[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fS91Z6JwZvnWB0XwYYMO1DrAe7bBiplfZPYUH0x7T1zQ":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":24,"download_link":25,"security_score":26,"vuln_count":27,"unpatched_count":13,"last_vuln_date":28,"fetched_at":29,"vulnerabilities":30,"developer":55,"crawl_stats":36,"alternatives":61,"analysis":157,"fingerprints":216},"laposta-signup-embed","Laposta Signup Embed","1.5.2","stijnvanderree","https:\u002F\u002Fprofiles.wordpress.org\u002Fstijnvanderree\u002F","\u003Cp>Laposta is a Dutch email marketing solution. This plugin can be used to load any of your Laposta embedded registration forms.\u003C\u002Fp>\n","Laposta is a Dutch email marketing solution. This plugin can be used to load any of your Laposta embedded registration forms.",1000,11813,0,"2026-02-24T10:03:00.000Z","6.9.4","5.0","7.1",[19,20,21,22,23],"aanmelden","avg","formulier","laposta","nieuwsbrieven","https:\u002F\u002Fdocs.laposta.nl\u002Farticle\u002F1058-installatie-en-configuratie-van-laposta-signup-embed-voor-wordpress","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flaposta-signup-embed.1.5.2.zip",99,2,"2023-09-05 00:00:00","2026-03-15T15:16:48.613Z",[31,47],{"id":32,"url_slug":33,"title":34,"description":35,"plugin_slug":4,"theme_slug":36,"affected_versions":37,"patched_in_version":38,"severity":39,"cvss_score":40,"cvss_vector":41,"vuln_type":42,"published_date":28,"updated_date":43,"references":44,"days_to_patch":46},"WF-12b81441-d22c-4211-a8da-811182de622d-laposta-signup-embed","laposta-signup-embed-missing-authorization","Laposta Signup Embed \u003C= 1.1.0 - Missing Authorization","The Laposta Signup Embed plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.0. 
This is due to a missing capability check on the ajaxResetCache function. This makes it possible for subscriber-level attackers or higher to clear the plugin's cache.",null,"\u003C1.1.1","1.1.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2024-01-22 19:56:02",[45],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F12b81441-d22c-4211-a8da-811182de622d?source=api-prod",140,{"id":48,"url_slug":49,"title":50,"description":51,"plugin_slug":4,"theme_slug":36,"affected_versions":37,"patched_in_version":38,"severity":39,"cvss_score":40,"cvss_vector":52,"vuln_type":42,"published_date":28,"updated_date":43,"references":53,"days_to_patch":46},"WF-4c0cbf44-f6b4-408d-9a96-98f45d890822-laposta-signup-embed","laposta-signup-embed-cross-site-request-forgery","Laposta Signup Embed \u003C= 1.1.0 - Cross-Site Request Forgery","The Laposta Signup Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on the ajaxResetCache function. 
This makes it possible for unauthenticated attackers to clear the plugin's cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N",[54],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4c0cbf44-f6b4-408d-9a96-98f45d890822?source=api-prod",{"slug":7,"display_name":7,"profile_url":8,"plugin_count":56,"total_installs":57,"avg_security_score":26,"avg_patch_time_days":58,"trust_score":59,"computed_at":60},3,3500,114,78,"2026-04-05T10:28:41.051Z",[62,78,95,116,138],{"slug":63,"name":64,"version":65,"author":7,"author_profile":8,"description":66,"short_description":67,"active_installs":68,"downloaded":69,"rating":70,"num_ratings":71,"last_updated":72,"tested_up_to":15,"requires_at_least":73,"requires_php":17,"tags":74,"homepage":75,"download_link":76,"security_score":26,"vuln_count":71,"unpatched_count":13,"last_vuln_date":77,"fetched_at":29},"laposta-woocommerce","Laposta WooCommerce","1.10.1","\u003Cp>Laposta is a Dutch emailmarketing solution. 
Use this plugin to add an optin checkbox to your checkout,\u003Cbr \u002F>\nso your customers can subscribe to your newsletter.\u003C\u002Fp>\n","This plugin can be used to add an optin checkbox to receive newsletters, using Laposta newsletter software (https:\u002F\u002Flaposta.nl).",500,8616,100,1,"2026-03-03T14:09:00.000Z","3.0",[19,22,23],"http:\u002F\u002Flaposta.nl\u002Fdocumentatie\u002Fwordpress.524.html","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flaposta-woocommerce.1.10.1.zip","2025-08-17 00:00:00",{"slug":79,"name":80,"version":81,"author":7,"author_profile":8,"description":82,"short_description":83,"active_installs":84,"downloaded":85,"rating":70,"num_ratings":27,"last_updated":86,"tested_up_to":15,"requires_at_least":87,"requires_php":17,"tags":88,"homepage":93,"download_link":94,"security_score":26,"vuln_count":27,"unpatched_count":13,"last_vuln_date":28,"fetched_at":29},"laposta-signup-basic","Laposta Signup Basic","3.2.5","\u003Cp>Laposta is a Dutch email marketing tool. Load your Laposta lists and render fields in a HTML form with custom styling.\u003C\u002Fp>\n","Laposta is a Dutch email marketing tool. 
Load your Laposta lists and render fields in a HTML form with custom styling.",2000,38826,"2026-02-24T10:01:00.000Z","4.7",[89,90,22,91,92],"form","gdpr","marketing","newsletters","https:\u002F\u002Fdocs.laposta.nl\u002Farticle\u002F546-installatie-van-laposta-signup-basic","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flaposta-signup-basic.3.2.5.zip",{"slug":96,"name":97,"version":98,"author":99,"author_profile":100,"description":101,"short_description":102,"active_installs":11,"downloaded":103,"rating":70,"num_ratings":104,"last_updated":105,"tested_up_to":106,"requires_at_least":107,"requires_php":108,"tags":109,"homepage":113,"download_link":114,"security_score":115,"vuln_count":13,"unpatched_count":13,"last_vuln_date":36,"fetched_at":29},"gdpr-press","GDPRess | Eliminate external requests to increase GDPR compliance","1.2.3","Daan van den Bergh","https:\u002F\u002Fprofiles.wordpress.org\u002Fdaanvandenbergh\u002F","\u003Cp>In January, 2022 \u003Ca href=\"https:\u002F\u002Fffw.press\u002Fblog\u002Fgdpr\u002Fgoogle-fonts-violates-gdpr-germany\u002F\" rel=\"nofollow ugc\">a German court ruled\u003C\u002Fa> that a website owner was in breach of GDPR and should pay a € 100,- fine, because embedded Google Fonts were used, essentially transferring the user’s personal data (IP address) without the user’s prior consent.\u003C\u002Fp>\n\u003Ch4>What’s embedding?\u003C\u002Fh4>\n\u003Cp>When an external (i.e. loaded from another server, besides your own) resource is embedded into a webpage, it basically means that the resource behaves as if it’s loaded from the same server hosting the webpage.\u003C\u002Fp>\n\u003Ch4>Why is using embedded resources in breach of GDPR?\u003C\u002Fh4>\n\u003Cp>Because of \u003Ca href=\"https:\u002F\u002Fffw.press\u002Fblog\u002Fhow-to\u002Fgoogle-fonts-gdpr\u002F\" rel=\"nofollow ugc\">the way the internet works\u003C\u002Fa>. When a browser (i.e. computer) requests a file (e.g. 
an image or a font file), the server needs the IP address of that computer to send it back. All these requests (including the IP address) are logged in a so-called \u003Ccode>access.log\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cp>Once this IP address leaves the European Union, your website is violating the GDPR.\u003C\u002Fp>\n\u003Ch4>What does this plugin do?\u003C\u002Fh4>\n\u003Cp>GDPRess scans your homepage for 3rd party scripts (JS) and stylesheets (CSS), and:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Allows you to download or exclude them from downloading,\u003C\u002Fli>\n\u003Cli>Parses the stylesheets for loaded font files, downloads them, and rewrites the stylesheet to use the local copies,\u003C\u002Fli>\n\u003Cli>Makes sure the local copies of each script\u002Fstylesheet are used in your site’s frontend.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>In short, it makes sure no requests are made to external\u002Fembedded\u002F3rd party scripts and stylesheets.\u003C\u002Fp>\n","In January, 2022 a German court ruled that a website owner was in breach of GDPR and should pay a € 100,- fine, because embedded Google Fonts were use &hellip;",10934,8,"2022-09-05T12:42:00.000Z","5.9.13","5.8","7.2",[110,20,111,112,90],"3rd-party","dsvgo","external","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fgdpr-press\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgdpr-press.1.2.3.zip",85,{"slug":117,"name":118,"version":119,"author":117,"author_profile":120,"description":121,"short_description":122,"active_installs":123,"downloaded":124,"rating":70,"num_ratings":125,"last_updated":126,"tested_up_to":127,"requires_at_least":128,"requires_php":129,"tags":130,"homepage":134,"download_link":135,"security_score":136,"vuln_count":71,"unpatched_count":71,"last_vuln_date":137,"fetched_at":29},"cookiecode","CookieCode","2.4.4","https:\u002F\u002Fprofiles.wordpress.org\u002Fcookiecode\u002F","\u003Cp>CookieCode enables your website to comply with GDPR and e-privacy rules by 
blocking tracking and analytical cookies until the visitor has given their consent.\u003Cbr \u002F>\nIn addition, the cookie declaration for your website will be updated automatically by our crawler.\u003C\u002Fp>\n\u003Ch3>Third party service\u003C\u002Fh3>\n\u003Cp>CookieCode is a third party service that analyzes your website to look for tracking and analytical cookies.\u003Cbr \u002F>\nConsent given by the visitor is stored anonymously on our servers for audit purposes.\u003C\u002Fp>\n\u003Cp>Privacy statement: https:\u002F\u002Fcdn.cookiecode.nl\u002Fprivacy\u002Fwww.cookiecode.nl\u002Fen\u002Fpdf\u003C\u002Fp>\n","CookieCode enables your website to automatically comply with GDPR and e-privacy rules",400,6497,4,"2025-03-05T10:34:00.000Z","6.7.5","4.4","5.6",[20,131,132,133,90],"consent","cookie","eu","https:\u002F\u002Fcookiecode.nl\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcookiecode.2.4.5.zip",70,"2025-05-07 00:00:00",{"slug":139,"name":140,"version":73,"author":141,"author_profile":142,"description":143,"short_description":144,"active_installs":145,"downloaded":146,"rating":13,"num_ratings":13,"last_updated":147,"tested_up_to":148,"requires_at_least":149,"requires_php":150,"tags":151,"homepage":155,"download_link":156,"security_score":115,"vuln_count":13,"unpatched_count":13,"last_vuln_date":36,"fetched_at":29},"popstats","PopStats","oxig3n","https:\u002F\u002Fprofiles.wordpress.org\u002Foxig3n\u002F","\u003Cp>Popstats is a powerfull realtime stats tool for your wordpress, it makes you get to know more about your visitors.\u003C\u002Fp>\n\u003Cp>With PopStats now you can know:\u003Cbr \u002F>\n* where are your visitors coming from?\u003Cbr \u002F>\n* How many users are on line.\u003Cbr \u002F>\n* What browser are they using?\u003Cbr \u002F>\n* What OS are they using?\u003Cbr \u002F>\n* What’s the max number of users conected at same time.\u003Cbr \u002F>\n* If a user is on line, you can see what is he\u002Fshe 
watching.\u003C\u002Fp>\n\u003Cp>Popstats is a wordpress Plugin who was forgoten in the past, but i recover it and make it better. The project was started by Luis Sancho with the first version,\u003Cbr \u002F>\nand sometime before Andres Nieto made the second version, but now popstats is enhaced and updated by me, Victor Martinez(Oxigen).\u003C\u002Fp>\n\u003Cp>This version, can recognize all the new navigators like Chrome of Safari for Windows, and that’s why i updated the code, because before safari just ran over MacOS\u003Cbr \u002F>\nbut now is available a version for Windows. And the Style was updated to look like the gray dashboard of wordpress.\u003C\u002Fp>\n\u003Ch3>About the Autor\u003C\u002Fh3>\n\u003Cp>Go get more information visit \u003Ca href=\"http:\u002F\u002Fhyanetworks.com\u002F\" title=\"Your favorite software\" rel=\"nofollow ugc\">hyanetworks\u003C\u002Fa>\u003C\u002Fp>\n","Popstats is a plugin to enhace statics of your blog, now you'll know more about your visitors.",30,12113,"2010-12-30T17:28:00.000Z","2.9.2","2.1","",[20,152,153,154],"logs","statistics","stats","http:\u002F\u002Fhyanetworks.com\u002Fwordpress\u002F2010\u002F03\u002F03\u002Fmi-version-del-popstats\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpopstats.zip",{"attackSurface":158,"codeSignals":187,"taintFlows":203,"riskAssessment":204,"analyzedAt":215},{"hooks":159,"ajaxHandlers":183,"restRoutes":184,"shortcodes":185,"cronEvents":186,"entryPointCount":13,"unprotectedCount":13},[160,166,170,174,179],{"type":161,"name":162,"callback":163,"file":164,"line":165},"action","admin_init","onAdminInitAction","src\\Plugin.php",80,{"type":161,"name":167,"callback":168,"file":164,"line":169},"init","onInitAction",84,{"type":161,"name":171,"callback":172,"priority":26,"file":164,"line":173},"wp_head","addToEveryPage",91,{"type":161,"name":175,"callback":176,"file":177,"line":178},"admin_menu","renderMenu","src\\Service\\AdminMenu.php",41,{"type":161,"name":180,"callback":
181,"file":177,"line":182},"admin_head","addCustomSvgIcon",42,[],[],[],[],{"dangerousFunctions":188,"sqlUsage":189,"outputEscaping":191,"fileOperations":125,"externalRequests":13,"nonceChecks":71,"capabilityChecks":13,"bundledLibraries":202},[],{"prepared":13,"raw":13,"locations":190},[],{"escaped":192,"rawEcho":56,"locations":193},34,[194,197,200],{"file":177,"line":195,"context":196},72,"raw output",{"file":198,"line":199,"context":196},"src\\Service\\RequestHelper.php",20,{"file":201,"line":195,"context":196},"templates\\settings\\settings.php",[],[],{"summary":205,"deductions":206},"The \"laposta-signup-embed\" plugin v1.5.2 exhibits a generally good security posture based on the static analysis. The scan registered no AJAX handlers, REST API routes, or shortcodes and no unprotected entry points, which suggests a minimal attack surface; treat this as a scanner result rather than a complete inventory, because the fingerprints recorded for this plugin include an AJAX URL global and [laposta_signup_embed_form] shortcode output. Furthermore, the scan found no raw SQL queries and a high percentage of properly escaped output. The presence of a nonce check and file operations are noted, but without specific context on their implementation, their security impact is neutral. No capability checks were found, which is relevant because one of the historical issues was a missing capability check.\n\nHowever, the plugin's vulnerability history is a significant concern. With two known medium severity vulnerabilities, the plugin has a documented past of security weaknesses, even though none are currently unpatched. The fact that the last vulnerability was in September 2023 indicates that it has had security issues relatively recently. The common vulnerability type being Cross-Site Request Forgery (CSRF) suggests potential issues with state-changing actions not being adequately protected against unauthorized execution.\n\nIn conclusion, while the static analysis of version 1.5.2 indicates a well-written codebase with few immediate exploitable flaws and a small attack surface, the historical pattern of medium severity CSRF vulnerabilities warrants caution. 
Both recorded issues affected versions up to 1.1.0 and were patched in 1.1.1, so users should keep the plugin updated and be aware of the potential for past vulnerabilities to be re-introduced or similar ones to emerge. The plugin's strengths lie in its technical implementation in this version, but its weakness is its security track record.",[207,210,213],{"reason":208,"points":209},"Two known medium severity CVEs in history",10,{"reason":211,"points":212},"Recent vulnerability (2023-09-05)",5,{"reason":214,"points":212},"No capability checks found","2026-03-16T18:55:11.783Z",{"wat":217,"direct":228},{"assetPaths":218,"generatorPatterns":222,"scriptPaths":223,"versionParams":224},[219,220,221],"\u002Fwp-content\u002Fplugins\u002Flaposta-signup-embed\u002Fassets\u002Fcss\u002Flse-settings.css","\u002Fwp-content\u002Fplugins\u002Flaposta-signup-embed\u002Fassets\u002Fjs\u002Flse-settings\u002FLseSettings.js","\u002Fwp-content\u002Fplugins\u002Flaposta-signup-embed\u002Fassets\u002Fjs\u002Flse-settings\u002Fmain.js",[],[220,221],[225,226,227],"laposta-signup-embed\u002Fassets\u002Fcss\u002Flse-settings.css?ver=","laposta-signup-embed\u002Fassets\u002Fjs\u002Flse-settings\u002FLseSettings.js?ver=","laposta-signup-embed\u002Fassets\u002Fjs\u002Flse-settings\u002Fmain.js?ver=",{"cssClasses":229,"htmlComments":231,"htmlAttributes":233,"restEndpoints":235,"jsGlobals":236,"shortcodeOutput":239},[230],"lse-settings-field",[232],"\u003C!-- Laposta Signup Embed Form -->",[234],"data-laposta-api-key",[],[237,238],"laposta_signup_embed_ajax_url","LAPOSTA_SIGNUP_EMBED_AJAX_URL",[240],"[laposta_signup_embed_form]"]