[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fzCoCkvKSltWlm68wbliu7JoNtPdJIjho0egDx69KGTk":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30,"vulnerabilities":31,"developer":32,"crawl_stats":29,"alternatives":39,"analysis":58,"fingerprints":112},"login-form-anywhere","Login Form Anywhere","1.5","BCS Website Solutions","https:\u002F\u002Fprofiles.wordpress.org\u002Fbcswpplugins\u002F","\u003Cp>Allow admin to show login from anywhere in WordPress. There are 2 ways to do so:\u003Cbr \u002F>\nUse shortcode [loginform]. If redirect param is not passed, it will use the current page permalink as a redirect.\u003C\u002Fp>\n\u003Cp>OR\u003C\u002Fp>\n\u003Cp>Use shortcode [loginform redirect=”http:\u002F\u002Fwww.YOURDOMAIN.com\u002FPAGE”]. If a redirect param is set, it will redirect the user to that page. Do note that the page must be on the same URL, it will not redirect to external URLs.\u003C\u002Fp>\n","Allow admin to show login from anywhere in Wordpress.",60,4093,100,1,"2016-02-22T20:05:00.000Z","4.4.34","3.0.1","",[20,21,22,23,24],"add-login-form-to-page","add-login-form-to-post","add-login-form-to-widget","embed-login-form","login-form-shortcode","https:\u002F\u002Fwww.bcswebsitesolutions.com\u002Fdownloads\u002Flogin-form-anywhere\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flogin-form-anywhere.1.5.zip",85,0,null,"2026-03-15T15:16:48.613Z",[],{"slug":33,"display_name":7,"profile_url":8,"plugin_count":34,"total_installs":35,"avg_security_score":27,"avg_patch_time_days":36,"trust_score":37,"computed_at":38},"bcswpplugins",2,160,30,84,"2026-04-04T11:21:02.373Z",[40],{"slug":41,"name":42,"version":43,"author":44,"author_profile":45,"description":46,"short_description":47,"active_installs":28,"downloaded":48,"rating":49,"num_ratings":14,"last_updated":50,"tested_up_to":51,"requires_at_least":52,"requires_php":53,"tags":54,"homepage":18,"download_link":57,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"login-form-in-restricted-message-for-ultimate-member","Login Form in Restricted Message for Ultimate Member","1.0","realestatetips","https:\u002F\u002Fprofiles.wordpress.org\u002Frealestatetips\u002F","\u003Cp>Ultimate member is one of the \u003Ca href=\"https:\u002F\u002Fwww.iworksolo.com\u002F\" rel=\"nofollow ugc\">most popular\u003C\u002Fa> membership plugin out there. By default, Ultimate Member doesn’t support login form shortcode inside restricted access messages.\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwww.realestatetipsblog.com\u002F\" rel=\"nofollow ugc\">Real estate tips\u003C\u002Fa> brings this plugin which enables this feature so that you can \u003Ca href=\"https:\u002F\u002Fwww.yoursmallbusinessblog.com\u002F\" rel=\"nofollow ugc\">use your\u003C\u002Fa> login form shortcode inside restricted access messages.\u003C\u002Fp>\n","Ultimate member is one of the most popular membership plugin out there. By default, Ultimate Member doesn't support login form shortcode inside r …",1081,20,"2023-02-09T09:02:00.000Z","6.1.10","5.0","5.6",[24,55,56],"restricted-message","ultimate-member","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flogin-form-in-restricted-message-for-ultimate-member.1.0.zip",{"attackSurface":59,"codeSignals":96,"taintFlows":103,"riskAssessment":104,"analyzedAt":111},{"hooks":60,"ajaxHandlers":88,"restRoutes":89,"shortcodes":90,"cronEvents":95,"entryPointCount":14,"unprotectedCount":28},[61,68,73,77,80,83],{"type":62,"name":63,"callback":64,"priority":65,"file":66,"line":67},"filter","authenticate","bcs_lf_custom_authenticate",31,"loginfrom.php",72,{"type":69,"name":70,"callback":71,"file":66,"line":72},"action","admin_notices","bcs_lf_wp_admin_area_notice",89,{"type":69,"name":74,"callback":75,"file":66,"line":76},"admin_init","bcs_lf_login_form_notice_ignore",91,{"type":69,"name":74,"callback":78,"file":66,"line":79},"bcs_lf_login_email_ignore_ad",101,{"type":69,"name":70,"callback":81,"file":66,"line":82},"bcs_lf_my_admin_notice",131,{"type":62,"name":84,"callback":85,"priority":86,"file":66,"line":87},"plugin_action_links","bcs_lf_ad",10,135,[],[],[91],{"tag":92,"callback":93,"file":66,"line":94},"loginform","bcs_lf_login_form",55,[],{"dangerousFunctions":97,"sqlUsage":98,"outputEscaping":100,"fileOperations":28,"externalRequests":28,"nonceChecks":28,"capabilityChecks":28,"bundledLibraries":102},[],{"prepared":28,"raw":28,"locations":99},[],{"escaped":28,"rawEcho":28,"locations":101},[],[],[],{"summary":105,"deductions":106},"The \"login-form-anywhere\" plugin v1.5 exhibits a strong security posture based on the provided static analysis.  There are no detected dangerous functions, file operations, external HTTP requests, or unsanitized taint flows. All SQL queries utilize prepared statements, and output is properly escaped, indicating good development practices for preventing common web vulnerabilities.  The lack of any recorded CVEs and the absence of common vulnerability types further reinforce this positive assessment.\n\nHowever, the plugin's security is not without potential concerns. A notable observation is the complete absence of nonce and capability checks across all entry points, including the single shortcode. While the attack surface is currently small and appears to have no direct unprotected entry points, this lack of fundamental security checks presents a risk. If the shortcode or any future functionality were to process user-supplied data in a sensitive manner, the absence of these checks could allow for unauthorized actions or data manipulation, particularly if the plugin interacts with WordPress core functionalities in ways not immediately apparent from this analysis.\n\nIn conclusion, the plugin demonstrates sound coding practices for handling data and preventing direct exploits. The main weakness lies in the fundamental omission of nonce and capability checks. While this hasn't led to recorded vulnerabilities, it represents a potential risk that could be exploited if the plugin's functionality evolves or interacts with other components in unexpected ways. It's a plugin that is well-built in many regards but leaves room for improvement in basic WordPress security hygiene.",[107,109],{"reason":108,"points":86},"Missing nonce checks on all entry points",{"reason":110,"points":86},"Missing capability checks on all entry points","2026-03-16T21:50:44.108Z",{"wat":113,"direct":118},{"assetPaths":114,"generatorPatterns":115,"scriptPaths":116,"versionParams":117},[],[],[],[],{"cssClasses":119,"htmlComments":121,"htmlAttributes":122,"restEndpoints":123,"jsGlobals":124,"shortcodeOutput":125},[120],"button-primary",[],[],[],[],[126,127],"[loginform","\u003Ca class='button-primary' href='"]