[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fENfIhsXNv-89Kg0aWz3flgo_Adb0mw5qxucZ9YV0tGg":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30,"vulnerabilities":31,"developer":32,"crawl_stats":29,"alternatives":38,"analysis":39,"fingerprints":251},"limit-comments-and-word-count","Limit Comments and Word Count","1.2.4","artiosmedia","https:\u002F\u002Fprofiles.wordpress.org\u002Fartiosmedia\u002F","\u003Cp>This plugin adds an active letter counter, word counter, and comment counter above the comment box, providing users with constant visual access to their input activity. Any comment that exceeds the word limit will result in a red change in its count as the user types more words. If users try to post anyway, a warning dialogue will appear below the comment box stating the limit, and the comment will not post. Once the user edits the words that exceed the limit, the comment can be posted. User types are defined when a rule is created, allowing a rule to restrict a specific user type. Multiple rule types can be made if different rules are required.\u003C\u002Fp>\n\u003Cp>The plugin never restricts or limits the WordPress default user types Administrator, Editor, Author, and Contributor. If the blog administrator creates a rule for any of the three roles (Editor, Author, or Contributor) separately, that rule supersedes the default setting. Other user types that may appear in the user type dropdown do not default to WordPress and would require a rule to be created if limits are needed.\u003C\u002Fp>\n\u003Cp>This plugin also allows the blog administrator to limit the number of comments. The defined limit applies to each day, week, month, or year. Once the limit set by the selected time span is reached, an alert message explains why further comments are not allowed.\u003C\u002Fp>\n\u003Cp>The plugin settings allow you to disable the default WordPress flood protection notice, which blocks a user from quickly submitting successive posts and results in a 404 error. Additionally, a user is blocked by default from pasting the same comment, letter-for-letter, under any post. This can also be disabled.\u003C\u002Fp>\n\u003Cp>The latest addition enables activating a Comment Rules pop-up modal within the post. It can be deactivated in the settings, but is active by default. It appears in the top-left corner above the post’s comment box. You may create the rules to read however you wish in settings, but keep the text rules short, as in the sample text, or they will wrap and distort the appearance of the window.\u003C\u002Fp>\n\u003Cp>The plugin as a whole is straightforward, uses nearly no system resources, and is compatible with all tested blog add-ons loaded to the initial staging site. This includes membership platforms like Magic Members, MemberPress, Memberships Pro, Restrict Content Pro, LearnDash, S2Member and WooCommerce Memberships. Additionally, the plugin works with any other WordPress module that requires users to register before commenting. To clarify, for the plugin to track activity, a user must be registered and active. Logically, no plugin can monitor or limit unregistered anonymous comments. The plugin limits cannot control guests; only registered users can.\u003C\u002Fp>\n\u003Cp>As of \u003Cstrong>version 1.1.3\u003C\u002Fstrong>, you can now, from the metabox in each post, select the post to be exempt from the limit rules saved in the plugin’s settings. This has been a repeat feature request.\u003C\u002Fp>\n\u003Cp>As of \u003Cstrong>version 1.1.8\u003C\u002Fstrong>, an administrator can optionally enter a global value in the settings panel to limit the total number of comments allowed on all posts. If the field is left blank, WordPress’s default value is maintained.\u003C\u002Fp>\n\u003Cp>Notes: This plugin will not work with wpDiscuz where it uses its own hook and templates. If the limit is set to 2 comments in 24 hours, for example, and the moderator deletes one, the subscribers’ comments will now show that another comment remains. Previously, any comments in the trash within a limited time were counted against the subscriber.\u003C\u002Fp>\n\u003Cp>The plugin’s language support includes: English, Spanish, German, French, and Russian.\u003C\u002Fp>\n\u003Ch3>Using in Multisite Installation\u003C\u002Fh3>\n\u003Col>\n\u003Cli>Extract the zip file contents in the wp-content\u002Fmu-plugins\u002F directory of your WordPress installation. (This is not created by default. You must create it in the wp-content folder.) The ‘mu’ does not stand for multi-user, as it did for WPMU; it stands for ‘must-use’, as any code placed in that folder will run without needing to be activated.\u003C\u002Fli>\n\u003Cli>Access the Plugins settings panel named ‘Limit Comments and Word Count’ under options.\u003C\u002Fli>\n\u003Cli>Configure your settings with two different error messages and save the settings.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>Technical Details for Release 1.2.4\u003C\u002Fh3>\n\u003Cp>Load time: 0.311 s; Memory usage: 3.56 MiB\u003Cbr \u002F>\nPHP up to tested version: 8.3.28\u003Cbr \u002F>\nMySQL up to tested version: 8.4.7\u003Cbr \u002F>\nMariaDB up to tested version: 12.0.2\u003Cbr \u002F>\ncURL up to tested version: 8.17.0, OpenSSL\u002F3.6.0\u003Cbr \u002F>\nPHP 7.4, 8.0, 8.1, 8.2, and 8.3 compliant. Not tested on 8.4 yet.\u003C\u002Fp>\n","This plugin will limit the number of comments and the word count each user can add to a WordPress blog post, configurable by user role and time.",50,5900,88,9,"","6.9.0","4.6","7.4.33",[20,21,22,23,24],"comment-limits","comment-word-limit","comments-per-user","user-comment-limit","word-limits","http:\u002F\u002Fwordpress.org\u002Fplugins\u002Flimit-comments-and-word-count","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flimit-comments-and-word-count.1.2.4.zip",100,0,null,"2026-03-15T10:48:56.248Z",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":33,"total_installs":34,"avg_security_score":27,"avg_patch_time_days":35,"trust_score":36,"computed_at":37},8,4980,14,94,"2026-04-04T15:37:37.825Z",[],{"attackSurface":40,"codeSignals":176,"taintFlows":237,"riskAssessment":238,"analyzedAt":250},{"hooks":41,"ajaxHandlers":146,"restRoutes":164,"shortcodes":165,"cronEvents":173,"entryPointCount":174,"unprotectedCount":175},[42,48,51,57,61,64,68,71,74,78,82,86,90,94,96,99,103,107,110,113,117,121,124,127,131,135,138,142],{"type":43,"name":44,"callback":45,"file":46,"line":47},"action","admin_init","check_trial","limit-comments-and-word-count.php",65,{"type":43,"name":44,"callback":49,"file":46,"line":50},"run_on_upgrade",69,{"type":52,"name":53,"callback":54,"priority":55,"file":46,"line":56},"filter","plugin_row_meta","add_description_link",10,72,{"type":43,"name":58,"callback":59,"file":46,"line":60},"admin_head","lpwc_limit_post_count",75,{"type":43,"name":58,"callback":62,"file":46,"line":63},"remove_add_new",76,{"type":43,"name":65,"callback":66,"file":46,"line":67},"admin_menu","lpwc_menu",77,{"type":43,"name":44,"callback":69,"file":46,"line":70},"wpsnfl_init",79,{"type":43,"name":44,"callback":72,"file":46,"line":73},"add_notification",80,{"type":43,"name":75,"callback":76,"file":46,"line":77},"admin_print_scripts","lpwc_print_settings_js",81,{"type":43,"name":79,"callback":80,"file":46,"line":81},"admin_print_styles","print_settings_styles",82,{"type":43,"name":83,"callback":84,"file":46,"line":85},"wp_enqueue_scripts","add_comment_script",84,{"type":52,"name":87,"callback":88,"file":46,"line":89},"wp_insert_post_empty_content","limit_xml_rpc",86,{"type":52,"name":91,"callback":92,"priority":55,"file":46,"line":93},"comment_form_field_comment","add_comment_restrictions",87,{"type":52,"name":95,"callback":95,"file":46,"line":13},"preprocess_comment",{"type":52,"name":53,"callback":97,"priority":55,"file":46,"line":98},"add_details_link",90,{"type":52,"name":100,"callback":101,"priority":55,"file":46,"line":102},"comment_form_submit_button","restrict_comment_button",91,{"type":43,"name":104,"callback":105,"file":46,"line":106},"init","add_translations",92,{"type":52,"name":108,"callback":109,"file":46,"line":36},"comment_flood_filter","disable_comment_flood_protection",{"type":52,"name":95,"callback":111,"file":46,"line":112},"enable_duplicate_comments_preprocess_comment",97,{"type":43,"name":114,"callback":115,"file":46,"line":116},"comment_post","enable_duplicate_comments_comment_post",98,{"type":43,"name":118,"callback":119,"file":46,"line":120},"admin_notices","display_feature_message",109,{"type":43,"name":122,"callback":122,"priority":55,"file":46,"line":123},"add_meta_boxes",112,{"type":43,"name":125,"callback":125,"priority":55,"file":46,"line":126},"save_post",114,{"type":52,"name":128,"callback":129,"file":46,"line":130},"comments_open","hide_comment_form",116,{"type":43,"name":132,"callback":133,"file":46,"line":134},"admin_footer","hide_links",436,{"type":43,"name":118,"callback":136,"file":46,"line":137},"show_admin_message",1452,{"type":43,"name":139,"callback":140,"file":46,"line":141},"lpwc_add_notification","add_admin_notification_notice",1630,{"type":43,"name":143,"callback":144,"file":46,"line":145},"wp_footer","add_comment_rules",1631,[147,151,154,158,160],{"action":148,"nopriv":149,"callback":150,"hasNonce":149,"hasCapCheck":149,"file":46,"line":27},"lpwc_cancel_notification",false,"cancel_notification",{"action":148,"nopriv":152,"callback":150,"hasNonce":149,"hasCapCheck":149,"file":46,"line":153},true,101,{"action":155,"nopriv":149,"callback":156,"hasNonce":149,"hasCapCheck":149,"file":46,"line":157},"lpwc_review_clicked","review_clicked",103,{"action":155,"nopriv":152,"callback":156,"hasNonce":149,"hasCapCheck":149,"file":46,"line":159},104,{"action":161,"nopriv":149,"callback":162,"hasNonce":149,"hasCapCheck":149,"file":46,"line":163},"lpwc_close_feature_notification","close_feature_notification",106,[],[166,170],{"tag":167,"callback":168,"file":46,"line":169},"IN_LIMIT","limits_shortcode_handler",55,{"tag":171,"callback":168,"file":46,"line":172},"in_limit",56,[],7,5,{"dangerousFunctions":177,"sqlUsage":178,"outputEscaping":187,"fileOperations":28,"externalRequests":28,"nonceChecks":28,"capabilityChecks":33,"bundledLibraries":236},[],{"prepared":179,"raw":180,"locations":181},3,2,[182,185],{"file":46,"line":183,"context":184},133,"$wpdb->get_col() with variable interpolation",{"file":46,"line":186,"context":184},191,{"escaped":188,"rawEcho":189,"locations":190},41,22,[191,195,197,199,201,203,205,207,209,211,213,215,217,219,221,223,225,227,229,230,232,234],{"file":192,"line":193,"context":194},"includes\\comment-rules-modal.php",21,"raw output",{"file":46,"line":196,"context":194},451,{"file":46,"line":198,"context":194},888,{"file":46,"line":200,"context":194},889,{"file":46,"line":202,"context":194},890,{"file":46,"line":204,"context":194},891,{"file":46,"line":206,"context":194},892,{"file":46,"line":208,"context":194},893,{"file":46,"line":210,"context":194},894,{"file":46,"line":212,"context":194},895,{"file":46,"line":214,"context":194},909,{"file":46,"line":216,"context":194},913,{"file":46,"line":218,"context":194},918,{"file":46,"line":220,"context":194},922,{"file":46,"line":222,"context":194},933,{"file":46,"line":224,"context":194},941,{"file":46,"line":226,"context":194},945,{"file":46,"line":228,"context":194},1073,{"file":46,"line":228,"context":194},{"file":46,"line":231,"context":194},1463,{"file":46,"line":233,"context":194},1496,{"file":46,"line":235,"context":194},1569,[],[],{"summary":239,"deductions":240},"The 'limit-comments-and-word-count' plugin, version 1.2.4, exhibits a mixed security posture. While it demonstrates good practices in avoiding dangerous functions, file operations, and external HTTP requests, and a decent percentage of its SQL queries use prepared statements, significant concerns arise from its attack surface.  The presence of 5 AJAX handlers without authentication checks presents a notable risk, as these can be exploited by unauthenticated users to trigger unintended actions.  The complete lack of nonce checks further exacerbates this risk, making these AJAX endpoints highly vulnerable to Cross-Site Request Forgery (CSRF) attacks.  The plugin's history of zero known vulnerabilities is a positive sign, suggesting a generally stable codebase and diligent maintenance. However, this does not negate the immediate risks identified in the static analysis.",[241,243,245,248],{"reason":242,"points":55},"Unprotected AJAX handlers",{"reason":244,"points":55},"Missing nonce checks on AJAX handlers",{"reason":246,"points":247},"SQL queries not using prepared statements (40% of 5)",4,{"reason":249,"points":179},"Improperly escaped output (35% of 63)","2026-03-16T21:52:13.631Z",{"wat":252,"direct":261},{"assetPaths":253,"generatorPatterns":256,"scriptPaths":257,"versionParams":258},[254,255],"\u002Fwp-content\u002Fplugins\u002Flimit-comments-and-word-count\u002Fjs\u002Flimit-comments-admin.js","\u002Fwp-content\u002Fplugins\u002Flimit-comments-and-word-count\u002Fcss\u002Flimit-comments-admin.css",[],[254],[259,260],"limit-comments-and-word-count\u002Fjs\u002Flimit-comments-admin.js?ver=","limit-comments-and-word-count\u002Fcss\u002Flimit-comments-admin.css?ver=",{"cssClasses":262,"htmlComments":265,"htmlAttributes":268,"restEndpoints":270,"jsGlobals":272,"shortcodeOutput":274},[263,264],"lpwc_notice","lpwc_content",[266,267],"\u003C!-- Comment restrictions meta box -->","\u003C!-- End Comment restrictions meta box -->",[269],"data-lpwc-id",[271],"\u002Fwp-json\u002Flpwc\u002Fv1\u002Fsettings",[273],"lpwc_admin_obj",[275,276],"[IN_LIMIT]","[in_limit]"]