms Honeypot – Check to make sure that Anti-Spam Honeypot is enabled on all forms.\u003C\u002Fli>\n\u003Cli>Checks Sitespeed against Google Site Speed Insights\u003C\u002Fli>\n\u003Cli>Checks for Sitemap Pages\u003C\u002Fli>\n\u003Cli>Checks for Favicon\u003C\u002Fli>\n\u003Cli>HTML Valid – Check that your Pages are HTML Valid (W3C)\u003C\u002Fli>\n\u003Cli>JS Console Logs – Check General Pages for Console Logs on Page Load\u003C\u002Fli>\n\u003Cli>JS Errors – Check General Pages for JS Errors on Page Load\u003C\u002Fli>\n\u003Cli>Plugins Updated – Make sure WordPress Plugins are the Latest Stable Version\u003C\u002Fli>\n\u003Cli>SEO Indexable – Allow search engines to index the site in Production\u003C\u002Fli>\n\u003Cli>SEO Remove Indexing – Disallow search engines to index the site in Dev and Staging\u003C\u002Fli>\n\u003Cli>WP Debug – Make sure WordPress Debug is set to false\u003C\u002Fli>\n\u003Cli>WP Head\u002FFooter – Check for wp_head() and wp_footer()\u003C\u002Fli>\n\u003Cli>\n\u003Cp>WP Updated – Make sure WordPress is Latest Stable Version\u003C\u002Fp>\n\u003Cp>More to come soon\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Requirements\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>jQuery\u003C\u002Fli>\n\u003Cli>WordPress 3.5 or above\u003C\u002Fli>\n\u003Cli>PHP 5.3+\u003C\u002Fli>\n\u003Cli>PHP cUrl\u003C\u002Fli>\n\u003C\u002Ful>\n","Run Automated PHP or JS Tests.",30,1914,100,1,"2016-06-24T16:51:00.000Z","4.5.33","3.5","",[20,21],"automated-testing","gravitate","http:\u002F\u002Fwww.gravitatedesign.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgravitate-automated-tester.zip",63,"2025-09-22 00:00:00","2026-03-15T15:16:48.613Z",[28],{"id":29,"url_slug":30,"title":31,"description":32,"plugin_slug":4,"theme_slug":33,"affected_versions":34,"patched_in_version":33,"severity":35,"cvss_score":36,"cvss_vector":37,"vuln_type":38,"published_date":25,"updated_date":39,"references":40,"days_to_patch":33},"CVE-2025-58645","gravitate-automated-tester-authenticated-administrator-stored-cross-site-scripting","Gravitate Automated Tester \u003C= 1.4.5 - Authenticated (Administrator+) Stored Cross-Site Scripting","The Gravitate Automated Tester plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.",null,"\u003C=1.4.5","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2025-09-26 17:42:38",[41],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5da7875f-a429-41f3-a05d-81200991585f?source=api-prod",{"slug":21,"display_name":7,"profile_url":8,"plugin_count":14,"total_installs":11,"avg_security_score":24,"avg_patch_time_days":11,"trust_score":43,"computed_at":44},68,"2026-04-04T11:27:25.875Z",[46,68,88],{"slug":47,"name":48,"version":49,"author":50,"author_profile":51,"description":52,"short_description":53,"active_installs":54,"downloaded":55,"rating":13,"num_ratings":56,"last_updated":57,"tested_up_to":58,"requires_at_least":59,"requires_php":60,"tags":61,"homepage":65,"download_link":66,"security_score":13,"vuln_count":67,"unpatched_count":67,"last_vuln_date":33,"fetched_at":26},"editoria11y-accessibility-checker","Editoria11y Accessibility Checker","2.1.12","Editoria11y maintainers","https:\u002F\u002Fprofiles.wordpress.org\u002Feditoria11y\u002F","\u003Cp>Editoria11y (“editorial accessibility ally”) is a quality assurance tool built for an author’s workflow:\u003C\u002Fp>\n\u003Col>\n\u003Cli>It provides instant feedback in the post and page editors. Authors do not need to remember to press a button or visit a dashboard to check their work.\u003C\u002Fli>\n\u003Cli>It checks in context on pages, not just within the post editor, allowing it to test content edited in widgets or theme features.\u003C\u002Fli>\n\u003Cli>It focuses exclusively on \u003Cstrong>content\u003C\u002Fstrong> issues: assisting authors at improving the things that are their responsibility.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>This plugin is the WordPress adaptation of the open-source \u003Ca href=\"https:\u002F\u002Feditoria11y.princeton.edu\" rel=\"nofollow ugc\">Editoria11y library\u003C\u002Fa>. Tests run in the browser and findings are stored in your own database; nothing is sent to any third party. It is meant to \u003Cstrong>supplement\u003C\u002Fstrong>, not replace, \u003Ca href=\"https:\u002F\u002Fwebaim.org\u002Fresources\u002Fevalquickref\u002F\" rel=\"nofollow ugc\">testing your code and visual design\u003C\u002Fa> with developer-focused tools and testing practices.\u003C\u002Fp>\n\u003Ch3>The authoring experience\u003C\u002Fh3>\n\u003Cp>Check out a \u003Ca href=\"https:\u002F\u002Feditoria11y.princeton.edu\u002Fnext\" rel=\"nofollow ugc\">demo of the checker itself\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>When \u003Cstrong>logged-in authors and editors\u003C\u002Fstrong> are viewing pages, Editoria11y inserts tooltips marking any issues present on the current page. Issues are also highlighted while editing in the Block Editor (Gutenberg) and Classic Editor (TinyMCE).\u003C\u002Fli>\n\u003Cli>Tooltips explain each problem and what actions are needed to resolve it. Some issues are “manual checks,” which have buttons to ignore the check or mark the content as OK.\u003C\u002Fli>\n\u003Cli>Clicking the main toggle shows and hides the tooltips.\u003C\u002Fli>\n\u003Cli>The main toggle also allows authors to jump to the next issue, restore previously dismissed alerts, visualize text alternatives for images on the page (“alts”), view the document’s heading outline, and view site-wide detection lists.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>The admin experience\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Filterable reports let you explore recent issues, which pages have the most issues, which issues are most common, and which issues have been dismissed. These populate and update when published content is viewed by logged-in authors.\u003C\u002Fli>\n\u003Cli>Various settings are available to constrain checks to specific parts of the page and tweak the sensitivity of several tests.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>The tests\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Text alternatives for visual content\n\u003Cul>\n\u003Cli>Images with no alt text\u003C\u002Fli>\n\u003Cli>Images with a filename as alt text\u003C\u002Fli>\n\u003Cli>Images with very long alt text\u003C\u002Fli>\n\u003Cli>Images with fake alt text to get around field validation (e.g. “TBD”)\u003C\u002Fli>\n\u003Cli>Alt text that contains redundant text like “image of” or “photo of”\u003C\u002Fli>\n\u003Cli>Images in links with alt text that appears to be describing the image instead of the link destination\u003C\u002Fli>\n\u003Cli>Embedded visualizations that usually require a text alternative\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Meaningful links\n\u003Cul>\n\u003Cli>Links with no text\u003C\u002Fli>\n\u003Cli>Links titled with a filename\u003C\u002Fli>\n\u003Cli>Links only titled with generic text: “click here,” “learn more,” “download,” etc.\u003C\u002Fli>\n\u003Cli>Links that open in a new window without warning\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Document outline and structure\n\u003Cul>\n\u003Cli>Skipped heading levels\u003C\u002Fli>\n\u003Cli>Empty headings\u003C\u002Fli>\n\u003Cli>Very long headings\u003C\u002Fli>\n\u003Cli>Suspiciously short blockquotes that may actually be headings\u003C\u002Fli>\n\u003Cli>All-bold paragraphs with no punctuation that may actually be headings\u003C\u002Fli>\n\u003Cli>Suspicious formatting that should probably be converted to a list (sequences of sentences that start with asterisks, emoji or incrementing numbers\u002Fletters)\u003C\u002Fli>\n\u003Cli>Tables without headers\u003C\u002Fli>\n\u003Cli>Empty table header cells\u003C\u002Fli>\n\u003Cli>Tables with document headers (“Header 3”) instead of table headers\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>General quality assurance\n\u003Cul>\n\u003Cli>LARGE QUANTITIES OF CAPS LOCK TEXT\u003C\u002Fli>\n\u003Cli>Links to PDFs and other documents, reminding the user to test the download for accessibility or provide an alternate, accessible format\u003C\u002Fli>\n\u003Cli>Video embeds, reminding the user to add closed captions\u003C\u002Fli>\n\u003Cli>Audio embeds, reminding the user to provide a transcript\u003C\u002Fli>\n\u003Cli>Social media embeds, reminding the user to provide alt attributes\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Feditoria11y.princeton.edu\u002Fconfiguration\u002F#customtests\" rel=\"nofollow ugc\">Custom results\u003C\u002Fa> provided by your JS\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Credit\u003C\u002Fh3>\n\u003Cp>Editoria11y’s WordPress plugin is maintained by Princeton University’s \u003Ca href=\"https:\u002F\u002Fwds.princeton.edu\u002F\" rel=\"nofollow ugc\">Web Development Services\u003C\u002Fa> team:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fitmaybejj\" rel=\"nofollow ugc\">John Jameson\u003C\u002Fa>: Editoria11y JS and CMS integrations\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fjasonpartyka\" rel=\"nofollow ugc\">Jason Partyka\u003C\u002Fa>: Devops\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fbkosborne\" rel=\"nofollow ugc\">Brian Osborne\u003C\u002Fa>: Code review\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.drupal.org\u002Fu\u002Fnotmike\" rel=\"nofollow ugc\">Michael Muzzie\u003C\u002Fa>: Wapuu photos\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Editoria11y began as a fork of the Toronto Metropolitan University’s \u003Ca href=\"https:\u002F\u002Fsa11y.netlify.app\u002F\" rel=\"nofollow ugc\">Sa11y Accessibility Checker\u003C\u002Fa>, and our teams regularly pass new code and ideas back and forth.\u003C\u002Fp>\n","Content accessibility checker written to be intuitive and useful for non-technical authors and editors.",1000,19391,5,"2026-03-07T01:25:00.000Z","7.0","6.0","7.2",[62,20,63,64],"accessibility-checker","quality-assurance","seo","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Feditoria11y-accessibility-checker\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feditoria11y-accessibility-checker.2.1.12.zip",0,{"slug":69,"name":70,"version":71,"author":72,"author_profile":73,"description":74,"short_description":75,"active_installs":76,"downloaded":77,"rating":13,"num_ratings":14,"last_updated":78,"tested_up_to":79,"requires_at_least":80,"requires_php":60,"tags":81,"homepage":86,"download_link":87,"security_score":13,"vuln_count":67,"unpatched_count":67,"last_vuln_date":33,"fetched_at":26},"sa11y","Sa11y, the accessibility quality assurance assistant | Accessibility Checker","1.2.7","Adam Chaboryk","https:\u002F\u002Fprofiles.wordpress.org\u002Fadamchaboryk\u002F","\u003Cp>Sa11y is an accessibility quality assurance tool that visually highlights common accessibility and usability issues. Geared towards content authors, Sa11y straightforwardly identifies errors or warnings at the source with a simple tooltip on how to fix them.\u003C\u002Fp>\n\u003Cp>Sa11y works in \u003Cstrong>Preview\u003C\u002Fstrong> mode.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Over 80 checks.\u003C\u002Fli>\n\u003Cli>Concise tooltips explain issues right at the source.\u003C\u002Fli>\n\u003Cli>Automatically checks content once the page has loaded.\u003C\u002Fli>\n\u003Cli>Highly customizable. Turn off or hide irrelevant checks.\u003C\u002Fli>\n\u003Cli>Content editors can temporarily dismiss warnings.\u003C\u002Fli>\n\u003Cli>100% free and open source.\u003C\u002Fli>\n\u003Cli>Available in English, French, Spanish, Polish, Ukrainian, German, Swedish, and many more languages through machine translations.\u003C\u002Fli>\n\u003Cli>Supports Multisite: create global settings and custom defaults for all websites on your network.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Visit the \u003Ca href=\"https:\u002F\u002Fsa11y.netlify.app\u002F\" rel=\"nofollow ugc\">project website\u003C\u002Fa> for a demo or to learn more!\u003C\u002Fp>\n","Geared towards content authors, Sa11y straightforwardly identifies accessibility issues at the source.",300,14570,"2025-12-18T21:05:00.000Z","6.9.4","5.6",[82,83,62,84,85],"accessibility","accessibility-automated-testing","audit","wcag","https:\u002F\u002Fsa11y.netlify.app\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsa11y.1.2.7.zip",{"slug":89,"name":90,"version":91,"author":92,"author_profile":93,"description":94,"short_description":95,"active_installs":96,"downloaded":97,"rating":67,"num_ratings":67,"last_updated":98,"tested_up_to":99,"requires_at_least":100,"requires_php":101,"tags":102,"homepage":105,"download_link":106,"security_score":107,"vuln_count":67,"unpatched_count":67,"last_vuln_date":33,"fetched_at":26},"diffy","Diffy Visual Regression Testing","0.9.6","Yuriy Gerasymov","https:\u002F\u002Fprofiles.wordpress.org\u002Fygerasimov\u002F","\u003Cp>Diffy helps to verify plugin updates by taking screenshots of your site before and after update and comparing them.\u003C\u002Fp>\n\u003Cp>Ideally you expect zero changes after running updates.\u003C\u002Fp>\n\u003Ch3>Set up instructions\u003C\u002Fh3>\n\u003Cp>You need to have active Diffy (https:\u002F\u002Fdiffy.website) account in order to use this plugin. Plugin will also allow you to create an account and project for your site with one click.\u003C\u002Fp>\n\u003Cp>Diffy provides 2 weeks trial to cover up to 100 pages of your site.\u003C\u002Fp>\n\u003Cp>Your site should be publicly available. Diffy runs workers from AWS infrastructure by using single IP address 3.216.56.216. Whitelist it if needed.\u003C\u002Fp>\n\u003Cp>Once you registered an account, please create a project. You need to specify your site’s URL as Production environment. Add your site’s URLs to the project. Diffy can parse sitemaps if you like. Meanwhile you will want to have just key pages covered by visual regression testing and not every page of your site.\u003C\u002Fp>\n\u003Cp>After setting up the project, generate API key under My Account -> Keys.\u003C\u002Fp>\n\u003Cp>Enter project id and API Key to Diffy’s plugin settings page and you should be good to go.\u003C\u002Fp>\n\u003Ch3>How it works?\u003C\u002Fh3>\n\u003Cp>During plugins update process plugin will call Diffy via API to create set of screenshots before the update. Expect that it will make update process longer.\u003C\u002Fp>\n\u003Cp>After screenshots are ready update process will continue. Once updates are completed plugin will call Diffy once again to create second set of screenshots and compare them with your “before” version.\u003C\u002Fp>\n\u003Cp>You will receive an email notifications about screenshots and diffs being completed.\u003C\u002Fp>\n\u003Cp>Review the report and ensure that nothing got broken.\u003C\u002Fp>\n\u003Ch3>Support\u003C\u002Fh3>\n\u003Cp>Welcome to reach out to Diffy’s team via Intercom or by email info@diffy.website.\u003C\u002Fp>\n","Diffy helps to verify plugin updates by taking screenshots of your site before and after update and comparing them. Ideally you expect zero changes a &hellip;",10,1368,"2023-03-01T21:29:00.000Z","6.1.10","4.8","7.1",[20,103,104],"updates-verification","visual-regression-testing","https:\u002F\u002Fdiffy.website\u002Fwordpress","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdiffy.zip",85,{"attackSurface":109,"codeSignals":156,"taintFlows":277,"riskAssessment":329,"analyzedAt":344},{"hooks":110,"ajaxHandlers":134,"restRoutes":151,"shortcodes":152,"cronEvents":153,"entryPointCount":154,"unprotectedCount":155},[111,117,121,124,127,129],{"type":112,"name":113,"callback":114,"file":115,"line":116},"action","admin_enqueue_scripts","add_sortable","gravitate-plugin-settings.php",12,{"type":112,"name":118,"callback":118,"file":119,"line":120},"admin_menu","gravitate-tester.php",37,{"type":112,"name":122,"callback":122,"file":119,"line":123},"init",38,{"type":112,"name":125,"callback":125,"priority":67,"file":119,"line":126},"wp_head",95,{"type":112,"name":128,"callback":128,"file":119,"line":13},"wp_footer",{"type":130,"name":131,"callback":132,"file":119,"line":133},"filter","show_admin_bar","__return_false",105,[135,141,145,147],{"action":136,"nopriv":137,"callback":138,"hasNonce":137,"hasCapCheck":139,"file":119,"line":140},"grav_run_test",false,"ajax_run_test",true,40,{"action":142,"nopriv":137,"callback":143,"hasNonce":137,"hasCapCheck":137,"file":119,"line":144},"grav_get_test_report","ajax_get_test_report",41,{"action":142,"nopriv":139,"callback":143,"hasNonce":137,"hasCapCheck":137,"file":119,"line":146},42,{"action":148,"nopriv":137,"callback":149,"hasNonce":137,"hasCapCheck":139,"file":119,"line":150},"grav_run_fix_test","ajax_run_fix_test",43,[],[],[],4,2,{"dangerousFunctions":157,"sqlUsage":158,"outputEscaping":160,"fileOperations":275,"externalRequests":275,"nonceChecks":14,"capabilityChecks":155,"bundledLibraries":276},[],{"prepared":67,"raw":67,"locations":159},[],{"escaped":161,"rawEcho":162,"locations":163},19,64,[164,167,168,170,171,173,175,177,178,180,181,183,184,186,187,189,191,193,194,195,196,198,199,201,203,205,207,209,211,213,215,217,218,220,222,224,225,227,229,231,233,234,235,236,237,238,239,241,243,245,247,249,251,253,255,257,259,261,262,265,266,268,270,272],{"file":115,"line":165,"context":166},236,"raw output",{"file":115,"line":165,"context":166},{"file":115,"line":169,"context":166},237,{"file":115,"line":169,"context":166},{"file":115,"line":172,"context":166},276,{"file":115,"line":174,"context":166},284,{"file":115,"line":176,"context":166},412,{"file":115,"line":176,"context":166},{"file":115,"line":179,"context":166},417,{"file":115,"line":179,"context":166},{"file":115,"line":182,"context":166},421,{"file":115,"line":182,"context":166},{"file":115,"line":185,"context":166},426,{"file":115,"line":185,"context":166},{"file":115,"line":188,"context":166},438,{"file":115,"line":190,"context":166},453,{"file":115,"line":192,"context":166},469,{"file":115,"line":192,"context":166},{"file":115,"line":192,"context":166},{"file":115,"line":192,"context":166},{"file":115,"line":197,"context":166},475,{"file":115,"line":197,"context":166},{"file":115,"line":200,"context":166},480,{"file":119,"line":202,"context":166},541,{"file":119,"line":204,"context":166},542,{"file":119,"line":206,"context":166},547,{"file":119,"line":208,"context":166},548,{"file":119,"line":210,"context":166},549,{"file":119,"line":212,"context":166},550,{"file":119,"line":214,"context":166},864,{"file":119,"line":216,"context":166},896,{"file":119,"line":216,"context":166},{"file":119,"line":219,"context":166},898,{"file":119,"line":221,"context":166},901,{"file":119,"line":223,"context":166},914,{"file":119,"line":223,"context":166},{"file":119,"line":226,"context":166},917,{"file":119,"line":228,"context":166},921,{"file":119,"line":230,"context":166},964,{"file":119,"line":232,"context":166},982,{"file":119,"line":232,"context":166},{"file":119,"line":232,"context":166},{"file":119,"line":232,"context":166},{"file":119,"line":232,"context":166},{"file":119,"line":232,"context":166},{"file":119,"line":232,"context":166},{"file":119,"line":240,"context":166},989,{"file":119,"line":242,"context":166},1005,{"file":119,"line":244,"context":166},1021,{"file":119,"line":246,"context":166},1032,{"file":119,"line":248,"context":166},1053,{"file":119,"line":250,"context":166},1070,{"file":119,"line":252,"context":166},1290,{"file":119,"line":254,"context":166},1385,{"file":119,"line":256,"context":166},1391,{"file":119,"line":258,"context":166},1413,{"file":119,"line":260,"context":166},1435,{"file":119,"line":260,"context":166},{"file":263,"line":264,"context":166},"grav_tests\\js_console_logs.php",75,{"file":263,"line":107,"context":166},{"file":263,"line":267,"context":166},93,{"file":269,"line":162,"context":166},"grav_tests\\js_errors.php",{"file":269,"line":271,"context":166},73,{"file":273,"line":274,"context":166},"grav_tests\\php_errors.php",46,6,[],[278,293,307,315],{"entryPoint":279,"graph":280,"unsanitizedCount":154,"severity":35},"admin (gravitate-tester.php:498)",{"nodes":281,"edges":291},[282,286],{"id":283,"type":284,"label":285,"file":119,"line":206},"n0","source","$_GET['section'] (x4)",{"id":287,"type":288,"label":289,"file":119,"line":206,"wp_function":290},"n1","sink","echo() [XSS]","echo",[292],{"from":283,"to":287,"sanitized":137},{"entryPoint":294,"graph":295,"unsanitizedCount":67,"severity":306},"save_settings (gravitate-plugin-settings.php:124)",{"nodes":296,"edges":304},[297,300],{"id":283,"type":284,"label":298,"file":115,"line":299},"$_POST",130,{"id":287,"type":288,"label":301,"file":115,"line":302,"wp_function":303},"update_option() [Settings Manipulation]",148,"update_option",[305],{"from":283,"to":287,"sanitized":139},"low",{"entryPoint":308,"graph":309,"unsanitizedCount":67,"severity":306},"\u003Cgravitate-plugin-settings> (gravitate-plugin-settings.php:0)",{"nodes":310,"edges":313},[311,312],{"id":283,"type":284,"label":298,"file":115,"line":299},{"id":287,"type":288,"label":301,"file":115,"line":302,"wp_function":303},[314],{"from":283,"to":287,"sanitized":139},{"entryPoint":316,"graph":317,"unsanitizedCount":67,"severity":306},"\u003Cgravitate-tester> (gravitate-tester.php:0)",{"nodes":318,"edges":326},[319,320,321,324],{"id":283,"type":284,"label":285,"file":119,"line":206},{"id":287,"type":288,"label":289,"file":119,"line":206,"wp_function":290},{"id":322,"type":284,"label":323,"file":119,"line":24},"n2","$_GET",{"id":325,"type":288,"label":289,"file":119,"line":232,"wp_function":290},"n3",[327,328],{"from":283,"to":287,"sanitized":139},{"from":322,"to":325,"sanitized":139},{"summary":330,"deductions":331},"The 'gravitate-automated-tester' plugin, version 1.0.0, presents a mixed security posture.  While it demonstrates good practices such as using prepared statements for all SQL queries and performing some capability checks, significant concerns exist, particularly regarding its attack surface and output escaping.  The presence of two AJAX handlers without authentication checks represents a critical entry point for potential attacks, especially when combined with a high percentage of improperly escaped output. The taint analysis also reveals flows with unsanitized paths, though no critical or high-severity issues were flagged in this specific analysis, suggesting that existing vulnerabilities might be more subtle or related to improper data handling. The plugin's vulnerability history, including a known medium-severity Cross-Site Scripting (XSS) vulnerability that is currently unpatched, is a major red flag. The fact that the last vulnerability occurred recently and remains unaddressed strongly indicates a lack of proactive security maintenance, increasing the risk of exploitation. In conclusion, while some security foundations are in place, the unpatched vulnerability and the exposed AJAX handlers, coupled with poor output sanitization, create a considerable risk profile for this plugin.",[332,335,337,340,342],{"reason":333,"points":334},"Unpatched CVE identified",15,{"reason":336,"points":96},"AJAX handlers without auth checks (2)",{"reason":338,"points":339},"Significant percentage of unescaped output",8,{"reason":341,"points":56},"Flows with unsanitized paths detected",{"reason":343,"points":56},"Only 1 nonce check on 4 entry points","2026-03-16T22:33:40.921Z",{"wat":346,"direct":354},{"assetPaths":347,"generatorPatterns":349,"scriptPaths":350,"versionParams":351},[348],"\u002Fwp-content\u002Fplugins\u002Fgravitate-automated-tester\u002F",[],[],[352,353],"gravitate-automated-tester\u002Fstyle.css?ver=","gravitate-automated-tester\u002Fscript.js?ver=",{"cssClasses":355,"htmlComments":356,"htmlAttributes":357,"restEndpoints":358,"jsGlobals":359,"shortcodeOutput":361},[],[],[],[],[360],"GRAV_TEST_AUTH_KEY",[]]