[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fY-IvundHa5b2oZf81xQuGY-yUqRKrJoTawZKrtqLDtU":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":24,"download_link":25,"security_score":26,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29,"vulnerabilities":30,"developer":31,"crawl_stats":28,"alternatives":36,"analysis":124,"fingerprints":344},"llavero-io","Llavero.io","0.1.4","davidnoguera","https:\u002F\u002Fprofiles.wordpress.org\u002Fdavidnoguera\u002F","\u003Cp>Llavero.io is a service created by Webempresa.com to give WordPress extra protection at login.\u003C\u002Fp>\n\u003Cp>The plugin creates a second authentication factor that links your WordPress blog account to your mobile device, so that nobody can log in to your account without first approving the access from your phone, through a push notification sent to your device.\u003C\u002Fp>\n\u003Cp>Llavero.io lets you define auto-lock schedules so that during those hours nobody can log in even with your correct password, for example while you are sleeping or on vacation.\u003C\u002Fp>\n\u003Cp>The blog administrator can override the users' values and require that each user can only log in during specific schedules defined by the administrator.\u003C\u002Fp>\n\u003Cp>You can find a quick-start guide to using Llavero.io at this link: https:\u002F\u002Fllavero.io\u002Fempieza-a-usar-llavero-wordpress\u002F\u003C\u002Fp>\n\u003Cp>The plugin does not track any kind of user information; external APIs are used only to set an open or closed state for the associated account, and at no point is information taken from WordPress to be 
stored on external servers.\u003C\u002Fp>\n\u003Ch3>Translations\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Spanish – default, always included\u003C\u002Fli>\n\u003C\u002Ful>\n","This plugin lets you link WordPress user accounts with Llavero.io to get a second authentication factor (2FA) on the login of the &hellip;",10,1991,80,4,"2018-03-03T04:21:00.000Z","4.9.29","4.6","5.3",[20,21,22,23],"2fa","authentication","login","security","https:\u002F\u002Fllavero.io\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fllavero-io.zip",85,0,null,"2026-03-15T15:16:48.613Z",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":32,"total_installs":11,"avg_security_score":26,"avg_patch_time_days":33,"trust_score":34,"computed_at":35},1,30,84,"2026-04-04T10:45:50.935Z",[37,59,76,93,109],{"slug":38,"name":39,"version":40,"author":41,"author_profile":42,"description":43,"short_description":44,"active_installs":45,"downloaded":46,"rating":13,"num_ratings":47,"last_updated":48,"tested_up_to":49,"requires_at_least":50,"requires_php":51,"tags":52,"homepage":56,"download_link":57,"security_score":58,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"wordfence-login-security","Wordfence Login Security","1.1.15","wfryan","https:\u002F\u002Fprofiles.wordpress.org\u002Fwfryan\u002F","\u003Ch3>WORDFENCE LOGIN SECURITY\u003C\u002Fh3>\n\u003Cp>Wordfence Login Security contains a subset of the functionality found in the full Wordfence plugin: Two-factor Authentication, XML-RPC Protection and Login Page CAPTCHA.\u003C\u002Fp>\n\u003Cp>Are you looking for comprehensive WordPress Security? 
\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwordfence\u002F\" rel=\"ugc\">Check out the full Wordfence plugin\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch4>TWO-FACTOR AUTHENTICATION\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Two-factor authentication (2FA), one of the most secure forms of remote system authentication available.\u003C\u002Fli>\n\u003Cli>Use any TOTP-based authenticator app or service like Google Authenticator, Authy, 1Password or FreeOTP.\u003C\u002Fli>\n\u003Cli>Enable 2FA for any WordPress user role.\u003C\u002Fli>\n\u003Cli>Completely free to use, no limits or restrictions of any kind.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>LOGIN PAGE CAPTCHA\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Easily enable Google ReCAPTCHA v3 on your login and registration pages.\u003C\u002Fli>\n\u003Cli>Stops bots from logging in without inconveniencing your site visitors.\u003C\u002Fli>\n\u003Cli>Robust protection against password guessing and credential stuffing attacks distributed across large IP pools\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>XML-RPC PROTECTION\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>XML-RPC is the biggest target for WordPress attacks, but is often overlooked.\u003C\u002Fli>\n\u003Cli>Protect XML-RPC with 2FA or disable it altogether if it’s not needed.\u003C\u002Fli>\n\u003C\u002Ful>\n","Secure your website with Wordfence Login Security, providing two-factor authentication, login and registration CAPTCHA, and XML-RPC 
protection.",70000,1239075,25,"2025-01-15T17:05:00.000Z","6.7.5","4.7","7.0",[20,53,54,23,55],"captcha","login-security","two-factor-authentication","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwordfence-login-security.1.1.15.zip",92,{"slug":60,"name":61,"version":62,"author":63,"author_profile":64,"description":65,"short_description":66,"active_installs":11,"downloaded":67,"rating":27,"num_ratings":27,"last_updated":68,"tested_up_to":69,"requires_at_least":70,"requires_php":71,"tags":72,"homepage":74,"download_link":75,"security_score":26,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"passclip-auth-for-wordpress","PassClip Auth for WordPress","1.0.5","Passlogy","https:\u002F\u002Fprofiles.wordpress.org\u002Fpasslogy\u002F","\u003Cp>You need strong password to protect your site. However, how do you remember it or is it really strong?\u003Cbr \u002F>\n“PassClip Auth” provides really strong password that is also easy to remember.\u003Cbr \u002F>\nOnce you make your “pattern”, you can get your password using “PassClip”. And the password will change every 30 seconds(at the shortest).\u003C\u002Fp>\n\u003Ch4>Get and sign up for PassClip\u003C\u002Fh4>\n\u003Col>\n\u003Cli>Go to \u003Ca href=\"https:\u002F\u002Fwww.passclip.com\u002F\" rel=\"nofollow ugc\">the page about PassClip\u003C\u002Fa> and install PassClip on your smart phone.\u003C\u002Fli>\n\u003Cli>Activate your PassClip by registering your “pattern” and email address.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>Sign up for PassClip Auth(PCA)\u003C\u002Fh4>\n\u003Col>\n\u003Cli>Input PassClip Code “paauth” in your PassClip. That makes a new slot in your PassClip.\u003C\u002Fli>\n\u003Cli>Go to \u003Ca href=\"https:\u002F\u002Fmember.passclip.com\u002Fmember\u002Fui\u002F\" rel=\"nofollow ugc\">PassClip Auth member’s page\u003C\u002Fa> and log in with your email address and password which the slot shows you.\u003C\u002Fli>\n\u003Cli>Make your “PassClip Code”. 
And then you get your “PassClip Auth app service id(PCA app service id)”. You need both “code” and “id” to use this plugin.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>How to apply PassClip Auth to your site\u003C\u002Fh4>\n\u003Col>\n\u003Cli>Install and activate this plugin to your WordPress.\u003C\u002Fli>\n\u003Cli>Go to PassClip Auth Options Setting from the menu.\u003C\u002Fli>\n\u003Cli>Input the PassClip Auth app service id(PCA app service id), PassClip Code and other items in the setting page and click the “Save Change” button.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>How to log in to WordPress site with PassClip Auth\u003C\u002Fh4>\n\u003Col>\n\u003Cli>Users register PassClip Code of your site in their PassClip. That makes a new slot to get password to log in to your site.\u003C\u002Fli>\n\u003Cli>Show the password in PassClip (tap the new slot).\u003C\u002Fli>\n\u003Cli>In login form of your site, users enter email address and password in the slot. (\u003Cstrong>Users do not need general WordPress password.\u003C\u002Fstrong>)\u003C\u002Fli>\n\u003Cli>Click the “Log in” button.\u003C\u002Fli>\n\u003C\u002Fol>\n","\"PassClip Auth\" provides strong and easy authentication. 
\"PassClip Auth for WordPress\" is the plugin to launch PassClip Auth to Wo &hellip;",2199,"2019-12-27T07:42:00.000Z","5.3.21","4.5","5.3.3",[20,22,73,23,55],"otp","https:\u002F\u002Fwww.passclip.com\u002Fja\u002Fpca\u002Fpca_for_wp\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpassclip-auth-for-wordpress.1.0.6.zip",{"slug":77,"name":78,"version":79,"author":80,"author_profile":81,"description":82,"short_description":83,"active_installs":27,"downloaded":84,"rating":27,"num_ratings":27,"last_updated":56,"tested_up_to":85,"requires_at_least":86,"requires_php":87,"tags":88,"homepage":89,"download_link":90,"security_score":91,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":92},"4login-for-secure-and-smart-access","4Login for Secure And Smart Access","0.1.0","4login","https:\u002F\u002Fprofiles.wordpress.org\u002F4login\u002F","\u003Cp>Secure your site with a strong password — without the hassle of remembering it.\u003Cbr \u002F>\nWith 4Login, you get simple yet powerful authentication that connects to an external server.\u003Cbr \u002F>\nSimply create your own pattern to generate a dynamic password that updates every 60 minutes.\u003C\u002Fp>\n\u003Cp>Please refer to the \u003Ca href=\"https:\u002F\u002Fwww.4login.jp\u002F\" rel=\"nofollow ugc\">operation Instructions \u003C\u002Fa> for instructions on how to use 4Login.\u003C\u002Fp>\n\u003Ch3>External services\u003C\u002Fh3>\n\u003Cp>This plugin connects to an external API to enable 4Login authentication.\u003Cbr \u002F>\nWhen logging in with 4Login, the plugin sends the 4Login App Service ID, the user’s email address, and a dynamic password .\u003Cbr \u002F>\nThese credentials are entered directly within the WordPress login interface.\u003C\u002Fp>\n\u003Cp>This authentication service is provided by Passlogy.\u003Cbr \u002F>\nFor more information, please review our\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwww.4login.jp\u002Fen\u002Fauto_terms\u002F\" rel=\"nofollow 
ugc\">Terms of Service\u003C\u002Fa> and\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwww.4login.jp\u002Fprivacy-policy\u002F?en=app\" rel=\"nofollow ugc\">Privacy Policy\u003C\u002Fa>.\u003C\u002Fp>\n","4Login will give you an easy and powerful authentication (connect to an external server for authentication).",431,"6.8.5","6.7","8.0",[20,22,73,23,55],"https:\u002F\u002Fwww.4login.jp\u002F4login-for-secure-and-smart-access\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002F4login-for-secure-and-smart-access.0.1.0.zip",100,"2026-03-15T10:48:56.248Z",{"slug":94,"name":95,"version":96,"author":97,"author_profile":98,"description":99,"short_description":100,"active_installs":27,"downloaded":101,"rating":91,"num_ratings":32,"last_updated":56,"tested_up_to":102,"requires_at_least":103,"requires_php":104,"tags":105,"homepage":107,"download_link":108,"security_score":91,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":92},"av-2fa","AV 2FA","1.2.0","Avrasys","https:\u002F\u002Fprofiles.wordpress.org\u002Favrasys\u002F","\u003Cp>AV 2FA adds a crucial layer of security to your WordPress login process. After a user successfully enters their password, this plugin sends a unique, time-sensitive verification code to their registered email address. The user must then enter this code to complete the login, effectively protecting their account even if their password is compromised.\u003C\u002Fp>\n\u003Cp>The plugin is designed to be lightweight, easy to use, and seamlessly integrated into the WordPress experience.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Key Features:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Email-Based 2FA:\u003C\u002Fstrong> Sends a 6-digit verification code to the user’s email.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Custom Login URL:\u003C\u002Fstrong> Hide your login page by setting a custom login slug. 
The default wp-login.php becomes inaccessible, protecting against brute force attacks and bots.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Rate Limiting & Account Lockout:\u003C\u002Fstrong> Protects against brute force attacks on 2FA codes with configurable thresholds and temporary lockouts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Progressive Lockout:\u003C\u002Fstrong> Automatically increases lockout duration for repeat offenders (2x, 4x, 8x multiplier).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IP-Based Protection:\u003C\u002Fstrong> Tracks failed attempts by IP address to prevent distributed attacks.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Email Notifications:\u003C\u002Fstrong> Alerts users when their account is locked due to suspicious activity.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Admin Controls:\u003C\u002Fstrong> View and manually unlock locked accounts from the settings page.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Customizable Code Validity:\u003C\u002Fstrong> Admin can set how long the code is valid for (default is 60 seconds).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>User Exclusion List:\u003C\u002Fstrong> Easily bypass 2FA for specific users (e.g., admin or integration accounts) by adding their User ID to an exclusion list.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Countdown Timer:\u003C\u002Fstrong> The verification screen displays a countdown timer to show the user how much time is left.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Secure & Reliable:\u003C\u002Fstrong> Uses WordPress’s built-in mailer and secure practices for code generation and verification.\u003C\u002Fli>\n\u003C\u002Ful>\n","A simple and secure Two-Factor Authentication plugin that sends a verification code to your 
email.",290,"6.9.4","5.2","7.4",[20,106,23,55],"secure-login","https:\u002F\u002Favrasys.hu\u002Fletoltes\u002Fav-2fa-wordpress-ketfaktoros-hitelesites-bovitmeny","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fav-2fa.1.2.0.zip",{"slug":110,"name":111,"version":112,"author":113,"author_profile":114,"description":115,"short_description":116,"active_installs":27,"downloaded":117,"rating":27,"num_ratings":27,"last_updated":56,"tested_up_to":102,"requires_at_least":118,"requires_php":119,"tags":120,"homepage":56,"download_link":123,"security_score":91,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":92},"db-solution-2fa","DB Solution – 2FA","15.4","Davide Baraldi","https:\u002F\u002Fprofiles.wordpress.org\u002Fdavidebaraldi\u002F","\u003Cp>\u003Cstrong>DB Solution – 2FA\u003C\u002Fstrong> transforms your WordPress login security by integrating seamlessly into the DB Solution ecosystem.\u003Cbr \u002F>\nDon’t rely just on a password: protect your work with a dual-layer system designed to be invisible to hackers but simple for you.\u003C\u002Fp>\n\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FAlipj1PDJ9Y?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>🔥 NEW IN VERSION 15.4: ADVANCED SECURITY\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Strict Mode (Anti-Hacker):\u003C\u002Fstrong> Now you can bind the OTP code to the specific IP address and Device requesting it. 
If a hacker intercepts the code but tries to use it from a different location, it won’t work!\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Custom OTP Expiration:\u003C\u002Fstrong> You decide how long the code is valid (e.g., 15 or 30 minutes). Increased flexibility for your users.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Enhanced Feedback:\u003C\u002Fstrong> Clear confirmation messages when you save your settings.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Key Features:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Two-Factor Authentication (2FA):\u003C\u002Fstrong> Sends a secure OTP (One Time Password) to your email upon login.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Strict Mode:\u003C\u002Fstrong> (New) Prevents code reuse from different IP addresses or browsers.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Secret Login URL:\u003C\u002Fstrong> Hide standard entry points (\u003Ccode>wp-login.php\u003C\u002Fcode> and \u003Ccode>wp-admin\u003C\u002Fcode>) by replacing them with a custom address (e.g., \u003Ccode>mysite.com\u002Fprivate-access\u003C\u002Fcode>).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Master Switch:\u003C\u002Fstrong> A single smart switch to instantly activate or deactivate all security barriers in case of emergency.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Login Monitor:\u003C\u002Fstrong> Get notified via email whenever a successful login occurs (includes IP and timestamp).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>DB Solution Hub:\u003C\u002Fstrong> Centralized management via the professional DB Solution suite interface.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Why use it?\u003C\u002Fstrong>\u003Cbr \u002F>\nMost automated attacks (brute force) target standard WordPress URLs.\u003Cbr \u002F>\nBy changing the URL and adding 2FA with Strict Mode, you eliminate 99% of automated risks.\u003C\u002Fp>\n","Advanced security module for the DB Solution suite. 
Adds email-based 2FA, Strict Mode protection, and hides the standard login URL.",305,"6.0","8.2",[20,21,121,122,23],"custom-login","protection","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdb-solution-2fa.15.4.zip",{"attackSurface":125,"codeSignals":205,"taintFlows":250,"riskAssessment":331,"analyzedAt":343},{"hooks":126,"ajaxHandlers":168,"restRoutes":201,"shortcodes":202,"cronEvents":203,"entryPointCount":11,"unprotectedCount":204},[127,133,137,141,144,148,151,156,160,164],{"type":128,"name":129,"callback":130,"file":131,"line":132},"action","admin_menu","cill_ciberllavero_main","weciberllavero.php",17,{"type":128,"name":134,"callback":135,"file":131,"line":136},"admin_enqueue_scripts","cill_admin_enqueue_javascript",43,{"type":128,"name":138,"callback":139,"file":131,"line":140},"show_user_profile","cill_additional_profile_fields",174,{"type":128,"name":142,"callback":139,"file":131,"line":143},"edit_user_profile",175,{"type":128,"name":145,"callback":146,"file":131,"line":147},"personal_options_update","cill_save_profile_fields",231,{"type":128,"name":149,"callback":146,"file":131,"line":150},"edit_user_profile_update",232,{"type":152,"name":153,"callback":154,"priority":11,"file":131,"line":155},"filter","wp_authenticate_user","cill_comprueba_login_ciberllavero",241,{"type":128,"name":157,"callback":158,"file":131,"line":159},"manage_users_columns","cill_columnas_de_usuario",414,{"type":128,"name":161,"callback":162,"priority":11,"file":131,"line":163},"manage_users_custom_column","cill_rellena_columnas_ciberllavero",420,{"type":128,"name":165,"callback":166,"priority":32,"file":131,"line":167},"login_enqueue_scripts","cill_loginscript",696,[169,173,176,179,183,186,189,192,195,198],{"action":170,"nopriv":171,"callback":170,"hasNonce":171,"hasCapCheck":171,"file":131,"line":172},"cill_get_user_data",false,449,{"action":174,"nopriv":171,"callback":174,"hasNonce":171,"hasCapCheck":171,"file":131,"line":175},"cill_empezar",472,{"action":177,"nopriv":
171,"callback":177,"hasNonce":171,"hasCapCheck":171,"file":131,"line":178},"cill_desvincular_cuenta",519,{"action":180,"nopriv":171,"callback":180,"hasNonce":171,"hasCapCheck":181,"file":131,"line":182},"cill_set_apikey",true,565,{"action":184,"nopriv":171,"callback":184,"hasNonce":171,"hasCapCheck":181,"file":131,"line":185},"cill_set_appid",596,{"action":187,"nopriv":171,"callback":187,"hasNonce":171,"hasCapCheck":171,"file":131,"line":188},"cill_config_test",626,{"action":190,"nopriv":171,"callback":190,"hasNonce":171,"hasCapCheck":171,"file":131,"line":191},"cill_send_2fanotify",658,{"action":193,"nopriv":181,"callback":193,"hasNonce":171,"hasCapCheck":171,"file":131,"line":194},"cill_getmeinfo",700,{"action":196,"nopriv":181,"callback":196,"hasNonce":171,"hasCapCheck":171,"file":131,"line":197},"cill_getmeinfo_apertura",784,{"action":199,"nopriv":181,"callback":199,"hasNonce":171,"hasCapCheck":171,"file":131,"line":200},"cill_send_notification",852,[],[],[],8,{"dangerousFunctions":206,"sqlUsage":207,"outputEscaping":218,"fileOperations":27,"externalRequests":32,"nonceChecks":27,"capabilityChecks":248,"bundledLibraries":249},[],{"prepared":27,"raw":14,"locations":208},[209,212,214,216],{"file":210,"line":150,"context":211},"includes\\helper.php","$wpdb->get_results() with variable interpolation",{"file":210,"line":213,"context":211},268,{"file":131,"line":215,"context":211},728,{"file":131,"line":217,"context":211},809,{"escaped":219,"rawEcho":220,"locations":221},59,11,[222,226,228,230,231,233,236,238,241,243,246],{"file":223,"line":224,"context":225},"includes\\views\\config.php",56,"raw 
output",{"file":223,"line":227,"context":225},95,{"file":223,"line":229,"context":225},104,{"file":223,"line":229,"context":225},{"file":223,"line":232,"context":225},132,{"file":234,"line":235,"context":225},"includes\\views\\configmanual.php",54,{"file":234,"line":237,"context":225},66,{"file":239,"line":240,"context":225},"includes\\views\\debug.php",39,{"file":242,"line":220,"context":225},"includes\\views\\inicio.php",{"file":244,"line":245,"context":225},"includes\\view_helper.php",21,{"file":244,"line":247,"context":225},22,3,[],[251,267,275,286,296,313,322],{"entryPoint":252,"graph":253,"unsanitizedCount":248,"severity":266},"\u003Cconfig> (includes\\views\\config.php:0)",{"nodes":254,"edges":264},[255,259],{"id":256,"type":257,"label":258,"file":223,"line":204},"n0","source","$_POST (x3)",{"id":260,"type":261,"label":262,"file":223,"line":11,"wp_function":263},"n1","sink","update_option() [Settings Manipulation]","update_option",[265],{"from":256,"to":260,"sanitized":171},"low",{"entryPoint":268,"graph":269,"unsanitizedCount":248,"severity":266},"\u003Cconfigmanual> (includes\\views\\configmanual.php:0)",{"nodes":270,"edges":273},[271,272],{"id":256,"type":257,"label":258,"file":234,"line":204},{"id":260,"type":261,"label":262,"file":234,"line":11,"wp_function":263},[274],{"from":256,"to":260,"sanitized":171},{"entryPoint":276,"graph":277,"unsanitizedCount":27,"severity":266},"cill_set_apikey (weciberllavero.php:567)",{"nodes":278,"edges":284},[279,282],{"id":256,"type":257,"label":280,"file":131,"line":281},"$_POST",577,{"id":260,"type":261,"label":262,"file":131,"line":283,"wp_function":263},587,[285],{"from":256,"to":260,"sanitized":181},{"entryPoint":287,"graph":288,"unsanitizedCount":27,"severity":266},"cill_set_appid 
(weciberllavero.php:598)",{"nodes":289,"edges":294},[290,292],{"id":256,"type":257,"label":280,"file":131,"line":291},608,{"id":260,"type":261,"label":262,"file":131,"line":293,"wp_function":263},617,[295],{"from":256,"to":260,"sanitized":181},{"entryPoint":297,"graph":298,"unsanitizedCount":27,"severity":266},"\u003Cweciberllavero> (weciberllavero.php:0)",{"nodes":299,"edges":310},[300,302,303,306],{"id":256,"type":257,"label":301,"file":131,"line":281},"$_POST (x2)",{"id":260,"type":261,"label":262,"file":131,"line":283,"wp_function":263},{"id":304,"type":257,"label":301,"file":131,"line":305},"n2",712,{"id":307,"type":261,"label":308,"file":131,"line":215,"wp_function":309},"n3","get_results() [SQLi]","get_results",[311,312],{"from":256,"to":260,"sanitized":181},{"from":304,"to":307,"sanitized":181},{"entryPoint":314,"graph":315,"unsanitizedCount":32,"severity":321},"cill_getmeinfo (weciberllavero.php:702)",{"nodes":316,"edges":319},[317,318],{"id":256,"type":257,"label":280,"file":131,"line":305},{"id":260,"type":261,"label":308,"file":131,"line":215,"wp_function":309},[320],{"from":256,"to":260,"sanitized":171},"high",{"entryPoint":323,"graph":324,"unsanitizedCount":32,"severity":321},"cill_getmeinfo_apertura (weciberllavero.php:786)",{"nodes":325,"edges":329},[326,328],{"id":256,"type":257,"label":280,"file":131,"line":327},793,{"id":260,"type":261,"label":308,"file":131,"line":217,"wp_function":309},[330],{"from":256,"to":260,"sanitized":171},{"summary":332,"deductions":333},"The 'llavero-io' plugin exhibits several security concerns despite a clean vulnerability history. The static analysis reveals a significant attack surface with 10 AJAX handlers, of which 8 lack authentication checks. This is a critical vulnerability, as it allows unauthenticated users to interact with potentially sensitive plugin functionalities. 
Furthermore, all 4 SQL queries are executed without prepared statements, increasing the risk of SQL injection vulnerabilities, especially in conjunction with the unprotected AJAX endpoints. Taint analysis indicates 2 high-severity flows, suggesting potential for data manipulation or unauthorized access, although their exact nature is not detailed here. The absence of nonce checks on AJAX endpoints further exacerbates the risk of Cross-Site Request Forgery (CSRF) attacks. While the plugin has no recorded vulnerabilities, this should not be interpreted as a sign of robust security, given the identified weaknesses in the code itself. The high percentage of properly escaped outputs (84%) and the absence of dangerous functions or file operations are positive signs. However, the numerous unprotected entry points and the reliance on raw SQL queries pose a substantial risk that needs immediate attention.",[334,336,338,341],{"reason":335,"points":11},"Unprotected AJAX handlers",{"reason":337,"points":11},"Raw SQL queries without prepared statements",{"reason":339,"points":340},"High severity taint flows",15,{"reason":342,"points":11},"Missing nonce checks on AJAX","2026-03-16T23:45:27.748Z",{"wat":345,"direct":352},{"assetPaths":346,"generatorPatterns":348,"scriptPaths":349,"versionParams":351},[347],"\u002Fwp-content\u002Fplugins\u002Fllavero-io\u002Fincludes\u002Fjs\u002Fcilib.js",[],[350,347],"https:\u002F\u002Funpkg.com\u002Fnode-forge@0.7.0\u002Fdist\u002Fforge.min.js",[],{"cssClasses":353,"htmlComments":354,"htmlAttributes":355,"restEndpoints":366,"jsGlobals":367,"shortcodeOutput":369},[],[],[356,357,358,359,360,361,362,363,364,365],"id=\"cill_messages\"","id=\"cill_appid\"","id=\"ciberllaverouserkey\"","id=\"ciberllavelogin_user\"","id=\"ciberllavelogin_password\"","name=\"empezarcill\"","name=\"ciberllavelogin_user\"","name=\"ciberllavelogin_password\"","name=\"cill_appid\"","name=\"cill_dejardeusar\"",[],[368],"window.cilib",[]]