[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ffdWAZ5-bmjephVuojqmwYYxH9LXChSFN4ZOqUCawneo":3,"$fWFfDaL7bafh7K9XeDEXl3VPSs0PI3BtLeIXLG0CXwlU":306,"$f6iKedVKleNVl0w6agktQTAs6duZeWoPzqR26gtAqBiE":310},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":21,"download_link":22,"security_score":23,"vuln_count":24,"unpatched_count":24,"last_vuln_date":25,"fetched_at":26,"discovery_status":27,"vulnerabilities":28,"developer":29,"crawl_stats":25,"alternatives":36,"analysis":37,"fingerprints":290},"hoo-hreflang-tags","Hoo Hreflang Tags","1.1","HooThemes","https:\u002F\u002Fprofiles.wordpress.org\u002Fhoosoft\u002F","\u003Cp>Add Hreflang meta tags to the head of your Multi-Language WordPress Website. It is compatible with the elementor plugin.\u003C\u002Fp>\n","Add Hreflang meta tags to the head of your Multi-Language WordPress Website. 
It is compatible with the elementor plugin.",100,2331,70,2,"2018-11-11T11:16:00.000Z","4.9.29","4.0","5.3",[20],"hreflang-tags","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhoo-hreflang-tags.zip",85,0,null,"2026-04-16T10:56:18.058Z","no_bundle",[],{"slug":30,"display_name":7,"profile_url":8,"plugin_count":31,"total_installs":32,"avg_security_score":23,"avg_patch_time_days":33,"trust_score":34,"computed_at":35},"hoosoft",6,560,30,84,"2026-05-20T01:27:10.025Z",[],{"attackSurface":38,"codeSignals":137,"taintFlows":233,"riskAssessment":277,"analyzedAt":289},{"hooks":39,"ajaxHandlers":125,"restRoutes":134,"shortcodes":135,"cronEvents":136,"entryPointCount":14,"unprotectedCount":14},[40,46,50,54,57,61,68,72,77,81,84,88,91,93,96,100,104,107,111,114,116,121],{"type":41,"name":42,"callback":43,"file":44,"line":45},"action","admin_enqueue_scripts","admin_scripts","hoo-hreflang-tags.php",19,{"type":41,"name":47,"callback":48,"file":44,"line":49},"wp_head","register_alternate_link",20,{"type":41,"name":51,"callback":52,"file":44,"line":53},"admin_menu","my_plugin_menu",21,{"type":41,"name":55,"callback":55,"file":44,"line":56},"plugins_loaded",22,{"type":41,"name":58,"callback":59,"file":44,"line":60},"admin_init","register_mysettings",68,{"type":62,"name":63,"callback":64,"priority":65,"file":66,"line":67},"filter","get_post_metadata","hijack_oembed_cache_get",10,"includes\\metabox\\helpers\\cmb_Meta_Box_ajax.php",112,{"type":62,"name":69,"callback":70,"priority":65,"file":66,"line":71},"update_post_metadata","hijack_oembed_cache_set",114,{"type":62,"name":73,"callback":74,"priority":65,"file":75,"line":76},"cmb_show_on","anonymous","includes\\metabox\\init.php",171,{"type":41,"name":42,"callback":78,"priority":79,"file":75,"line":80},"register_scripts",8,175,{"type":41,"name":51,"callback":82,"file":75,"line":83},"add_metaboxes",178,{"type":41,"name":85,"callback":86,"file":75,"line":87},"add_attachment","save_post",179,{"type":41,"name":89,"callback":86,"fi
le":75,"line":90},"edit_attachment",180,{"type":41,"name":86,"callback":86,"priority":65,"file":75,"line":92},181,{"type":41,"name":42,"callback":94,"file":75,"line":95},"do_scripts",182,{"type":41,"name":97,"callback":98,"file":75,"line":99},"admin_head","add_post_enctype",185,{"type":41,"name":101,"callback":102,"file":75,"line":103},"show_user_profile","user_metabox",200,{"type":41,"name":105,"callback":102,"file":75,"line":106},"edit_user_profile",201,{"type":41,"name":108,"callback":109,"file":75,"line":110},"personal_options_update","save_user",203,{"type":41,"name":112,"callback":109,"file":75,"line":113},"edit_user_profile_update",204,{"type":41,"name":97,"callback":98,"file":75,"line":115},207,{"type":62,"name":117,"callback":118,"file":119,"line":120},"cmb_meta_boxes","hoo_hreflang_metaboxes","includes\\metabox\\options.php",3,{"type":41,"name":122,"callback":123,"priority":124,"file":119,"line":110},"init","hoo_hreflang_initialize_cmb_meta_boxes",9999,[126,131],{"action":127,"nopriv":128,"callback":129,"hasNonce":128,"hasCapCheck":128,"file":75,"line":130},"cmb_oembed_handler",false,"oembed_handler",1047,{"action":127,"nopriv":132,"callback":129,"hasNonce":128,"hasCapCheck":128,"file":75,"line":133},true,1048,[],[],[],{"dangerousFunctions":138,"sqlUsage":144,"outputEscaping":146,"fileOperations":24,"externalRequests":24,"nonceChecks":231,"capabilityChecks":120,"bundledLibraries":232},[139],{"fn":140,"file":141,"line":142,"context":143},"unserialize","includes\\metabox\\helpers\\cmb_Meta_Box_types.php",486,"$datetime   = unserialize( $meta_value );",{"prepared":14,"raw":24,"locations":145},[],{"escaped":49,"rawEcho":147,"locations":148},50,[149,152,154,156,159,161,163,165,167,169,171,173,175,176,178,180,181,183,184,185,186,188,189,190,192,193,195,197,198,200,201,202,203,204,205,207,208,209,211,213,215,216,218,219,221,222,223,225,227,229],{"file":44,"line":150,"context":151},79,"raw 
output",{"file":44,"line":153,"context":151},97,{"file":66,"line":155,"context":151},199,{"file":157,"line":158,"context":151},"includes\\metabox\\helpers\\cmb_Meta_Box_field.php",402,{"file":157,"line":160,"context":151},407,{"file":141,"line":162,"context":151},60,{"file":141,"line":164,"context":151},244,{"file":141,"line":166,"context":151},250,{"file":141,"line":168,"context":151},301,{"file":141,"line":170,"context":151},328,{"file":141,"line":172,"context":151},443,{"file":141,"line":174,"context":151},666,{"file":141,"line":174,"context":151},{"file":141,"line":177,"context":151},678,{"file":141,"line":179,"context":151},692,{"file":141,"line":179,"context":151},{"file":141,"line":182,"context":151},704,{"file":141,"line":182,"context":151},{"file":141,"line":182,"context":151},{"file":141,"line":182,"context":151},{"file":141,"line":187,"context":151},722,{"file":141,"line":187,"context":151},{"file":141,"line":187,"context":151},{"file":141,"line":191,"context":151},748,{"file":141,"line":191,"context":151},{"file":141,"line":194,"context":151},759,{"file":141,"line":196,"context":151},760,{"file":141,"line":196,"context":151},{"file":141,"line":199,"context":151},768,{"file":141,"line":199,"context":151},{"file":141,"line":199,"context":151},{"file":141,"line":199,"context":151},{"file":141,"line":199,"context":151},{"file":141,"line":199,"context":151},{"file":141,"line":206,"context":151},775,{"file":141,"line":206,"context":151},{"file":141,"line":206,"context":151},{"file":141,"line":210,"context":151},784,{"file":75,"line":212,"context":151},316,{"file":75,"line":214,"context":151},437,{"file":75,"line":214,"context":151},{"file":75,"line":217,"context":151},441,{"file":75,"line":172,"context":151},{"file":75,"line":220,"context":151},456,{"file":75,"line":220,"context":151},{"file":75,"line":220,"context":151},{"file":75,"line":224,"context":151},464,{"file":75,"line":226,"context":151},469,{"file":75,"line":228,"context":151},484,{"file":75,"line":
230,"context":151},1182,4,[],[234,258],{"entryPoint":235,"graph":236,"unsanitizedCount":256,"severity":257},"sanitize_field (includes\\metabox\\init.php:641)",{"nodes":237,"edges":253},[238,243,247],{"id":239,"type":240,"label":241,"file":75,"line":242},"n0","source","$_POST",653,{"id":244,"type":245,"label":246,"file":75,"line":242},"n1","transform","→ sanitization_cb()",{"id":248,"type":249,"label":250,"file":157,"line":251,"wp_function":252},"n2","sink","call_user_func() [RCE]",222,"call_user_func",[254,255],{"from":239,"to":244,"sanitized":128},{"from":244,"to":248,"sanitized":128},1,"high",{"entryPoint":259,"graph":260,"unsanitizedCount":256,"severity":257},"\u003Cinit> (includes\\metabox\\init.php:0)",{"nodes":261,"edges":273},[262,265,268,269,271],{"id":239,"type":240,"label":263,"file":75,"line":264},"$_REQUEST",702,{"id":244,"type":249,"label":266,"file":75,"line":230,"wp_function":267},"echo() [XSS]","echo",{"id":248,"type":240,"label":241,"file":75,"line":242},{"id":270,"type":245,"label":246,"file":75,"line":242},"n3",{"id":272,"type":249,"label":250,"file":157,"line":251,"wp_function":252},"n4",[274,275,276],{"from":239,"to":244,"sanitized":132},{"from":248,"to":270,"sanitized":128},{"from":270,"to":272,"sanitized":128},{"summary":278,"deductions":279},"The hoo-hreflang-tags plugin, version 1.1, presents a mixed security posture.  While it demonstrates good practices by exclusively using prepared statements for its SQL queries, handling file operations correctly, and making no external HTTP requests, several significant concerns emerge from the static analysis.\n\nThe most prominent risks stem from the two AJAX handler registrations for `cmb_oembed_handler`, neither of which has a nonce or capability check; one of them is registered for unauthenticated (nopriv) requests. This creates a direct attack vector where unauthenticated users could potentially trigger the handler, leading to unintended consequences.  Furthermore, the presence of the `unserialize` function, combined with two taint flows exhibiting unsanitized paths, raises a critical red flag. 
This combination suggests a high risk of remote code execution or other severe vulnerabilities if user-supplied data is not meticulously validated before being passed to `unserialize`. In the recorded flows, however, the unsanitized path runs from `$_POST` through `sanitization_cb()` into a `call_user_func()` sink, while the flagged `unserialize` call reads `$meta_value`; the two findings should be assessed separately.\n\nThe plugin's vulnerability history is clean, with no recorded CVEs. This is a positive indicator, suggesting the developers may have a good understanding of common security pitfalls or that the plugin hasn't been a target. However, the current code analysis reveals potential weaknesses that could be exploited regardless of past history. The lack of proper output escaping on about 71% of outputs (50 of 70) is another area of concern, potentially leading to cross-site scripting (XSS) vulnerabilities.",[280,282,285,287],{"reason":281,"points":65},"Unprotected AJAX handlers",{"reason":283,"points":284},"Taint flows with unsanitized paths (High severity)",15,{"reason":286,"points":79},"Use of unserialize()",{"reason":288,"points":31},"Low output escaping coverage","2026-03-16T20:51:25.703Z",{"wat":291,"direct":297},{"assetPaths":292,"generatorPatterns":294,"scriptPaths":295,"versionParams":296},[293],"\u002Fwp-content\u002Fplugins\u002Fhoo-hreflang-tags\u002Fassets\u002Fcss\u002Fadmin.css",[],[],[],{"cssClasses":298,"htmlComments":299,"htmlAttributes":302,"restEndpoints":303,"jsGlobals":304,"shortcodeOutput":305},[],[300,301],"\u003C!-- Hoo hreflang tags -->","\u003C!-- \u002F Hoo hreflang tags -->",[],[],[],[],{"error":132,"url":307,"statusCode":308,"statusMessage":309,"message":309},"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fhoo-hreflang-tags\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":24,"versions":311},[]]