[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fmzOQQkKmJ5wCuDRAiTsFLNPDQzsUxphyheVE49hZGu4":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":14,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30,"vulnerabilities":31,"developer":64,"crawl_stats":37,"alternatives":72,"analysis":73,"fingerprints":214},"hero-banner-ultimate","Hero Banner Ultimate","1.4.6","Essential Plugin","https:\u002F\u002Fprofiles.wordpress.org\u002Fessentialplugin\u002F","\u003Cp>\u003Ca href=\"https:\u002F\u002Fdemo.essentialplugin.com\u002Fhero-banner-ultimate-demo\u002F?utm_source=WP&utm_medium=Hero_Banner&utm_campaign=Read-Me\" rel=\"nofollow ugc\">Explore Hero Banner Features\u003C\u002Fa> | \u003Ca href=\"https:\u002F\u002Fessentialplugin.com\u002Fpricing\u002F?utm_source=WP&utm_medium=Hero_Banner&utm_campaign=Read-Me\" rel=\"nofollow ugc\">Annual or Lifetime Bundle Deal\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Add \u003Ca href=\"https:\u002F\u002Fessentialplugin.com\u002Fwordpress-plugin\u002Fhero-banner-ultimate\u002F?utm_source=WP&utm_medium=Hero_Banner&utm_campaign=Read-Me\" rel=\"nofollow ugc\">hero banner\u003C\u002Fa> with the help of background image OR background color OR background video. 
Hero Banner Ultimate comes with 4 types of layouts where you can manage you hero banner design.\u003C\u002Fp>\n\u003Cp>Also work with Gutenberg shortcode block.\u003C\u002Fp>\n\u003Ch4>Plugin shortcode\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>[hbupro_banner id=\"XX\"]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>You can also display popup in template\u002Fphp file:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u003C?php echo do_shortcode('[hbupro_banner id=\"XX\"]'); ?>\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Where id is the banner id.\u003C\u002Fp>\n\u003Cp>In web design, a hero banner is a large web banner image, prominently placed on a web page, generally in the front and center. The hero banner is often the first visual a visitor encounters on the site; it presents an overview of the site’s most important content. A hero image often consists of background image OR background color OR background video and text.\u003C\u002Fp>\n\u003Cp>Large fullscreen backgrounds and hero banners can be used in single page designs with ease.\u003C\u002Fp>\n\u003Ch4>Hero Banner Ultimate Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Background image\u003C\u002Fli>\n\u003Cli>Background color\u003C\u002Fli>\n\u003Cli>Background video\u003C\u002Fli>\n\u003Cli>Title and sub title font size\u003C\u002Fli>\n\u003Cli>Title and sub title font color\u003C\u002Fli>\n\u003Cli>Banner inner padding\u003C\u002Fli>\n\u003Cli>Banner overlay setting\u003C\u002Fli>\n\u003Cli>Call to Action Setting\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>PRO Features :\u003C\u002Fh4>\n\u003Cblockquote>\n\u003Cp>\u003Cstrong>Premium Version\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>10 cool layouts.\u003C\u002Fli>\n\u003Cli>Gradient OR Plain Background Color Option\u003C\u002Fli>\n\u003Cli>Added lots of options\u003C\u002Fli>\n\u003Cli>Extra Setting for Mobile View \u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Ca 
href=\"https:\u002F\u002Fwww.essentialplugin.com\u002Fwordpress-plugin\u002Fhero-banner-ultimate\u002F?utm_source=WP&utm_medium=Hero_Banner&utm_campaign=Read-Me\" rel=\"nofollow ugc\">Explore and check pro feature\u003C\u002Fa>\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Ch3>Security\u003C\u002Fh3>\n\u003Cp>We take security seriously. If you discover a security vulnerability, please send an email to support@essentialplugin.com. All security vulnerabilities will be promptly addressed.\u003C\u002Fp>\n","Add hero banner with the help of background image OR background color OR background video.  Also work with Gutenberg shortcode block.",1000,52954,100,2,"2026-02-20T18:33:00.000Z","6.9.4","4.0","",[20,21,22,23,24],"hero-banner-image","hero-header-video","hero-video-background","vimeo-video-background","youtube-video-background","https:\u002F\u002Fessentialplugin.com\u002Fwordpress-plugin\u002Fhero-banner-ultimate\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhero-banner-ultimate.1.4.6.zip",98,0,"2025-01-06 00:00:00","2026-03-15T15:16:48.613Z",[32,48],{"id":33,"url_slug":34,"title":35,"description":36,"plugin_slug":4,"theme_slug":37,"affected_versions":38,"patched_in_version":39,"severity":40,"cvss_score":41,"cvss_vector":42,"vuln_type":43,"published_date":29,"updated_date":44,"references":45,"days_to_patch":47},"CVE-2025-22305","hero-banner-ultimate-authenticated-author-local-file-inclusion","Hero Banner Ultimate \u003C= 1.4.4 - Authenticated (Author+) Local File Inclusion","The Hero Banner Ultimate plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.4.4. This makes it possible for authenticated attackers, with author-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. 
This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.",null,"\u003C=1.4.4","1.4.5","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Control of Filename for Include\u002FRequire Statement in PHP Program ('PHP Remote File Inclusion')","2025-06-25 13:41:01",[46],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9cfd5cfa-9075-4408-bfb1-fb0c3494f61e?source=api-prod",171,{"id":49,"url_slug":50,"title":51,"description":52,"plugin_slug":4,"theme_slug":37,"affected_versions":53,"patched_in_version":54,"severity":55,"cvss_score":56,"cvss_vector":57,"vuln_type":58,"published_date":59,"updated_date":60,"references":61,"days_to_patch":63},"CVE-2022-45818","hero-banner-ultimate-authenticated-contributor-stored-cross-site-scripting-via-shortcodes","Hero Banner Ultimate \u003C= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes","The Hero Banner Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting possibly via unspecified shortcodes in versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers with contributor-level access, and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","\u003C=1.3.4","1.4","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2023-02-22 00:00:00","2024-01-22 19:56:02",[62],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F8defdd2e-e191-498e-826a-b73c6b4f2f57?source=api-prod",335,{"slug":65,"display_name":7,"profile_url":8,"plugin_count":66,"total_installs":67,"avg_security_score":68,"avg_patch_time_days":69,"trust_score":70,"computed_at":71},"essentialplugin",33,204710,99,219,78,"2026-04-04T03:54:02.172Z",[],{"attackSurface":74,"codeSignals":134,"taintFlows":198,"riskAssessment":199,"analyzedAt":213},{"hooks":75,"ajaxHandlers":124,"restRoutes":125,"shortcodes":126,"cronEvents":132,"entryPointCount":133,"unprotectedCount":28},[76,82,86,90,96,100,104,109,112,116,119],{"type":77,"name":78,"callback":79,"file":80,"line":81},"action","plugins_loaded","hbu_load_textdomain","hero-banner-ultimate.php",81,{"type":77,"name":83,"callback":84,"file":80,"line":85},"update_option_active_plugins","hbu_deactivate_free_version",114,{"type":77,"name":87,"callback":88,"file":80,"line":89},"admin_notices","hbu_admin_notice",176,{"type":77,"name":91,"callback":92,"priority":93,"file":94,"line":95},"admin_menu","hbu_register_menu",9,"includes\\admin\\class-hbu-admin.php",20,{"type":77,"name":97,"callback":98,"file":94,"line":99},"add_meta_boxes","hbu_post_sett_metabox",23,{"type":77,"name":101,"callback":102,"file":94,"line":103},"admin_init","hbu_register_settings",29,{"type":77,"name":105,"callback":106,"file":107,"line":108},"wp_enqueue_scripts","hbu_front_style","includes\\class-hbu-script.php",19,{"type":77,"name":105,"callback":110,"file":107,"line":111},"hbu_front_sc
ript",22,{"type":77,"name":113,"callback":114,"file":107,"line":115},"admin_enqueue_scripts","hbu_admin_style",25,{"type":77,"name":113,"callback":117,"file":107,"line":118},"hbu_admin_script",28,{"type":77,"name":120,"callback":121,"file":122,"line":123},"init","hbu_register_post_type","includes\\hbu-post-types.php",51,[],[],[127],{"tag":128,"callback":129,"file":130,"line":131},"hbupro_banner","hbu_shortcode","includes\\shortcode\\hbu-banner-shortcode.php",190,[],1,{"dangerousFunctions":135,"sqlUsage":136,"outputEscaping":138,"fileOperations":28,"externalRequests":28,"nonceChecks":28,"capabilityChecks":133,"bundledLibraries":197},[],{"prepared":28,"raw":28,"locations":137},[],{"escaped":139,"rawEcho":140,"locations":141},295,27,[142,145,148,150,152,154,156,158,160,162,164,166,168,170,172,174,175,176,178,180,182,184,186,188,191,193,195],{"file":80,"line":143,"context":144},165,"raw output",{"file":146,"line":147,"context":144},"includes\\admin\\metabox\\hbu-post-sett-metabox.php",89,{"file":146,"line":149,"context":144},108,{"file":146,"line":151,"context":144},122,{"file":146,"line":153,"context":144},143,{"file":146,"line":155,"context":144},153,{"file":146,"line":157,"context":144},157,{"file":146,"line":159,"context":144},163,{"file":146,"line":161,"context":144},180,{"file":146,"line":163,"context":144},193,{"file":146,"line":165,"context":144},212,{"file":146,"line":167,"context":144},233,{"file":146,"line":169,"context":144},258,{"file":146,"line":171,"context":144},297,{"file":146,"line":173,"context":144},318,{"file":146,"line":63,"context":144},{"file":146,"line":63,"context":144},{"file":146,"line":177,"context":144},427,{"file":146,"line":179,"context":144},461,{"file":146,"line":181,"context":144},484,{"file":146,"line":183,"context":144},496,{"file":146,"line":185,"context":144},510,{"file":130,"line":187,"context":144},173,{"file":189,"line":190,"context":144},"templates\\layout-1.php",17,{"file":192,"line":190,"context":144},"templates\\layout-2.php
",{"file":194,"line":190,"context":144},"templates\\layout-3.php",{"file":196,"line":190,"context":144},"templates\\layout-4.php",[],[],{"summary":200,"deductions":201},"The 'hero-banner-ultimate' plugin version 1.4.6 presents a mixed security profile. The static analysis indicates generally good coding practices: 295 output sites are escaped against 27 raw echoes, and no direct SQL queries were detected at all (prepared: 0, raw: 0), so the plugin's own code has no SQL-injection surface. No dangerous functions, file operations, or external HTTP requests were found. Two caveats apply. First, the 27 unescaped output sites are concentrated in the admin post-settings metabox (includes\u002Fadmin\u002Fmetabox\u002Fhbu-post-sett-metabox.php), with one in the main plugin file, one in the shortcode handler and one at line 17 of each of the four layout templates; given the plugin's stored-XSS history, the front-end sites (shortcode handler and templates) deserve a manual check. Second, a dynamic include of a layout template, the mechanism behind the 1.4.4 Local File Inclusion, is not necessarily counted as a 'file operation', so confirm that the template path is chosen from a fixed allow-list rather than from request data. The small entry-point count (a single shortcode) and the absence of detected taint flows do not by themselves guarantee safety: zero taint flows can also mean the analyzed code paths were limited.\n\nThe plugin's vulnerability history is a significant concern. Two CVEs are recorded: CVE-2025-22305, an authenticated (Author+) Local File Inclusion in versions up to and including 1.4.4 (CVSS 8.8, high, patched in 1.4.5), and CVE-2022-45818, an authenticated (Contributor+) stored Cross-Site Scripting via shortcodes in versions up to and including 1.3.4 (CVSS 6.4, medium, patched in 1.4). Both were reachable by low-privilege authenticated users, and the recorded days-to-patch values (171 and 335) indicate slow remediation. None are currently unpatched, but the pattern warrants monitoring of future releases. Separately, the analysis found zero nonce checks and only one capability check in the whole plugin. A front-end shortcode renderer needs neither, but the admin surfaces registered on admin_init (hbu_register_settings) and add_meta_boxes (hbu_post_sett_metabox) should verify a nonce and current_user_can() when saving; no unprotected entry point was flagged (unprotected count 0), so treat this as a point to confirm rather than a confirmed gap.\n\nIn conclusion, while the current version shows improvements in secure coding practices such as output escaping, the historical prevalence of severe, low-privilege vulnerabilities warrants caution. Sites should run 1.4.5 or later (1.4.6 is current), since 1.4.4 and earlier are exposed to the Author+ LFI and 1.3.4 and earlier to the Contributor+ stored XSS, and should weigh how much they trust Contributor- and Author-level accounts when evaluating its use.",
[202,204,207,210],{"reason":203,"points":95},"High and Medium severity CVEs in vulnerability history",{"reason":205,"points":206},"History of critical vulnerability types (file inclusion, XSS)",15,{"reason":208,"points":209},"No nonce checks identified",10,{"reason":211,"points":212},"Limited capability checks identified",5,"2026-03-16T18:44:48.792Z",{"wat":215,"direct":228},{"assetPaths":216,"generatorPatterns":221,"scriptPaths":222,"versionParams":223},[217,218,219,220],"\u002Fwp-content\u002Fplugins\u002Fhero-banner-ultimate\u002Fassets\u002Fcss\u002Fhbu-public-style.min.css","\u002Fwp-content\u002Fplugins\u002Fhero-banner-ultimate\u002Fassets\u002Fjs\u002Fhbu-ultimate-bg.min.js","\u002Fwp-content\u002Fplugins\u002Fhero-banner-ultimate\u002Fassets\u002Fjs\u002Fhbu-public-script.js","\u002Fwp-content\u002Fplugins\u002Fhero-banner-ultimate\u002Fassets\u002Fcss\u002Fhbu-admin-style.css",[],[],[224,225,226,227],"hero-banner-ultimate\u002Fassets\u002Fcss\u002Fhbu-public-style.min.css?ver=","hero-banner-ultimate\u002Fassets\u002Fjs\u002Fhbu-ultimate-bg.min.js?ver=","hero-banner-ultimate\u002Fassets\u002Fjs\u002Fhbu-public-script.js?ver=","hero-banner-ultimate\u002Fassets\u002Fcss\u002Fhbu-admin-style.css?ver=",{"cssClasses":229,"htmlComments":232,"htmlAttributes":233,"restEndpoints":234,"jsGlobals":235,"shortcodeOutput":243},[230,231],"hbu-public-style","hbu-admin-style",[],[],[],[236,237,238,239,240,241,242],"HBU_VERSION","HBU_DIR","HBU_URL","HBU_POST_TYPE","HBU_META_PREFIX","HBU_PLUGIN_LINK_UNLOCK","HBU_PLUGIN_LINK_UPGRADE",[]]