[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fk1HR3dnDv1qxNdtR3Lu4XyTd5jCix78l93B2VFGupZU":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":22,"download_link":23,"security_score":24,"vuln_count":25,"unpatched_count":25,"last_vuln_date":26,"fetched_at":27,"vulnerabilities":28,"developer":43,"crawl_stats":34,"alternatives":51,"analysis":156,"fingerprints":258},"iframe-widget","IFrame Widget","4.1","Debashish","https:\u002F\u002Fprofiles.wordpress.org\u002Fdebashish\u002F","\u003Cp>The IFrame widget can display any external HTML page inside an \u003Ca href=\"http:\u002F\u002Fwww.w3.org\u002FTR\u002Fhtml4\u002Fpresent\u002Fframes.html#edef-IFRAME\" title=\"Know more about IFrames\" rel=\"nofollow ugc\">HTML IFrame\u003C\u002Fa> component. The need came from the Hindi Tagcloud JSP that I had once created for \u003Ca href=\"http:\u002F\u002Fweb.archive.org\u002Fweb\u002F20080821123115\u002Fhttp:\u002F\u002Fwww.myjavaserver.com\u002F~hindi\" title=\"Chittha Vishwa, Hindi for World of Blogs, is the first ever Hindi blog aggregator\" rel=\"nofollow ugc\">Chittha Vishwa\u003C\u002Fa> and I always thought that there should be some way to display that page on my blog.\u003C\u002Fp>\n\u003Ch4>What’s new in version 4.x of this plugin?\u003C\u002Fh4>\n\u003Col>\n\u003Cli>The Widget now offers configuration of IFrame Border and Scrolling attributes.\u003C\u002Fli>\n\u003Cli>You can now have multiple instances of Sidebar Widgets, thanks to the new Widget API to which this plugin has been re-written.\u003C\u002Fli>\n\u003Cli>A new “Markup Generator” to easily generate the markup that can simply be copy-pasted on your page.\u003C\u002Fli>\n\u003C\u002Fol>\n","IFrame widget can display any external HTML page inside an HTML IFrame 
component.",600,58039,0,"2012-09-20T11:50:00.000Z","3.4.2","3.0","",[19,20,4,21],"html","iframe","widget","http:\u002F\u002Fnullpointer.debashish.com\u002Fiframe-widget-for-wordpress","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fiframe-widget.4.1.zip",63,1,"2025-06-05 00:00:00","2026-03-15T15:16:48.613Z",[29],{"id":30,"url_slug":31,"title":32,"description":33,"plugin_slug":4,"theme_slug":34,"affected_versions":35,"patched_in_version":34,"severity":36,"cvss_score":37,"cvss_vector":38,"vuln_type":39,"published_date":26,"updated_date":40,"references":41,"days_to_patch":34},"CVE-2025-30939","iframe-widget-authenticated-administrator-stored-cross-site-scripting","IFrame Widget \u003C= 4.1 - Authenticated (Administrator+) Stored Cross-Site Scripting","The IFrame Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 
This only impacts multi-site installations and installations where unfiltered_html has been disabled.",null,"\u003C=4.1","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2025-06-11 20:00:37",[42],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa5e0acda-b76e-4290-8546-5da7e7758968?source=api-prod",{"slug":44,"display_name":7,"profile_url":8,"plugin_count":45,"total_installs":46,"avg_security_score":47,"avg_patch_time_days":48,"trust_score":49,"computed_at":50},"debashish",3,710,78,30,79,"2026-04-04T05:49:48.104Z",[52,75,95,119,138],{"slug":53,"name":54,"version":55,"author":56,"author_profile":57,"description":58,"short_description":59,"active_installs":60,"downloaded":61,"rating":62,"num_ratings":63,"last_updated":64,"tested_up_to":65,"requires_at_least":66,"requires_php":67,"tags":68,"homepage":72,"download_link":73,"security_score":74,"vuln_count":13,"unpatched_count":13,"last_vuln_date":34,"fetched_at":27},"code-widget","Code Widget","1.0.15","Sharaz Shahid","https:\u002F\u002Fprofiles.wordpress.org\u002Fsharaz\u002F","\u003Cp>Code Widget is simple widget allows you to insert any arbitrary Text\u002FHTML  and run  PHP Code or Short Code. This Widget parses PHP code  into simple text and much more.\u003C\u002Fp>\n\u003Cp>Only users with the unfiltered_html role will be allowed to insert unfiltered HTML. 
This includes PHP code, so users without admin or editor permissions will not be able to use this to execute code, even if they have widget editing permissions.\u003Cbr \u002F>\nThis plugin is developed and maintained by \u003Ca href=\"https:\u002F\u002Ftwitter.com\u002Fsharazghouri1\" rel=\"nofollow ugc\">Sharaz Shahid\u003C\u002Fa>\u003C\u002Fp>\n","Code widget help  to  add  Short Code, PHP Code, HTML, and Simple Text in widget.",4000,60271,98,35,"2022-06-11T11:06:00.000Z","6.1.0","4.0","7.0",[69,19,70,71,21],"code","php","short-code","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcode-widget\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcode-widget.1.0.15.zip",85,{"slug":76,"name":77,"version":78,"author":79,"author_profile":80,"description":81,"short_description":82,"active_installs":83,"downloaded":84,"rating":62,"num_ratings":85,"last_updated":86,"tested_up_to":87,"requires_at_least":88,"requires_php":17,"tags":89,"homepage":93,"download_link":94,"security_score":74,"vuln_count":13,"unpatched_count":13,"last_vuln_date":34,"fetched_at":27},"unfiltered-mu","Unfiltered MU","1.3.1","Donncha O Caoimh (a11n)","https:\u002F\u002Fprofiles.wordpress.org\u002Fdonncha\u002F","\u003Cp>Unfiltered MU gives Administrators and Editors the \u003Ccode>unfiltered_html\u003C\u002Fcode> capability.  This prevents WordPress MU\u002FWordPress 3.0 multisite from stripping \u003Ccode>\u003Ciframe>\u003C\u002Fcode>, \u003Ccode>\u003Cembed>\u003C\u002Fcode>, etc. from these users’ posts. Authors and Contributors do not get this capability for security reasons.\u003C\u002Fp>\n\u003Cp>The plugin can either be used globally for your entire MU site, or it can be applied on a blog-by-blog basis.\u003C\u002Fp>\n\u003Cp>For WordPress MU or WordPress 3.0 multisite only. Regular WordPress already offers this feature and does not need this plugin.\u003C\u002Fp>\n\u003Cp>Warning! This is a very dangerous plugin to activate if you have untrusted users on your site. 
Any user could add Javascript code to steal the login cookies of any visitor who runs a blog on the same site. The rogue user can then impersonate any of those users and wreak havoc. If all you want is to display videos on your WordPress MU blogs, use the native \u003Ca href=\"https:\u002F\u002Fcodex.wordpress.org\u002FEmbeds\" rel=\"nofollow ugc\">Embed Support\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Fvipers-video-quicktags\u002F\" rel=\"ugc\">Viper’s Video Quicktags\u003C\u002Fa> or any of the other \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Ftags\u002Fvideo\" rel=\"ugc\">video plugins\u003C\u002Fa> on WordPress.org.\u003Cbr \u002F>\nIf you use this plugin your site will be hacked in one way or another if you allow anonymous users on the Internet to create blogs on your site. It’s very dangerous.\u003C\u002Fp>\n\u003Cp>Are you still 100% sure you want to use this plugin?\u003C\u002Fp>\n","This WordPress MU\u002FWordPress 3.0 multisite plugin gives blog Administrators and Editors the ability to post whatever HTML they want.",2000,121016,14,"2018-12-20T09:34:00.000Z","5.0.25","2.9.2",[90,19,20,91,92],"embed","object","script","http:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Funfiltered-mu\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Funfiltered-mu.1.3.1.zip",{"slug":96,"name":97,"version":98,"author":99,"author_profile":100,"description":101,"short_description":102,"active_installs":103,"downloaded":104,"rating":105,"num_ratings":106,"last_updated":107,"tested_up_to":108,"requires_at_least":109,"requires_php":17,"tags":110,"homepage":116,"download_link":117,"security_score":118,"vuln_count":13,"unpatched_count":13,"last_vuln_date":34,"fetched_at":27},"local-time-clock","Local Time Clock","1.3","enclick","https:\u002F\u002Fprofiles.wordpress.org\u002Fenclick\u002F","\u003Cp>Display a clock on your sidebar set automatically to your location’s timezone. 
Select from a choice of clocks, colors and sizes.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>A wide range of analog and digital clocks. See screenshots tab or designs shown in \u003Ca href=\"http:\u002F\u002Flocaltimes.info\u002Fgetwidget\u002F\" title=\"Clock Widget Designs\" rel=\"nofollow ugc\">localtimes.info\u002Fgetwidget\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Choice of size, colors of text, border and background,\u003C\u002Fli>\n\u003Cli>Automatic adjustment of daylight saving time from the \u003Ca href=\"http:\u002F\u002Flocaltimes.info\" title=\"Local Times round the world\" rel=\"nofollow ugc\">localtimes.info\u003C\u002Fa> servers\u003C\u002Fli>\n\u003Cli>HTML5 responsive plugin, detects device and serves flash, html5, javascript progressively\u003C\u002Fli>\n\u003Cli>Easy addition of multiple clocks\u003C\u002Fli>\n\u003C\u002Ful>\n","Display a clock on your sidebar set automatically to your location's timezone. Select from a choice of clocks, colors and sizes.",1000,116955,62,10,"2024-05-14T16:21:00.000Z","6.5.8","2.8",[111,112,113,114,115],"clock","clock-widget","flash-clock","html5-clock","mobile-clock","https:\u002F\u002Flocaltimes.info\u002Fwordpress-clock-plugin\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flocal-time-clock.1.3.zip",92,{"slug":120,"name":121,"version":122,"author":123,"author_profile":124,"description":125,"short_description":126,"active_installs":103,"downloaded":127,"rating":128,"num_ratings":129,"last_updated":130,"tested_up_to":131,"requires_at_least":132,"requires_php":17,"tags":133,"homepage":136,"download_link":137,"security_score":74,"vuln_count":13,"unpatched_count":13,"last_vuln_date":34,"fetched_at":27},"pageview","PageView","1.6","John Godley","https:\u002F\u002Fprofiles.wordpress.org\u002Fjohnny5\u002F","\u003Cp>PageView is a plugin that will display another web page inside the current post. 
This is achieved with the use of an\u003Cbr \u002F>\niframe – an HTML tag that allows a webpage to be displayed inline with the current page.\u003C\u002Fp>\n\u003Cp>To use:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[pageview url=\"http:\u002F\u002Furbangiraffe.com\"]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Optional arguments:\u003C\u002Fp>\n\u003Cp>title = A title to show under the iframe\u003Cbr \u002F>\ndesc = A description to show under the iframe\u003Cbr \u002F>\nwidth = Width of iframe, in px or %\u003Cbr \u002F>\nheight = Height of iframe, in px or %\u003C\u002Fp>\n\u003Ch3>Documentation\u003C\u002Fh3>\n\u003Cp>Full documentation can be found on the \u003Ca href=\"http:\u002F\u002Furbangiraffe.com\u002Fplugins\u002Fpageview\u002F\" rel=\"nofollow ugc\">Pageview\u003C\u002Fa> page.\u003C\u002Fp>\n","Insert an iframe and display an external website directly in a post using just a shortcode.",73637,84,6,"2017-11-28T20:21:00.000Z","4.1.42","2.5",[90,19,20,134,135],"page","post","http:\u002F\u002Furbangiraffe.com\u002Fplugins\u002Fpageview\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpageview.zip",{"slug":139,"name":140,"version":141,"author":142,"author_profile":143,"description":144,"short_description":145,"active_installs":103,"downloaded":146,"rating":147,"num_ratings":25,"last_updated":148,"tested_up_to":149,"requires_at_least":149,"requires_php":17,"tags":150,"homepage":154,"download_link":155,"security_score":74,"vuln_count":13,"unpatched_count":13,"last_vuln_date":34,"fetched_at":27},"widget-classes","Widget Classes","0.1","aizatto","https:\u002F\u002Fprofiles.wordpress.org\u002Faizatto\u002F","\u003Cp>Widget Classes allows you to add classes to your individual widgets to be used by your theme. 
This is done by appending an additional form field to the end of your widget forms where you can enter the class.\u003C\u002Fp>\n\u003Cp>You do not need to modify your widgets, as this will apply automatically to all widgets.\u003C\u002Fp>\n","Widget Classes allows you to add classes to your individual widgets to be used by your theme. This is done by appending an additional form field to th &hellip;",14441,100,"2010-05-30T16:10:00.000Z","3",[151,152,19,21,153],"class","classes","widgets","http:\u002F\u002Fblog.aizatto.com\u002Fwidget-classes","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwidget-classes.0.1.zip",{"attackSurface":157,"codeSignals":185,"taintFlows":241,"riskAssessment":242,"analyzedAt":257},{"hooks":158,"ajaxHandlers":181,"restRoutes":182,"shortcodes":183,"cronEvents":184,"entryPointCount":13,"unprotectedCount":13},[159,164,168,172,177],{"type":160,"name":161,"callback":162,"file":163,"line":49},"action","admin_init","plugin_admin_init","iframe-markup-generator.php",{"type":160,"name":165,"callback":166,"file":163,"line":167},"admin_menu","plugin_admin_add_page",80,{"type":160,"name":169,"callback":170,"file":171,"line":85},"widgets_init","anonymous","iframe-widget.php",{"type":173,"name":174,"callback":175,"priority":106,"file":171,"line":176},"filter","the_content","widget_iframe_on_page",15,{"type":173,"name":178,"callback":179,"priority":106,"file":171,"line":180},"plugin_action_links","iframe_plugin_action_links",16,[],[],[],[],{"dangerousFunctions":186,"sqlUsage":190,"outputEscaping":192,"fileOperations":13,"externalRequests":13,"nonceChecks":13,"capabilityChecks":13,"bundledLibraries":240},[187],{"fn":188,"file":171,"line":85,"context":189},"create_function","add_action('widgets_init', create_function('', 'return 
register_widget(\"IFrame_Widget\");'));",{"prepared":13,"raw":13,"locations":191},[],{"escaped":176,"rawEcho":48,"locations":193},[194,197,199,200,202,204,205,207,209,210,212,214,215,217,219,220,221,222,223,225,227,228,230,232,233,234,235,236,237,239],{"file":171,"line":195,"context":196},41,"raw output",{"file":171,"line":198,"context":196},42,{"file":171,"line":198,"context":196},{"file":171,"line":201,"context":196},45,{"file":171,"line":203,"context":196},46,{"file":171,"line":203,"context":196},{"file":171,"line":206,"context":196},48,{"file":171,"line":208,"context":196},49,{"file":171,"line":208,"context":196},{"file":171,"line":211,"context":196},53,{"file":171,"line":213,"context":196},54,{"file":171,"line":213,"context":196},{"file":171,"line":216,"context":196},57,{"file":171,"line":218,"context":196},58,{"file":171,"line":218,"context":196},{"file":171,"line":105,"context":196},{"file":171,"line":24,"context":196},{"file":171,"line":24,"context":196},{"file":171,"line":224,"context":196},69,{"file":171,"line":226,"context":196},70,{"file":171,"line":226,"context":196},{"file":171,"line":229,"context":196},94,{"file":171,"line":231,"context":196},96,{"file":171,"line":231,"context":196},{"file":171,"line":231,"context":196},{"file":171,"line":231,"context":196},{"file":171,"line":231,"context":196},{"file":171,"line":231,"context":196},{"file":171,"line":238,"context":196},97,{"file":171,"line":147,"context":196},[],[],{"summary":243,"deductions":244},"The \"iframe-widget\" plugin v4.1 presents a mixed security posture. On the positive side, the plugin demonstrates good practices by not having a large attack surface with no exposed AJAX handlers, REST API routes, shortcodes, or cron events without proper authorization checks. Furthermore, all SQL queries are secured using prepared statements and there are no file operations or external HTTP requests to consider, which minimizes common attack vectors. 
However, the presence of a dangerous function ('create_function') is a significant concern. This function is deprecated due to security vulnerabilities and can easily lead to code injection if not handled with extreme care, which the code analysis signals do not suggest is the case.\n\nThe vulnerability history for this plugin is troubling. A known medium severity CVE exists, and it is currently unpatched. This indicates a past instance of Cross-site Scripting (XSS), which is a direct result of improper neutralization of input. The fact that this vulnerability is not patched suggests a lack of ongoing maintenance and a potential for attackers to exploit this known weakness. The limited taint analysis is not necessarily a positive sign; it could simply mean the analysis tools didn't find exploitable flows, but it doesn't negate the risks from the identified dangerous function and unpatched CVE.\n\nIn conclusion, while the plugin has a small attack surface and uses prepared statements for SQL, the use of 'create_function' and the unpatched medium severity CVE related to XSS are serious security concerns. 
The lack of patches for known vulnerabilities points to a plugin that may be abandoned or poorly maintained, making it a risky choice for WordPress sites.",[245,247,249,252,255],{"reason":246,"points":176},"Unpatched CVE exists",{"reason":248,"points":106},"Dangerous function 'create_function' used",{"reason":250,"points":251},"Output escaping at 33% - many outputs unescaped",8,{"reason":253,"points":254},"No nonce checks on entry points",5,{"reason":256,"points":254},"No capability checks on entry points","2026-03-16T19:31:14.965Z",{"wat":259,"direct":265},{"assetPaths":260,"generatorPatterns":262,"scriptPaths":263,"versionParams":264},[261],"\u002Fwp-content\u002Fplugins\u002Fiframe-widget\u002Fiframe-widget.php",[],[],[],{"cssClasses":266,"htmlComments":268,"htmlAttributes":269,"restEndpoints":276,"jsGlobals":277,"shortcodeOutput":278},[267],"IFrame_Widget",[],[270,271,272,273,274,275],"data-iframewidget-url","data-iframewidget-width","data-iframewidget-height","data-iframewidget-border","data-iframewidget-scrolling","data-iframewidget-style",[],[],[279,280],"\u003CIFRAME","[Your user agent does not support frames or is currently configured not to display frames. However, you may visit \u003CA href="]