[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ffSaLaXYnvjupPVnXh3EZQiFYQ0v4wgQSFSpi8BJXmQE":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":7,"tags":17,"homepage":23,"download_link":24,"security_score":25,"vuln_count":13,"unpatched_count":13,"last_vuln_date":26,"fetched_at":27,"vulnerabilities":28,"developer":29,"crawl_stats":26,"alternatives":36,"analysis":131,"fingerprints":300},"hikari-unicornified-gravatars","Hikari Unicornified Gravatars","0.00.02","","https:\u002F\u002Fprofiles.wordpress.org\u002Fshidouhikari\u002F","\u003Cp>\u003Cstrong>Hikari Unicornified Gravatars\u003C\u002Fstrong> converts avatars from people that don’t have a Gravatar, into customized unicorns.\u003C\u002Fp>\n\u003Cp>Commenters that have their email registered in Gravatar service are kept with their original Gravatars. 
But people not registered in Gravatar, instead of having a default avatar that always looks the same, are provided with a variety of unicorns avatars, that are related and specific to their email.\u003C\u002Fp>\n\u003Cp>And those anonymous commenters that don’t provide any email, they receive randomized unicorns avatars, which change on every page load!!\u003C\u002Fp>\n\u003Cp>That’s possible thanks to \u003Ca href=\"http:\u002F\u002Fmeta.stackoverflow.com\u002Fquestions\u002F37328\u002Fmy-godits-full-of-unicorns\" rel=\"nofollow ugc\">StackOverflow\u003C\u002Fa>, which developed a Gravatar-compatible algorithm that generates \u003Ca href=\"http:\u002F\u002Fblog.gravatar.com\u002F2010\u002F04\u002F01\u002Funicorn-gravatars-stack-overflow\u002F\" rel=\"nofollow ugc\">unicorns avatars\u003C\u002Fa> in place of standard Gravatar ones.\u003C\u002Fp>\n\u003Cp>I dedicate Hikari Unicornified Gravatars to \u003Cstrong>Ju\u003C\u002Fstrong>, my beloved friend ^-^\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Works instantly on any place where WordPress \u003Ccode>get_avatar()\u003C\u002Fcode> function is used\u003C\u002Fli>\n\u003Cli>Uses \u003Ca href=\"http:\u002F\u002Funicornify.appspot.com\u002Fuse-it\" rel=\"nofollow ugc\">Unicornify\u003C\u002Fa> service to grab unicornified avatars, the same way Gravatar works\u003C\u002Fli>\n\u003Cli>Emails registered in Gravatar service are not changed, and their Gravatar is preserved\u003C\u002Fli>\n\u003Cli>Emails not registered in Gravatar, instead of showing a default avatar, show a unicorn related to their specific email\u003C\u002Fli>\n\u003Cli>When email is not provided (generally in anonymous comments), random unicorns are used, which change on every page reload\u003C\u002Fli>\n\u003Cli>Of course, emails are preserved inside WordPress and never sent outside of it, privacy FTW 😉\u003C\u002Fli>\n\u003C\u002Ful>\n","Hikari Unicornified Gravatars converts avatars from people that don't have a Gravatar, into 
customized unicorns.",10,2535,0,"2010-04-09T04:52:00.000Z","2.9.2","2.8.0",[18,19,20,21,22],"avatar","comment","comments","gravatar","unicorn","http:\u002F\u002FHikari.ws\u002Funicornified-gravatar\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhikari-unicornified-gravatars.zip",85,null,"2026-03-15T15:16:48.613Z",[],{"slug":30,"display_name":30,"profile_url":8,"plugin_count":31,"total_installs":32,"avg_security_score":25,"avg_patch_time_days":33,"trust_score":34,"computed_at":35},"shidouhikari",6,350,30,84,"2026-04-05T15:28:11.275Z",[37,57,76,98,115],{"slug":38,"name":39,"version":40,"author":41,"author_profile":42,"description":43,"short_description":44,"active_installs":45,"downloaded":46,"rating":47,"num_ratings":48,"last_updated":49,"tested_up_to":50,"requires_at_least":51,"requires_php":7,"tags":52,"homepage":55,"download_link":56,"security_score":25,"vuln_count":13,"unpatched_count":13,"last_vuln_date":26,"fetched_at":27},"easygravatars","Easy Gravatars","1.3","Dougal Campbell","https:\u002F\u002Fprofiles.wordpress.org\u002Fdougal\u002F","\u003Cp>This plugin allows you to automatically add Gravatars for commenters to your\u003Cbr \u002F>\ntheme, if your theme does not already support them.\u003C\u002Fp>\n\u003Cp>According to the Gravatar.com website, Gravatars are Globally Recognized\u003Cbr \u002F>\nAvatars, or an “avatar image that follows you from weblog to weblog\u003Cbr \u002F>\nappearing beside your name when you comment on gravatar enabled sites.”\u003Cbr \u002F>\nYou register with the Gravatar server, and upload an image which you will\u003Cbr \u002F>\nuse as your avatar. 
The gravatar image is keyed to your email address, so\u003Cbr \u002F>\nthat it is unique to you.\u003C\u002Fp>\n\u003Cp>This plugin will display gravatars for the people who comment on your posts.\u003Cbr \u002F>\nYou do not need to modify any of your template files — just activate the\u003Cbr \u002F>\nplugin, and it will add gravatars to your comments template automatically.\u003C\u002Fp>\n\u003Ch3>Credits\u003C\u002Fh3>\n\u003Cp>Based on a code snippet from Matt Mullenweg:\u003Cbr \u002F>\n  http:\u002F\u002Fphotomatt.net\u002F2007\u002F10\u002F20\u002Fgravatar-enabled\u002F\u003Cbr \u002F>\n  http:\u002F\u002Fpastebin.ca\u002F743979\u003C\u002Fp>\n\u003Cp>Props to David Potter for pointing out that Gravatar normalizes email\u003Cbr \u002F>\naddresses to lowercase before hashing with MD5:\u003Cbr \u002F>\n  http:\u002F\u002Fdpotter.net\u002FTechnical\u002Findex.php\u002F2007\u002F10\u002F22\u002Fintegrating-gravatar-support\u002F\u003C\u002Fp>\n","Add Gravatars to your comments without modifying any template files. Just activate, and you're done!",200,64590,100,1,"2010-01-14T15:36:00.000Z","3.0.5","2.0.4",[18,53,20,21,54],"avatars","gravatars","http:\u002F\u002Fdougal.gunters.org\u002Fplugins\u002Feasy-gravatars","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feasygravatars.1.3.zip",{"slug":58,"name":59,"version":60,"author":61,"author_profile":62,"description":63,"short_description":64,"active_installs":45,"downloaded":65,"rating":47,"num_ratings":66,"last_updated":67,"tested_up_to":68,"requires_at_least":69,"requires_php":7,"tags":70,"homepage":74,"download_link":75,"security_score":47,"vuln_count":13,"unpatched_count":13,"last_vuln_date":26,"fetched_at":27},"top-commentators-widget","Top Commentators Widget","1.7","Lorna Timbah","https:\u002F\u002Fprofiles.wordpress.org\u002Fwebgrrrl\u002F","\u003Cp>This plugin creates a widget to show the top commentators in your WP site. 
Always go back to the Widget settings after each version update to Save your settings. Demo can be found at http:\u002F\u002Fdemo.webgrrrl.net\u003C\u002Fp>\n\u003Cp>The Top Commentators Widget plugin is adapted from Show Top Commentators plugin at Personal Financial Advice, this widget is easier to manage via the control form (no need to edit the PHP file); additional options are also available to make it more flexible. Read the FAQ section on how to customize the widget. Read the Changelog as well as http:\u002F\u002Fwebgrrrl.net\u002Ftags\u002Ftcw for the latest news on this widget.\u003C\u002Fp>\n\u003Cp>This widget is extensively tested with the following settings: Google Chrome 13.0.782.215 m, PHP 5.2.13, Apache 2.2.15 (Win32), MySQL 5.0.51a, WordPress 3.2.1. Further testing and bug report on this widget is greatly welcomed and appreciated.\u003C\u002Fp>\n","Adds a sidebar widget to show the top commentators in your WP site. Demo: http:\u002F\u002Fdemo.webgrrrl.net",156008,2,"2025-12-20T13:00:00.000Z","6.6.5","2.8",[20,21,71,72,73],"seo","sidebar","widget","http:\u002F\u002Fwebgrrrl.net\u002Farchives\u002Fmy-top-commentators-widget-quick-dirty.htm","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftop-commentators-widget.1.7.zip",{"slug":77,"name":78,"version":79,"author":80,"author_profile":81,"description":82,"short_description":83,"active_installs":47,"downloaded":84,"rating":85,"num_ratings":31,"last_updated":86,"tested_up_to":87,"requires_at_least":88,"requires_php":7,"tags":89,"homepage":95,"download_link":96,"security_score":97,"vuln_count":13,"unpatched_count":13,"last_vuln_date":26,"fetched_at":27},"polygon-recent-comments-with-avatar","Polygon Recent Comments With Avatar","1.0.4","polyxgo","https:\u002F\u002Fprofiles.wordpress.org\u002Fsanddesert88\u002F","\u003Cp>Display recent comments in the sidebar with user avatar\u002FGravatar support, styles, information, and an active scrollbar for handling numerous comments.\u003Cbr 
\u002F>\n\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fpolygon-recent-comments-with-avatar\u002Ffaq\u002F\" rel=\"ugc\">FAQ\u003C\u002Fa>\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwikipoly.com\u002Fen\u002Fpoly-comments\u002F\" rel=\"nofollow ugc\">Support and request additional features as needed\u003C\u002Fa>\u003C\u002Fp>\n","Polygon Recent Comments With Avatar: Recent comments with avatar support, including Gravatar, date, username, user link, and scrollbar.",5262,94,"2024-05-24T22:52:00.000Z","6.5.8","4.1",[90,91,92,93,94],"display-recent-comments","recent-comment-with-author-gravatar","recent-comments","recent-comments-information","recent-comments-with-avatar","https:\u002F\u002Fpolyxgo.vn","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpolygon-recent-comments-with-avatar.1.0.4.zip",92,{"slug":99,"name":100,"version":101,"author":102,"author_profile":103,"description":104,"short_description":105,"active_installs":106,"downloaded":107,"rating":47,"num_ratings":66,"last_updated":108,"tested_up_to":109,"requires_at_least":110,"requires_php":7,"tags":111,"homepage":113,"download_link":114,"security_score":25,"vuln_count":13,"unpatched_count":13,"last_vuln_date":26,"fetched_at":27},"default-gravatar-sans","Default Gravatar Sans","1.1.2","raohmaru","https:\u002F\u002Fprofiles.wordpress.org\u002Fraohmaru\u002F","\u003Cp>Disables default Gravatar.com avatar and redirection to gravatar.com servers, and allows to define a local default avatar image for users without avatar in his profile.\u003C\u002Fp>\n\u003Ch3>1.1.2\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Bug fixes.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>1.1.1\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Bug fixes.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>1.1\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Compatible with WordPress 4.8.\u003C\u002Fli>\n\u003Cli>Support for high resolution avatar images\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>1.0\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Initial 
release.\u003C\u002Fli>\n\u003C\u002Ful>\n","Disables Gravatar.com avatar, and allows one local default avatar image for users without avatar in his profile.",50,4197,"2017-10-03T12:01:00.000Z","4.8.28","3.0",[18,20,21,112],"users","http:\u002F\u002Fraohmaru.com\u002Fblog\u002Fwordpress\u002Fdefault-gravatar-sans\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdefault-gravatar-sans.1.1.2.zip",{"slug":116,"name":117,"version":118,"author":119,"author_profile":120,"description":121,"short_description":122,"active_installs":123,"downloaded":124,"rating":47,"num_ratings":48,"last_updated":125,"tested_up_to":126,"requires_at_least":127,"requires_php":7,"tags":128,"homepage":129,"download_link":130,"security_score":47,"vuln_count":13,"unpatched_count":13,"last_vuln_date":26,"fetched_at":27},"mirror-gravatar","Mirror Gravatar","1.5","jwz","https:\u002F\u002Fprofiles.wordpress.org\u002Fjwz\u002F","\u003Cp>Locally mirrors commenters’ Gravatar, Libravatar and Mastodon avatars and serves them from your site, rather than loading them from a third-party web site upon each page load.\u003C\u002Fp>\n\u003Cp>This has several effects:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>If most of the comments on a post have no avatar, those turn into \u003Cem>one\u003C\u002Fem> load of a shared image, instead of one for each comment, that happens to return the same “mystery” image.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>You will be serving more (small) images.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>If a commenter’s URL looks like a link to a Mastodon \u002F ActivityPub profile, their Mastodon account’s avatar will be displayed.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>When commenting, a live preview of the avatar tracks the contents of the “Email” field.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.gravatar.com\u002F\" rel=\"nofollow ugc\">gravatar.com\u003C\u002Fa> and \u003Ca 
href=\"https:\u002F\u002Fwww.libravatar.org\u002F\" rel=\"nofollow ugc\">libravatar.org\u003C\u002Fa> no longer have a web-bug on your blog that is loaded by each viewer.  Instead of being loaded at every page view, the avatar is loaded just once, on the server-side, at the time each new comment is posted.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>If someone changes or deletes their avatar, your site continues displaying the image that was their avatar at the time that they last posted.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Likewise, the user’s Gravatar or Mastodon profile is saved along with their comment, viewable by admins even if they later change or delete it.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Security and Privacy\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.libravatar.org\u002F\" rel=\"nofollow ugc\">Libravatar\u003C\u002Fa> is open source. Gravatar is \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FGravatar\" rel=\"nofollow ugc\">owned by WordPress\u003C\u002Fa>, and their \u003Ca href=\"https:\u002F\u002Fautomattic.com\u002Fprivacy\u002F\" rel=\"nofollow ugc\">privacy policy\u003C\u002Fa> says that they don’t monetize that info.  But hey, corporate policies change, subpoenas exist, and domain names get sold.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Should you trust Gravatar with user data? Well, in 2024, Gravatar announced that they are \u003Ca href=\"https:\u002F\u002Fjwz.org\u002Fb\u002FykXF\" rel=\"nofollow ugc\">pivoting to blockchain\u003C\u002Fa>, whatever that means, so that’s fairly disqualifying. 
See also \u003Ca href=\"https:\u002F\u002Fjwz.org\u002Fb\u002FykPk\" rel=\"nofollow ugc\">WordPress “growth hacking”\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Fjwz.org\u002Fb\u002FykNg\" rel=\"nofollow ugc\">WordPress sells users’ data to train AI tools\u003C\u002Fa>.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>There used to be a potential issue due to \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FGravatar#Security_concerns_and_data_breaches\" rel=\"nofollow ugc\">Gravatars using MD5 hashes\u003C\u002Fa>, but these days they use SHA256, so I assume that’s no longer a problem.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n","Locally mirror commenters' Gravatar or Mastodon profile images.",20,1723,"2025-07-31T00:10:00.000Z","6.8.5","2.7",[20,21],"https:\u002F\u002Fwww.jwz.org\u002Fmirror-gravatar\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmirror-gravatar.1.5.zip",{"attackSurface":132,"codeSignals":158,"taintFlows":253,"riskAssessment":287,"analyzedAt":299},{"hooks":133,"ajaxHandlers":154,"restRoutes":155,"shortcodes":156,"cronEvents":157,"entryPointCount":13,"unprotectedCount":13},[134,140,144,148],{"type":135,"name":136,"callback":137,"file":138,"line":139},"action","plugins_loaded","startup","hikari-tools.php",33,{"type":135,"name":141,"callback":142,"file":138,"line":143},"admin_init","options_init",292,{"type":135,"name":145,"callback":146,"file":138,"line":147},"admin_menu","menuPrepare",293,{"type":149,"name":150,"callback":151,"priority":11,"file":152,"line":153},"filter","get_avatar","unicorn_avatar","hikari-unicornified-gravatar-core.php",21,[],[],[],[],{"dangerousFunctions":159,"sqlUsage":160,"outputEscaping":162,"fileOperations":13,"externalRequests":13,"nonceChecks":13,"capabilityChecks":13,"bundledLibraries":252},[],{"prepared":13,"raw":13,"locations":161},[],{"escaped":48,"rawEcho":163,"locations":164},53,[165,168,170,172,173,174,175,176,178,180,182,183,184,185,186,188,190,192,194,195,197,199,2
01,202,203,205,206,208,210,212,213,214,216,217,219,220,222,224,226,228,230,232,233,235,237,239,241,243,244,246,248,249,250],{"file":138,"line":166,"context":167},98,"raw output",{"file":138,"line":169,"context":167},423,{"file":138,"line":171,"context":167},425,{"file":138,"line":171,"context":167},{"file":138,"line":171,"context":167},{"file":138,"line":171,"context":167},{"file":138,"line":171,"context":167},{"file":138,"line":177,"context":167},427,{"file":138,"line":179,"context":167},443,{"file":138,"line":181,"context":167},445,{"file":138,"line":181,"context":167},{"file":138,"line":181,"context":167},{"file":138,"line":181,"context":167},{"file":138,"line":181,"context":167},{"file":138,"line":187,"context":167},447,{"file":138,"line":189,"context":167},456,{"file":138,"line":191,"context":167},458,{"file":138,"line":193,"context":167},464,{"file":138,"line":193,"context":167},{"file":138,"line":196,"context":167},469,{"file":138,"line":198,"context":167},478,{"file":138,"line":200,"context":167},493,{"file":138,"line":200,"context":167},{"file":138,"line":200,"context":167},{"file":138,"line":204,"context":167},494,{"file":138,"line":204,"context":167},{"file":138,"line":207,"context":167},498,{"file":138,"line":209,"context":167},507,{"file":138,"line":211,"context":167},527,{"file":138,"line":211,"context":167},{"file":138,"line":211,"context":167},{"file":138,"line":215,"context":167},528,{"file":138,"line":215,"context":167},{"file":138,"line":218,"context":167},532,{"file":138,"line":218,"context":167},{"file":138,"line":221,"context":167},534,{"file":138,"line":223,"context":167},569,{"file":138,"line":225,"context":167},570,{"file":138,"line":227,"context":167},571,{"file":138,"line":229,"context":167},602,{"file":138,"line":231,"context":167},627,{"file":138,"line":231,"context":167},{"file":138,"line":234,"context":167},637,{"file":138,"line":236,"context":167},652,{"file":138,"line":238,"context":167},654,{"file":138,"line":240,"context":167},704,
{"file":138,"line":242,"context":167},773,{"file":138,"line":242,"context":167},{"file":138,"line":245,"context":167},812,{"file":138,"line":247,"context":167},814,{"file":138,"line":247,"context":167},{"file":138,"line":247,"context":167},{"file":138,"line":251,"context":167},866,[],[254,277],{"entryPoint":255,"graph":256,"unsanitizedCount":48,"severity":276},"debugRequestParameters (hikari-tools.php:732)",{"nodes":257,"edges":272},[258,263,267],{"id":259,"type":260,"label":261,"file":138,"line":262},"n0","source","$_REQUEST",736,{"id":264,"type":265,"label":266,"file":138,"line":262},"n1","transform","→ echoArray()",{"id":268,"type":269,"label":270,"file":138,"line":166,"wp_function":271},"n2","sink","echo() [XSS]","echo",[273,275],{"from":259,"to":264,"sanitized":274},false,{"from":264,"to":268,"sanitized":274},"medium",{"entryPoint":278,"graph":279,"unsanitizedCount":48,"severity":276},"\u003Chikari-tools> (hikari-tools.php:0)",{"nodes":280,"edges":284},[281,282,283],{"id":259,"type":260,"label":261,"file":138,"line":262},{"id":264,"type":265,"label":266,"file":138,"line":262},{"id":268,"type":269,"label":270,"file":138,"line":166,"wp_function":271},[285,286],{"from":259,"to":264,"sanitized":274},{"from":264,"to":268,"sanitized":274},{"summary":288,"deductions":289},"The \"hikari-unicornified-gravatars\" plugin v0.00.02 presents a mixed security posture. On the positive side, the plugin has no recorded vulnerabilities (CVEs) and does not appear to perform any external HTTP requests or file operations. All detected SQL queries are properly prepared, which is a significant security best practice. However, the static analysis reveals substantial concerns, particularly regarding output escaping and taint analysis. A mere 2% of output escaping is properly done, indicating a high risk of cross-site scripting (XSS) vulnerabilities. 
Furthermore, the taint analysis shows two flows with unsanitized paths, suggesting potential security weaknesses that could be exploited if they lead to sensitive operations. The complete lack of nonce checks and capability checks across all identified entry points (even though the attack surface is reported as zero) is also a serious oversight, as it leaves any potential future additions to the plugin vulnerable to CSRF and unauthorized actions. The vulnerability history being clear is a good sign, but it doesn't mitigate the identified code-level risks.",[290,293,295,297],{"reason":291,"points":292},"Low percentage of properly escaped output",15,{"reason":294,"points":11},"Taint flows with unsanitized paths",{"reason":296,"points":11},"No nonce checks detected",{"reason":298,"points":11},"No capability checks detected","2026-03-17T01:43:27.158Z",{"wat":301,"direct":307},{"assetPaths":302,"generatorPatterns":304,"scriptPaths":305,"versionParams":306},[303],"\u002Fwp-content\u002Fplugins\u002Fhikari-unicornified-gravatars\u002Fhikari-unicornified-gravatar.php",[],[],[],{"cssClasses":308,"htmlComments":309,"htmlAttributes":311,"restEndpoints":312,"jsGlobals":313,"shortcodeOutput":314},[],[310]," Copyright Hikari (http:\u002F\u002Fwordpress.Hikari.ws), 2010",[],[],[],[]]