[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fi1aOfJ1Mo_aWLLi2-fj7TXvAGIfGl1osOvpJxt9t_VA":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":24,"download_link":25,"security_score":26,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29,"vulnerabilities":30,"developer":45,"crawl_stats":36,"alternatives":52,"analysis":106,"fingerprints":252},"hide-real-download-path","Hide Real Download Path","1.6","Deepak S","https:\u002F\u002Fprofiles.wordpress.org\u002Fdeepaks\u002F","\u003Cp>Plugin helps you to hide real\u002Fdirect path of files hosted on your server for download and make your files secure from unauthorized download. It also maintains a log of all downloads done using it and provide capability to disallow direct linking (hot linking) to your files from other website.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>You can:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Allow or restrict hotlink (direct download) of your files from other website\u002Fexternal links.\u003C\u002Fli>\n\u003Cli>Restrict ‘download only’ from link on your website\u003C\u002Fli>\n\u003Cli>View log of individual download\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>It support multiple files extensions including:\u003Cbr \u002F>\nzip \u002F pdf \u002F doc \u002F xls \u002F ppt \u002F exe \u002F gif \u002F png \u002F jpg \u002F jpeg \u002F mp3 \u002F wav \u002F mpeg \u002F mpg \u002F mpe \u002F mov \u002F avi \u002F xlsx\u003C\u002Fp>\n\u003Cp>*\u003Cstrong>Step by step configuration guideline\u003C\u002Fstrong> in Settings sections of plugin after activation\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Version 1.5 changes:\u003C\u002Fstrong>\u003Cbr \u002F>\n– Corrupt file bug fixed\u003Cbr \u002F>\n– Easy step by step guide added in admin to configure 
plugin\u003Cbr \u002F>\n– Generate Root path dynamically\u003Cbr \u002F>\n– Support for xlsx added\u003C\u002Fp>\n","This plugin help to hide real download path of your files on server and allow file downloading using a common URL. Also maintain log of your downloads &hellip;",100,10370,76,14,"2014-10-20T09:55:00.000Z","4.0.38","3.5","",[20,21,4,22,23],"disable-direct-download","hide-download-path","hot-linking","secure-file","http:\u002F\u002Fxlab.biz\u002Fhide-download-path-of-file-wordpress-plugin\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhide-real-download-path.zip",63,1,"2025-09-05 00:00:00","2026-03-15T15:16:48.613Z",[31],{"id":32,"url_slug":33,"title":34,"description":35,"plugin_slug":4,"theme_slug":36,"affected_versions":37,"patched_in_version":36,"severity":38,"cvss_score":39,"cvss_vector":40,"vuln_type":41,"published_date":28,"updated_date":42,"references":43,"days_to_patch":36},"CVE-2025-58849","hide-real-download-path-cross-site-request-forgery","Hide Real Download Path \u003C= 1.6 - Cross-Site Request Forgery","The Hide Real Download Path plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6. This is due to missing or incorrect nonce validation on a function. 
This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.",null,"\u003C=1.6","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2025-09-09 22:12:34",[44],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9b2a9f5c-c9a0-4366-91ea-bec7839e951f?source=api-prod",{"slug":46,"display_name":7,"profile_url":8,"plugin_count":47,"total_installs":48,"avg_security_score":49,"avg_patch_time_days":50,"trust_score":49,"computed_at":51},"deepaks",5,250,81,30,"2026-04-04T11:24:03.618Z",[53,81],{"slug":54,"name":55,"version":56,"author":57,"author_profile":58,"description":59,"short_description":60,"active_installs":61,"downloaded":62,"rating":63,"num_ratings":64,"last_updated":65,"tested_up_to":66,"requires_at_least":67,"requires_php":68,"tags":69,"homepage":75,"download_link":76,"security_score":77,"vuln_count":78,"unpatched_count":79,"last_vuln_date":80,"fetched_at":29},"prevent-file-access","Prevent files \u002F folders access","2.6.1","miniOrange","https:\u002F\u002Fprofiles.wordpress.org\u002Fcyberlord92\u002F","\u003Cp>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-media-restriction\" rel=\"nofollow ugc\">WordPress Prevent files\u002F folders\u003C\u002Fa> access provides the easiest way to protect WordPress files from public users so that your wordpress media library can be accessed only by \u003Cstrong>WordPress logged in\u003C\u002Fstrong> users or users with \u003Cstrong>specific roles\u002Fcapabilities\u003C\u002Fstrong>. Your \u003Cem>ebooks\u003C\u002Fem>, \u003Cem>pdfs\u003C\u002Fem>, \u003Cem>other important files\u003C\u002Fem>, etc., can be \u003Cstrong>protected from google indexing\u003C\u002Fstrong> so that data is protected from getting stolen. 
Control users access to media library, Control users access to the WordPress upload folder or sub folders, and restrict all the files published on your WordPress site.\u003C\u002Fp>\n\u003Cp>For restricted Content you can choose to redirect users to \u003Cstrong>403 forbidden page\u003C\u002Fstrong>, your \u003Cstrong>custom page\u003C\u002Fstrong>, \u003Cstrong>WordPress login page\u003C\u002Fstrong>, SSO login page (if you are using OAuth or SAML SSO).\u003C\u002Fp>\n\u003Cp>\u003Cstrong>No change required\u003C\u002Fstrong> or \u003Cstrong>no manual work\u003C\u002Fstrong> needed to create a private link to protect your wordpress media file. Our plugin takes care of your media library or via Media, Pages, or Posts.\u003C\u002Fp>\n\u003Cp>We support a level of security where you can choose either \u003Cem>\u003Cstrong>cookie-based\u003C\u002Fstrong>\u003C\u002Fem> restriction or \u003Cem>\u003Cstrong>session-based\u003C\u002Fstrong>\u003C\u002Fem> restriction.\u003Cbr \u002F>\nAlso, we support Apache and Nginx servers to prevent direct access to the WordPress media library and therefore protect the media library for public or restricted users.\u003C\u002Fp>\n\u003Cp>It prevents private download of the media files from public access and only the logged-in users or specific user roles can access and download the wordpress media files.\u003C\u002Fp>\n\u003Cp>We also support media\u002Ffiles\u002Ffolders Restriction based on NFT holding in the user crypto wallet. We support any level of customization according to your requirement.\u003C\u002Fp>\n\u003Ch3>File-Based Protection\u003C\u002Fh3>\n\u003Cp>WordPress Prevent file\u002Ffolder access is developed to allow you to protect wordpress media file in your customized way. It will prevent direct access from media library \u003Cstrong>based on their extension\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>You can protect file types below:\n\n* Images - Every type of image files can be protected. 
eg: jpeg, jpg, gif, png, bmp, webp, pfg, ico, psd, etc.\n* Videos - Every type of video files can be protected. eg: mp4, m4a, m4v, f4v, f4a, m4b, m4r, f4b, mov, 3gp, avi etc.\n* Documents - Every type of document files can be protected. eg: doc, docx, html, pdf, txt, ppt, xls, xlsx, pptx, odt.\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Redirect\u003C\u002Fh3>\n\u003Cp>WordPress Prevent file\u002Ffolder access provides \u003Cstrong>redirect options\u003C\u002Fstrong>. This allow you to redirect the restricted users to any WordPress page of your website.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>403 forbidden page\u003C\u002Fstrong> \u003Cem>(DEFAULT)\u003C\u002Fem> – \u003Cem>Users will be shown 403 forbidden pages with a restricted access message.\u003C\u002Fem>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Display custom page\u003C\u002Fstrong> – \u003Cem>We can redirect users to any WordPress custom page when they try to access restricted files or folders.\u003C\u002Fem>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WordPress login\u003C\u002Fstrong> – \u003Cem>Users will be redirected to the WordPress default login page.\u003C\u002Fem>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IDP login\u003C\u002Fstrong> – \u003Cem>Users will redirect to the selected IDP (SAML\u002FOAuth) login page and after IdP authentication they can see the restricted content.\u003C\u002Fem>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Private Directory\u002FProtected folder\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Our plugin also gives you a \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-media-restriction#mediarestriction\" rel=\"nofollow ugc\">Private Directory\u003C\u002Fa> where you can add files of all extension types and restrictions will be applied to all files inside the private directory.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Membership Based Media Restriction.\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>WordPress Prevent files\u002F folder allows you to secure media library and 
control wp-content\u002Fuploads access based on the membership purchased by the user.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Folder Based Protection\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>WordPress Prevent files\u002F folders access allows you to protect your folders too, the \u003Cstrong>wp-content or uploads\u003C\u002Fstrong> folder where all the wordpress media files like images, videos, and document files are stored will also be protected.\u003C\u002Fli>\n\u003Cli>Users have the option to \u003Cstrong>protect a particular month’s media files or sub folder in uploads directory.\u003C\u002Fstrong>.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>User-Based Restriction\u003C\u002Fstrong> – A particular user can access only a particular folder. (Admin would be able to access all the folders)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Role Base folder access\u003C\u002Fstrong> – Uploads folder or subfolders can be restricted for public access and allowed folder access to users with specific role. (Admin would be able to access all the folders)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>We support \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.learndash.com\u002F\" rel=\"nofollow ugc\">LearnDash\u003C\u002Fa>\u003C\u002Fstrong> and other LMS to restrict files and folders according to different groups and specific user roles.\u003C\u002Fp>\n\u003Cp>You can customize the restriction rules and use them as per your needs.\u003C\u002Fp>\n\u003Cp>This functionality operates at the server level, thus if the Apache server rules don’t work, or also the WP Engine, Siteground, and other servers like this run on an Nginx server, which requires the use of Nginx configuration rules. If you face any issues please email us at \u003Cem>info@xecurify.com\u003C\u002Fem> or \u003Cem>oauthsupport@xecurify.com\u003C\u002Fem>. 
We would recommend you to please ensure your PHP server and rules first which will work on your server before purchasing it or else \u003Cstrong>contact us we will help you to set up the plugin according to your requirements on your site.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>FREE VERSION FEATURES\u003C\u002Fp>\n\u003Cul>\n\u003Cli>WordPress Prevent Files\u002FFolder Access allows you to protect your wordpress media files, libraries and folders from public access.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>File Extensions Restricted\u003C\u002Fstrong> – Can restrict five standard extensions (.png, .jpg, .gif, .pdf, .doc).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Redirection of non-logged-in users\u003C\u002Fstrong>: Can redirect non-logged-in users to any page of your WordPress site.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Protected Folder\u003C\u002Fstrong>: Can keep selected files in a protected folder and they will be restricted from the public users.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Supported Servers\u003C\u002Fstrong>: You can configure the plugin on the Apache server easily.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security Level Base\u003C\u002Fstrong>: Plugin will check if a user is logged in or not through Cookie.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>PREMIUM VERSION FEATURES\u003C\u002Fp>\n\u003Cul>\n\u003Cli>WordPress Prevent Files\u002FFolder Access allows you to protect your media files and folders from public access.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>File Extensions Restricted\u003C\u002Fstrong> – Media restriction to unlimited extensions is supported.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Redirection of non-logged-in users\u003C\u002Fstrong>: You can redirect the non-logged-in users to any page of your WordPress site or to the WordPress login page.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Folder Restriction\u003C\u002Fstrong>: Can restrict access to wordpress media library from non-logged-in users. 
\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Protected Folder\u003C\u002Fstrong>: Can store unlimited files in a private directory\u002Fprotected folder and they will be restricted from the public users and indexing on search engine.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Supported Servers\u003C\u002Fstrong>: You can configure plugins on Apache and NGINX servers easily.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security Level Base\u003C\u002Fstrong>: Plugin will check if a user is logged in or not through Cookie.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>ENTERPRISE VERSION FEATURES\u003C\u002Fp>\n\u003Cul>\n\u003Cli>WordPress Prevent Files\u002FFolder Access allows you to protect your WordPress media files and folders from public access.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>File Extensions Restricted\u003C\u002Fstrong> – Media restriction to unlimited extensions is supported.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Redirection of non-logged-in users\u003C\u002Fstrong>: You can redirect non-logged-in users to any page of your WordPress site or to the WordPress login page or to SAML\u002FOAuth login page.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Folder Restriction\u003C\u002Fstrong>: Can restrict access to the WordPress uploads folder or any other folder in your WordPress instance from non-logged-in users by enabling user access restrictions. 
\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Protected Folder\u003C\u002Fstrong>: Can keep unlimited files in a protected folder and they will be restricted from the public users to prevent direct access to specific user roles.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Supported Servers\u003C\u002Fstrong>: You can configure plugins on Apache and NGINX servers easily.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security Level Base\u003C\u002Fstrong>: Plugin will check if a user is logged in or not through Cookie or Session.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>ALL INCLUSIVE VERSION FEATURES\u003C\u002Fp>\n\u003Cul>\n\u003Cli>WordPress Prevent Files\u002FFolder Access allows you to protect your WordPress media files and folders from public access.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>File Extensions Restricted\u003C\u002Fstrong> – Media restriction to unlimited extensions is supported.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Redirection of non-logged-in users\u003C\u002Fstrong>: You can redirect non-logged-in users to any page of your WordPress site or to the WordPress login page or to SAML\u002FOAuth login page.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Folder Restriction\u003C\u002Fstrong>: Can restrict access to the WordPress uploads folder or any other folder in your WordPress instance from non-logged-in users by enabling user access restrictions. 
\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Protected Folder\u003C\u002Fstrong>: Can keep unlimited files in a protected folder and they will be restricted from the public users to prevent direct access to specific user roles.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Supported Servers\u003C\u002Fstrong>: You can configure plugins on Apache and NGINX servers easily.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security Level Base\u003C\u002Fstrong>: Plugin will check if a user is logged in or not through Cookie or Session.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Media Management\u003C\u002Fstrong>: You can create custom folders and subfolders to organize your media library and control access of the created folders and subfolders.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Download Logs\u003C\u002Fstrong>: You can view logs for uploading, downloading, and deleting files.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Membership Based Media Restriction\u003C\u002Fstrong>: Compatible with Paid Memberships Pro, ARMember Membership, WordPress Membership, and WooCommerce Subscriptions.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>DOCUMENTATION AND SUPPORT\u003C\u002Fp>\n\u003Cul>\n\u003Cli>For documentation go to our \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-media-restriction#mediarestriction\" rel=\"nofollow ugc\">Documentation\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>If you have any questions or want to request new features, contact us via email at \u003Ca href=\"mailto:oauthsupport@xecurify.com\" rel=\"nofollow ugc\">oauthsupport@xecurify.com\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n","Prevent public access to WordPress files and folders. 
Protect downloads from public access, Role-based folder access, and User base folder access.",1000,34694,92,35,"2025-06-24T06:01:00.000Z","6.8.5","3.0.1","5.6",[70,71,72,73,74],"content-restriction","media-restriction","protect-uploads","protect-folders","secure-files","http:\u002F\u002Fminiorange.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fprevent-file-access.2.6.1.zip",97,2,0,"2025-08-06 00:00:00",{"slug":82,"name":83,"version":84,"author":85,"author_profile":86,"description":87,"short_description":88,"active_installs":89,"downloaded":90,"rating":91,"num_ratings":14,"last_updated":92,"tested_up_to":93,"requires_at_least":17,"requires_php":94,"tags":95,"homepage":101,"download_link":102,"security_score":103,"vuln_count":104,"unpatched_count":27,"last_vuln_date":105,"fetched_at":29},"filr-protection","Filr – Secure document library","1.2.14","WP Chill","https:\u002F\u002Fprofiles.wordpress.org\u002Fwpchill\u002F","\u003Ch3>Easily Create a Secure Document Library with Filr\u003C\u002Fh3>\n\u003Cp>Filr helps you safely upload, organize, and share documents on your site. 
Use direct links or show all files in a library for easy access.\u003C\u002Fp>\n\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FBlvBVbN2-2w?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent&listType=playlist&list=PLM2tOjfhVrZd3qpZiBogLE3ii3jyDo3bP\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n\u003Ch3>Filr Pro – advanced features available after making a purchase\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Enhanced File Security & Access Control\u003C\u002Fstrong>\u003Cbr \u002F>\n– Support for \u003Cstrong>external files\u003C\u002Fstrong>.\u003Cbr \u002F>\n– Restrict file access by \u003Cstrong>user email\u003C\u002Fstrong> or \u003Cstrong>user role\u003C\u002Fstrong>.\u003Cbr \u002F>\n– Encrypt filenames for extra privacy.\u003Cbr \u002F>\n– Password-protected ZIP files.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Flexible File Expiry Options\u003C\u002Fstrong>\u003Cbr \u002F>\n– Expire uploads after a \u003Cstrong>set number of downloads\u003C\u002Fstrong>.\u003Cbr \u002F>\n– Set an \u003Cstrong>expiration date\u003C\u002Fstrong> for files to auto-remove access.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Advanced Upload & Storage Management\u003C\u002Fstrong>\u003Cbr \u002F>\n– Upload multiple files at once and \u003Cstrong>automatically zip them\u003C\u002Fstrong>.\u003Cbr \u002F>\n– Store files in \u003Cstrong>custom directories\u003C\u002Fstrong> for better organization.\u003Cbr \u002F>\n– Manage folders efficiently with built-in \u003Cstrong>folder management\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Extended Shortcode Customization\u003C\u002Fstrong>\u003Cbr \u002F>\n– More options 
to \u003Cstrong>configure, style, and customize\u003C\u002Fstrong> document library shortcodes.\u003C\u002Fp>\n\u003Cp>Get it now on \u003Ca href=\"https:\u002F\u002Fwpdocumentlibrary.com\" rel=\"nofollow ugc\">wpdocumentlibrary.com\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Documentation\u003C\u002Fh3>\n\u003Cp>Learn more about this plugin [in our official documentation]](https:\u002F\u002Fwpdocumentlibrary.com\u002Fkb\u002F)\u003C\u002Fp>\n\u003Ch3>Support\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Free users: \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fplugin\u002Ffilr-protection\u002F\" rel=\"ugc\">Ask in our forum\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Pro users: \u003Ca href=\"https:\u002F\u002Fwpdocumentlibrary.com\u002Fcontact-us\u002F?utm_source=wordpress.org&utm_medium=web&utm_campaign=description&utm_term=contact+us\" rel=\"nofollow ugc\">Get priority help\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n","Easily Create a Secure Document Library with Filr",800,30060,90,"2026-03-06T09:12:00.000Z","6.9.4","7.4",[96,97,98,99,100],"digital-downloads","document-library","document-management","file-manager","secure-file-sharing","https:\u002F\u002Fwpdocumentlibrary.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffilr-protection.1.2.14.zip",62,6,"2026-02-26 
00:00:00",{"attackSurface":107,"codeSignals":123,"taintFlows":155,"riskAssessment":234,"analyzedAt":251},{"hooks":108,"ajaxHandlers":115,"restRoutes":116,"shortcodes":117,"cronEvents":122,"entryPointCount":27,"unprotectedCount":79},[109],{"type":110,"name":111,"callback":112,"file":113,"line":114},"action","admin_menu","ticker_menu","hide-download-path.php",55,[],[],[118],{"tag":119,"callback":120,"file":113,"line":121},"download_page","download_link_page",395,[],{"dangerousFunctions":124,"sqlUsage":125,"outputEscaping":136,"fileOperations":126,"externalRequests":79,"nonceChecks":79,"capabilityChecks":79,"bundledLibraries":154},[],{"prepared":78,"raw":126,"locations":127},3,[128,131,134],{"file":113,"line":129,"context":130},18,"$wpdb->get_var() with variable interpolation",{"file":113,"line":132,"context":133},45,"$wpdb->query() with variable interpolation",{"file":113,"line":135,"context":133},74,{"escaped":79,"rawEcho":137,"locations":138},7,[139,142,144,146,148,150,152],{"file":113,"line":140,"context":141},95,"raw output",{"file":113,"line":143,"context":141},102,{"file":113,"line":145,"context":141},119,{"file":113,"line":147,"context":141},121,{"file":113,"line":149,"context":141},138,{"file":113,"line":151,"context":141},140,{"file":113,"line":153,"context":141},359,[],[156,172,198,210],{"entryPoint":157,"graph":158,"unsanitizedCount":27,"severity":38},"download_settings_main (hide-download-path.php:77)",{"nodes":159,"edges":169},[160,164],{"id":161,"type":162,"label":163,"file":113,"line":151},"n0","source","$_SERVER['SERVER_NAME']",{"id":165,"type":166,"label":167,"file":113,"line":151,"wp_function":168},"n1","sink","echo() [XSS]","echo",[170],{"from":161,"to":165,"sanitized":171},false,{"entryPoint":173,"graph":174,"unsanitizedCount":126,"severity":38},"download_link_page 
(hide-download-path.php:185)",{"nodes":175,"edges":194},[176,179,183,185,190,192],{"id":161,"type":162,"label":177,"file":113,"line":178},"$_GET",290,{"id":165,"type":166,"label":180,"file":113,"line":181,"wp_function":182},"fopen() [File Access]",341,"fopen",{"id":184,"type":162,"label":177,"file":113,"line":178},"n2",{"id":186,"type":166,"label":187,"file":113,"line":188,"wp_function":189},"n3","header() [Header Injection]",347,"header",{"id":191,"type":162,"label":177,"file":113,"line":178},"n4",{"id":193,"type":166,"label":167,"file":113,"line":153,"wp_function":168},"n5",[195,196,197],{"from":161,"to":165,"sanitized":171},{"from":184,"to":186,"sanitized":171},{"from":191,"to":193,"sanitized":171},{"entryPoint":199,"graph":200,"unsanitizedCount":27,"severity":209},"updateSettings (hide-download-path.php:58)",{"nodes":201,"edges":207},[202,204],{"id":161,"type":162,"label":203,"file":113,"line":135},"$_POST['txtReferred']",{"id":165,"type":166,"label":205,"file":113,"line":135,"wp_function":206},"query() [SQLi]","query",[208],{"from":161,"to":165,"sanitized":171},"high",{"entryPoint":211,"graph":212,"unsanitizedCount":47,"severity":209},"\u003Chide-download-path> 
(hide-download-path.php:0)",{"nodes":213,"edges":228},[214,215,216,217,218,219,220,222,224,226],{"id":161,"type":162,"label":203,"file":113,"line":135},{"id":165,"type":166,"label":205,"file":113,"line":135,"wp_function":206},{"id":184,"type":162,"label":163,"file":113,"line":151},{"id":186,"type":166,"label":167,"file":113,"line":151,"wp_function":168},{"id":191,"type":162,"label":177,"file":113,"line":178},{"id":193,"type":166,"label":180,"file":113,"line":181,"wp_function":182},{"id":221,"type":162,"label":177,"file":113,"line":178},"n6",{"id":223,"type":166,"label":187,"file":113,"line":188,"wp_function":189},"n7",{"id":225,"type":162,"label":177,"file":113,"line":178},"n8",{"id":227,"type":166,"label":167,"file":113,"line":153,"wp_function":168},"n9",[229,230,231,232,233],{"from":161,"to":165,"sanitized":171},{"from":184,"to":186,"sanitized":171},{"from":191,"to":193,"sanitized":171},{"from":221,"to":223,"sanitized":171},{"from":225,"to":227,"sanitized":171},{"summary":235,"deductions":236},"The \"hide-real-download-path\" plugin v1.6 presents a mixed security posture. While it has a limited attack surface with no exposed AJAX handlers or REST API routes without permission checks, and no dangerous functions or external HTTP requests, significant concerns arise from its code analysis and vulnerability history. The plugin exhibits a complete lack of output escaping, meaning any data processed and displayed could be vulnerable to XSS attacks. Furthermore, the taint analysis reveals flows with unsanitized paths, with two high-severity issues, indicating potential vulnerabilities in how file paths are handled, which could lead to unauthorized file access or manipulation. The plugin's history of known CVEs, including a currently unpatched medium severity vulnerability, is a substantial red flag. 
The past occurrence of CSRF vulnerabilities suggests a pattern of incomplete security implementation, particularly in handling user actions.\n\nWhile the plugin demonstrates some good practices by using prepared statements for a portion of its SQL queries and limiting its direct attack surface, the critical deficiencies in output escaping and the presence of high-severity taint flows are serious risks. The unpatched vulnerability further exacerbates these concerns, indicating a lack of ongoing maintenance and security responsiveness. Users of this plugin should be aware of the potential for XSS and path traversal\u002Fmanipulation vulnerabilities, and the risk associated with an unpatched security flaw.",[237,240,243,245,247,249],{"reason":238,"points":239},"Unpatched CVE present",15,{"reason":241,"points":242},"High severity taint flows detected",20,{"reason":244,"points":242},"No output escaping",{"reason":246,"points":47},"SQL queries not fully prepared",{"reason":248,"points":47},"No nonce checks",{"reason":250,"points":47},"No capability 
checks","2026-03-16T21:09:13.667Z",{"wat":253,"direct":264},{"assetPaths":254,"generatorPatterns":256,"scriptPaths":257,"versionParams":260},[255],"\u002Fwp-content\u002Fplugins\u002Fhide-real-download-path\u002Fcss\u002Fstyle.css",[],[258,259],"\u002Fwp-content\u002Fplugins\u002Fhide-real-download-path\u002Fjs\u002Fjquery.js","\u002Fwp-content\u002Fplugins\u002Fhide-real-download-path\u002Fjs\u002Fdownload.js",[261,262,263],"hide-real-download-path\u002Fcss\u002Fstyle.css?ver=","hide-real-download-path\u002Fjs\u002Fjquery.js?ver=","hide-real-download-path\u002Fjs\u002Fdownload.js?ver=",{"cssClasses":265,"htmlComments":270,"htmlAttributes":271,"restEndpoints":281,"jsGlobals":282,"shortcodeOutput":283},[266,267,268,269],"download-text","table-heading","td-label","td-text",[],[272,273,274,275,276,277,278,279,280],"id=\"txtReferred\"","name=\"txtReferred\"","id=\"txtBaseDir\"","name=\"txtBaseDir\"","id=\"chk_log\"","name=\"chk_log\"","id=\"frm_settings\"","id=\"btn_saveSettings\"","name=\"btn_saveSettings\"",[],[],[]]