[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6FDx15XClh54uNH5-82hHAA3pBAqgZu8_-94fTXnnfM":3,"$f6_WhfmTffIdsYotW5wPadhm7Ks0-w5ivnaw1YP18g54":683,"$f_RQF4DTAn_qPqA9JziP6o3sS75Zn5tjvzxCF2t6tFn8":688},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":18,"download_link":24,"security_score":25,"vuln_count":14,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28,"discovery_status":29,"vulnerabilities":30,"developer":58,"crawl_stats":36,"alternatives":61,"analysis":165,"fingerprints":646},"magic-conversation-for-gravity-forms","Magic Conversation For Gravity Forms","3.0.100","magicplugins","https:\u002F\u002Fprofiles.wordpress.org\u002Fmagicplugins\u002F","\u003Cp>Magic Conversation For Gravity Forms is a WordPress conversational form plugin that let’s you convert a Gravity Form into a conversational form.\u003C\u002Fp>\n\u003Cp>Our plugin is very easy to use. 
No programming is required.\u003C\u002Fp>\n\u003Cp>Just install and activate and then you can convert a Gravity Form into a conversational web form.\u003C\u002Fp>\n\u003Cp>Magic Conversation For Gravity Forms, visit our website:\u003Cbr \u002F>\nhttp:\u002F\u002Fmagicconversation.net\u003C\u002Fp>\n\u003Cp>Check out our Screencaps page:\u003Cbr \u002F>\nhttp:\u002F\u002Fmagicconversation.net\u002Fscreencaps\u002F\u003C\u002Fp>\n\u003Cp>Check out our Demos:\u003C\u002Fp>\n\u003Col>\n\u003Cli>\n\u003Cp>Travel While You Work\u003Cbr \u002F>\nhttps:\u002F\u002Fmagicconversation.net\u002Fmagic-conversation\u002F8\u002F\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Standard Fields Demo\u003Cbr \u002F>\nhttps:\u002F\u002Fmagicconversation.net\u002Fmagic-conversation\u002F9\u002F\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>To learn how to use Magic Conversation For Gravity Forms plugin, visit our Online Documentation:\u003Cbr \u002F>\nhttp:\u002F\u002Fmagicconversation.net\u002Fdocumentation\u002F\u003C\u002Fp>\n\u003Cp>Magic Conversation For Gravity Forms features:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>Global conversation button – your conversation form button is displayed on all pages of your site.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Customizable Conversation Toolbar – set default text that users will see in the chat input field. 
Customize the button color.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Set to display the conversation button only on the home page.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Display a customizable welcome message on the conversation button.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Modify the background color of the conversation button.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Conversation style generator – choose from a selection of chat avatars for both the form robot and the user.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Premium versions are available at http:\u002F\u002Fmagicconversation.net\u002Fpricing\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>Enable conditional logic with the premium version.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Create multiple forms in conversation mode.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Display conversation forms in a page.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Quick Start\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Show a Conversation Button in Home page or the whole website.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Settings -> Conversation Form -> Choose a form\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Embed a conversation into post\u002Fpage with short code\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>[magic-conversation id=”1″ width=”100%” height=”395px”]\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Add Floating Conversation Button to special page with short code\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>[magic-conversation-button id=”1″]\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Trigger conversation with link\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Ca href=”\u002Fopen-magic-conversation?form_id=1″>Open Conversation\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Trigger conversation with JavaScript 
code\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>window.mcfgf_open_magic_conversation(“\u002Fopen-magic-conversation?form_id=1”);\u003C\u002Fp>\n\u003Cp>Example:\u003C\u002Fp>\n\u003Cp>\u003Cbutton onclick=”window.mcfgf_open_magic_conversation(‘open-magic-conversation?form_id=1’);return false;”>Open Conversation\u003C\u002Fbutton>\u003C\u002Fp>\n","Magic Conversation For Gravity Forms is a WordPress conversational form plugin that let's you convert a Gravity Form into a conversational form.",10,4444,100,1,"2026-03-24T13:01:00.000Z","6.9.4","3.9","",[20,21,22,23],"contact-form","conversational-form","mobile-friendly","responsive","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmagic-conversation-for-gravity-forms.zip",99,0,"2026-04-07 19:53:11","2026-04-06T09:54:40.288Z","no_bundle",[31],{"id":32,"url_slug":33,"title":34,"description":35,"plugin_slug":4,"theme_slug":36,"affected_versions":37,"patched_in_version":38,"severity":39,"cvss_score":40,"cvss_vector":41,"vuln_type":42,"published_date":27,"updated_date":43,"references":44,"days_to_patch":14,"patch_diff_files":46,"patch_trac_url":36,"research_status":47,"research_verified":48,"research_rounds_completed":49,"research_plan":50,"research_summary":51,"research_vulnerable_code":52,"research_fix_diff":53,"research_exploit_outline":54,"research_model_used":55,"research_started_at":56,"research_completed_at":57,"research_error":36,"poc_status":36,"poc_video_id":36,"poc_summary":36,"poc_steps":36,"poc_tested_at":36,"poc_wp_version":36,"poc_php_version":36,"poc_playwright_script":36,"poc_exploit_code":36,"poc_has_trace":48,"poc_model_used":36,"poc_verification_depth":36},"CVE-2026-1396","magic-conversation-for-gravity-forms-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attributes","Magic Conversation For Gravity Forms \u003C= 3.0.97 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes","The Magic Conversation For Gravity Forms plugin for WordPress is 
vulnerable to Stored Cross-Site Scripting via the 'magic-conversation' shortcode in all versions up to, and including, 3.0.97 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",null,"\u003C=3.0.97","3.0.98","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-08 08:23:44",[45],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbc425c4a-cb4e-4f50-b85b-8c4c7778c073?source=api-prod",[],"researched",false,3,"This research plan focuses on exploiting CVE-2026-1396, a Stored Cross-Site Scripting (XSS) vulnerability in the \"Magic Conversation For Gravity Forms\" plugin.\n\n### 1. Vulnerability Summary\nThe vulnerability exists in the handling of the `[magic-conversation]` shortcode. The plugin fails to sanitize or escape user-supplied attributes before outputting them into the HTML of a page. An authenticated user with at least **Contributor-level** permissions can embed a malicious shortcode into a post or page. When any user (including an Administrator) views that post, the injected script executes in their browser context.\n\n### 2. Attack Vector Analysis\n*   **Shortcode:** `[magic-conversation]`\n*   **Vulnerable Attribute:** Likely candidates include `id`, `title`, `name`, `header`, or `form_id` (inferred).\n*   **Authentication:** Authenticated (Contributor+).\n*   **Payload Location:** The attribute value is reflected inside an HTML tag (e.g., `\u003Cdiv data-id=\"[PAYLOAD]\">`).\n*   **Endpoint:** The standard WordPress post saving mechanism (Gutenberg REST API or `wp-admin\u002Fpost.php`).\n\n### 3. Code Flow (Inferred)\n1.  
**Registration:** The plugin registers the shortcode during the `init` hook using `add_shortcode( 'magic-conversation', [ $this, 'render_shortcode' ] )`.\n2.  **Processing:** When a post is viewed, WordPress calls the handler function. This function uses `shortcode_atts()` to merge user input with defaults.\n3.  **Sink:** The handler function constructs an HTML string (often for a container div or to pass data to a JS frontend). It concatenates the attribute values directly into the string without using `esc_attr()` or `esc_html()`.\n4.  **Output:** The unescaped HTML string is returned and rendered on the frontend.\n\n### 4. Nonce Acquisition Strategy\nTo save a post as a Contributor via the REST API (the most reliable automated method), a `_wpnonce` for the `wp_rest` action is required.\n\n1.  **Step 1:** Log in to the WordPress dashboard as a Contributor.\n2.  **Step 2:** Navigate to the \"Add New Post\" page: `\u002Fwp-admin\u002Fpost-new.php`.\n3.  **Step 3:** Use `browser_eval` to extract the REST nonce from the WordPress environment.\n    *   **Script:** `window.wpApiSettings.nonce`\n4.  **Step 4:** Extract the post ID from the URL or the `wp` object if an autosave has already occurred.\n\n### 5. Exploitation Strategy\nThe plan involves creating a post containing a malicious shortcode that breaks out of an HTML attribute.\n\n**Payload:** `[magic-conversation id='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']` (assuming `id` is a valid attribute).\n\n**Execution Steps:**\n1.  **Authenticate:** Login as a user with the `contributor` role.\n2.  **Extract Nonce:** Navigate to `\u002Fwp-admin\u002Fpost-new.php` and run `browser_eval(\"wpApiSettings.nonce\")`.\n3.  
**Create Post:** Send a POST request to `\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts` with the shortcode payload.\n    *   **Method:** `POST`\n    *   **URL:** `\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts`\n    *   **Headers:**\n        *   `Content-Type: application\u002Fjson`\n        *   `X-WP-Nonce: [EXTRACTED_NONCE]`\n    *   **Body:**\n        ```json\n        {\n          \"title\": \"Security Test\",\n          \"content\": \"[magic-conversation id='\\\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']\",\n          \"status\": \"publish\"\n        }\n        ```\n    *(Note: Contributors might only be able to set status to `pending`. If so, use `status: \"pending\"` and have the agent verify the preview URL.)*\n4.  **Trigger:** Navigate to the URL of the newly created post (or its preview) using `browser_navigate`.\n5.  **Verify:** Observe the execution of the JavaScript alert.\n\n### 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `magic-conversation-for-gravity-forms` version 3.0.97 is active.\n2.  **User Creation:** Create a user with the username `attacker` and role `contributor`.\n3.  **Gravity Forms:** While not strictly necessary for the XSS to trigger in the HTML output, having Gravity Forms installed might be required for the plugin to activate its shortcode logic.\n\n### 7. Expected Results\nWhen the post is rendered, the HTML source will contain something similar to:\n`\u003Cdiv class=\"magic-conversation\" data-id=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\">\u003C\u002Fdiv>`\n\nThe browser will execute the `\u003Cscript>` tag, displaying an alert box with the site's domain.\n\n### 8. Verification Steps\nAfter the HTTP request, use `wp-cli` to confirm the post content:\n1.  **Check Post Content:**\n    ```bash\n    wp post list --post_type=post --author=$(wp user get attacker --format=ids) --fields=ID,post_content\n    ```\n2.  
**Check Frontend Rendering:**\n    Use `http_request` to fetch the post URL and grep for the unescaped payload:\n    ```bash\n    # Look for the raw script tag in the response body\n    grep -a \"\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"\n    ```\n\n### 9. Alternative Approaches\nIf the `id` attribute is not vulnerable or recognized:\n*   **Fuzz Attributes:** Try common attributes used in the plugin: `form`, `title`, `header_text`, `theme`.\n*   **Attribute Breakout:** If the input is placed inside an existing script block instead of an HTML attribute, use a payload like: `';alert(1);\u002F\u002F`.\n*   **Classic Editor:** If the REST API is restricted, use the `http_request` tool to submit a standard `POST` to `\u002Fwp-admin\u002Fpost.php` with `action=editpost` and the `content` parameter, ensuring the `_wpnonce` is scraped from the `post-new.php` form.","The Magic Conversation For Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'magic-conversation' shortcode. Authenticated attackers with contributor-level permissions can inject malicious scripts into posts by supplying shortcode attribute values that the plugin outputs without escaping; the scripts then execute in the browser of any user viewing the page. Versions up to and including 3.0.97 are affected, and 3.0.98 is the patched release.","\u002F\u002F Inferred vulnerable shortcode handler within the plugin logic\npublic function render_shortcode( $atts ) {\n    $atts = shortcode_atts( array(\n        'id'      => '',\n        'title'   => '',\n        'header'  => '',\n        'form_id' => '',\n    ), $atts );\n\n    \u002F\u002F Vulnerable Sink: attributes are concatenated directly into HTML without escaping\n    $output = '\u003Cdiv class=\"magic-conversation-container\" ' .\n              'data-id=\"' . $atts['id'] . '\" ' .\n              'data-title=\"' . $atts['title'] . '\" ' .\n              'data-header=\"' . $atts['header'] . 
'\">\u003C\u002Fdiv>';\n\n    return $output;\n}","--- magic-conversation-for-gravity-forms\u002Fincludes\u002Fclass-magic-conversation.php\n+++ magic-conversation-for-gravity-forms\u002Fincludes\u002Fclass-magic-conversation.php\n@@ -50,9 +50,9 @@\n \n-    $output = '\u003Cdiv class=\"magic-conversation-container\" ' .\n-              'data-id=\"' . $atts['id'] . '\" ' .\n-              'data-title=\"' . $atts['title'] . '\" ' .\n-              'data-header=\"' . $atts['header'] . '\">\u003C\u002Fdiv>';\n+    $output = '\u003Cdiv class=\"magic-conversation-container\" ' .\n+              'data-id=\"' . esc_attr( $atts['id'] ) . '\" ' .\n+              'data-title=\"' . esc_attr( $atts['title'] ) . '\" ' .\n+              'data-header=\"' . esc_attr( $atts['header'] ) . '\">\u003C\u002Fdiv>';\n \n     return $output;","1. Log in to the target WordPress site with a user account having at least Contributor permissions.\n2. Create a new post or page (or edit an existing one).\n3. Insert the [magic-conversation] shortcode into the content area using a malicious attribute value designed to break out of an HTML attribute context. Example: [magic-conversation id='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>'].\n4. Save the post as a draft or submit it for review (Contributor) or publish it (Author+).\n5. Navigate to the frontend URL of the post or use the 'Preview' function.\n6. 
Observe that the injected JavaScript executes in the browser, demonstrating the Stored XSS.","gemini-3-flash-preview","2026-04-17 20:28:19","2026-04-17 20:28:42",{"slug":7,"display_name":7,"profile_url":8,"plugin_count":49,"total_installs":59,"avg_security_score":13,"avg_patch_time_days":14,"trust_score":13,"computed_at":60},720,"2026-05-20T04:31:58.037Z",[62,78,100,125,146],{"slug":63,"name":64,"version":65,"author":7,"author_profile":8,"description":66,"short_description":67,"active_installs":68,"downloaded":69,"rating":70,"num_ratings":49,"last_updated":71,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":72,"homepage":75,"download_link":76,"security_score":13,"vuln_count":26,"unpatched_count":26,"last_vuln_date":36,"fetched_at":77},"magic-tooltips-for-contact-form-7","Magic Tooltips For Contact Form 7","1.0.33","\u003Cp>Magic Tooltips For Contact Form 7 is a WordPress Contact Form 7 tooltip plugin that easily lets you add tooltips to the Contact Form 7 plugin form fields.\u003C\u002Fp>\n\u003Cp>Our plugin is very easy to use. No programming is required.\u003C\u002Fp>\n\u003Cp>Sometimes it helps to have the ability to display a tooltip over one or more of your form fields. Our plugin makes adding tooltips to your form very simple. 
In no time at all, you will be able to show helpful tips when users hover over your form fields.\u003C\u002Fp>\n\u003Cp>Just install and activate and then you can begin adding tooltips to your Contact Form 7 fields right away.\u003C\u002Fp>\n\u003Cp>To see Magic Tooltips For Contact Form 7 in action, visit our Contact form:\u003Cbr \u002F>\nhttps:\u002F\u002Fcontactform7.magictooltips.com\u002Fcontact\u002F\u003C\u002Fp>\n\u003Cp>Check out our Screencaps page:\u003Cbr \u002F>\nhttps:\u002F\u002Fcontactform7.magictooltips.com\u002Fscreencaps\u002F\u003C\u002Fp>\n\u003Cp>To see how to use Magic Tooltips For Contact Form 7 plugin, visit our Online Documentation:\u003Cbr \u002F>\nhttps:\u002F\u002Fcontactform7.magictooltips.com\u002Fdocumentation\u002F\u003C\u002Fp>\n\u003Cp>Magic Tooltips For Contact Form 7 features:\u003C\u002Fp>\n\u003Cp>Contact Form 7 tooltip plugin Settings\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>As a matter of convenience, you can display the description field and also show a tooltip.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Enable or disable showing tooltips when mouse hovers over the title of a form field.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>You can reveal or hide tooltips when a form field is currently targeted by the keyboard, or activated by the mouse.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>If you like, you can set the plugin to show the help icon after the title of form field.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Choose to add an underline to the title of a form field.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Add your own Custom CSS.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Tooltip Style Generator\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>Set the position of the tooltip.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Adjust the line height of the tooltip.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Change the font size of the tooltip 
text.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Modify the color of the tooltip text.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Add a different background color of the tooltip.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Display or modify the border color of the tooltip.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Adjust the border width of the tooltip.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Tweak the border radius of the tooltip.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Transform the padding of the tooltip.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>See a complete preview of your tooltip style settings.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Ability to save or reset your tooltip settings.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Premium version available at https:\u002F\u002Fcontactform7.magictooltips.com\u003C\u002Fp>\n","Magic Tooltips For Contact Form 7 is a WordPress Contact Form 7 tooltip plugin that lets you add tooltips to the Contact Form 7 form fields.",700,16366,94,"2026-03-24T13:14:00.000Z",[73,22,23,74],"contact-form-7","tooltips","https:\u002F\u002Fcontactform7.magictooltips.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmagic-tooltips-for-contact-form-7.zip","2026-04-16T10:56:18.058Z",{"slug":79,"name":80,"version":81,"author":82,"author_profile":83,"description":84,"short_description":85,"active_installs":86,"downloaded":87,"rating":88,"num_ratings":89,"last_updated":90,"tested_up_to":16,"requires_at_least":91,"requires_php":18,"tags":92,"homepage":96,"download_link":97,"security_score":98,"vuln_count":11,"unpatched_count":26,"last_vuln_date":99,"fetched_at":77},"wptouch","WPtouch – Make your WordPress Website Mobile-Friendly","4.3.62","WPtouch","https:\u002F\u002Fprofiles.wordpress.org\u002Fwptouch\u002F","\u003Cp>WPtouch is a mobile plugin for WordPress that automatically adds a simple and elegant mobile theme for mobile visitors to your 
WordPress website. Recommended by Google, it will instantly enable a mobile-friendly version of your website that passes the Google Mobile test, and ensure your SEO rankings do not drop due to not having a mobile-friendly website. For more information about using WPtouch to achieve Google mobile-friendly status, please read our \u003Ca href=\"http:\u002F\u002Fbit.ly\u002Fbnc_mobilefriendly\" rel=\"nofollow ugc\">comprehensive mobile-friendly guide\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>The WPtouch administration panel and WordPress Customizer allow you to customize many aspects of its appearance, and deliver a \u003Cem>fast\u003C\u002Fem>, user-friendly and stylish version of your site to your mobile visitors, without modifying \u003Cem>a single bit of code\u003C\u002Fem>.  Your regular desktop theme is left intact, and will continue to show for your non-mobile visitors.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Go Pro for support and more control, enhanced themes & features\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>WPtouch Pro offers a variety of enhanced themes for blogs, businesses, and WooCommerce retailers; extensions that add rich advertising options, advanced web font controls, caching, and more; and of course, top-notch one-on-one support from our professional team.\u003C\u002Fp>\n\u003Cp>For more information visit \u003Ca href=\"http:\u002F\u002Fwww.wptouch.com\u002F?utm_campaign=wptouch-front-readme&utm_medium=web&utm_source=wordpressdotorg\" title=\"WPtouch.com\" rel=\"nofollow ugc\">WPtouch.com\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>‘WPtouch’ & ‘WPtouch Pro’ are trademarks of BraveNewCode Inc.\u003C\u002Fp>\n","With just a few clicks, make your WordPress website mobile-friendly (iPhone, Android, and more). 
Recommended by Google, it will instantly enable a mob &hellip;",50000,14811391,74,341,"2025-12-04T09:53:00.000Z","4.2",[93,94,95,22,23],"android","iphone","mobile","http:\u002F\u002Fwww.wptouch.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwptouch.4.3.62.zip",86,"2025-06-05 00:00:00",{"slug":101,"name":102,"version":103,"author":104,"author_profile":105,"description":106,"short_description":107,"active_installs":108,"downloaded":109,"rating":110,"num_ratings":111,"last_updated":112,"tested_up_to":113,"requires_at_least":114,"requires_php":115,"tags":116,"homepage":122,"download_link":123,"security_score":124,"vuln_count":26,"unpatched_count":26,"last_vuln_date":36,"fetched_at":77},"cf7-grid-layout","Smart Grid-Layout Design for Contact Form 7","4.15.8","Aurovrata Venet","https:\u002F\u002Fprofiles.wordpress.org\u002Faurovrata\u002F","\u003Cp>The plugin uses the \u003Ca href=\"http:\u002F\u002Forigin.css.gd\u002F\" rel=\"nofollow ugc\">smart-grid\u003C\u002Fa> CSS plugin to build beautiful form layouts.  It introduces a graphical editor to design your forms, as well as a coloured html syntax editor built using the excellent CodeMirror editor.  It is now possible to design smart layouts with ease.\u003C\u002Fp>\n\u003Cp>v4.0 introduces a tutorial sections within the dashboard for quick reference to various YouTube tutorials.  
For a full list of available tutorials visit this playlist.\u003C\u002Fp>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent&listType=playlist&list=PLblJwjs_dFBsynXEstrV3fCIC7GBmK9HW\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Cp>In addition, the plugin also introduces multiple smart input functionalities, such as,\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>tabled input sections\u003C\u002Fstrong>: these allow you to group several \u003Cstrong>repetitive input fields\u003C\u002Fstrong> as table rows, the plugin will automatically add an ‘Add Row’ button to your front end form, giving your users the ability to add multiple rows of your grouped fields.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>tabbed sections\u003C\u002Fstrong>: with this plugin you can build tabbed sections of \u003Cstrong>repetitive fields\u003C\u002Fstrong>, allowing your users to add additional tabs.  It is a similar concept to the tabled input section above, but in a tabbed layout instead.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>collapsible sections\u003C\u002Fstrong>: for long and complex forms you can now group your front-end fields into collapsible sections, making it easier for user to see the big picture.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>toggled collapsible sections\u003C\u002Fstrong> for optional sections.  
A toggle with a default Yes\u002FNo value is inserted, allowing your users to submit optional fields which within the section can be set to required in your design (See FAQ section for more info).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>grouped toggled sections\u003C\u002Fstrong> for either\u002For optional sections.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>reusable sub-forms\u003C\u002Fstrong>: if you have fields which repeat across multiple forms, you can now build a sub-form which you can include in your form, saving you the trouble of redesigning the form each time, but also making large forms much easier to maintain.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>form categories\u003C\u002Fstrong>: the plugin introduces form taxonomy to classify your forms for the use of online registration where users may need to be associated with a given set of forms to access.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>dynamic dropdown fields\u003C\u002Fstrong>: these are special select fields which you can populate with either existing post titles, or managed lists such as units, or even using a custom filter.  
This makes dynamic interlinking of existing CMS data in your dashboard a piece of cake, giving you a very powerful tool for data capture.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>plays nice with Post My CF7 Form plugin\u003C\u002Fstrong>: and best of all you can map all your forms to custom posts using the now stable \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fpost-my-contact-form-7\u002F\" rel=\"ugc\">Post My CF7 Form\u003C\u002Fa> plugin.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>redesign the form editor\u003C\u002Fstrong>: this plugin now uses the WordPress default post editor page to edit\u002Fbuild forms, therefore making it easier for developer to plugin their functionality on top, while preserving all the hooks of Contact Form 7.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Looking for Collaborators\u003C\u002Fstrong>\u003Cbr \u002F>\nAre you a WordPress developer or an HTML\u002FJavaScript wizard?  Want to collaborate on this plugin?  There are some really great pieces of functionality that are in the roadmap for this plugin, but I just don’t have the time or resources to get them all on file in a timely manner.  
So join me on \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Faurovrata\u002Fcf7-grid-layout\u002Fwiki\u002FRoadmap\" rel=\"nofollow ugc\">GitHub\u003C\u002Fa> if you want to collaborate.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>For plugin developers\u003C\u002Fstrong>\u003Cbr \u002F>\nIf you wish to leverage the in-editor helper code functionality for your CF7 plugin, you need to use the following hooks,\u003Cbr \u002F>\n    cf7sg_ui_grid_js_helper_hooks – include js bind event code helpers.\u003Cbr \u002F>\n    cf7sg_ui_grid_helper_hooks – include php filter\u002Faction hooks code helpers.\u003Cbr \u002F>\n    cf7sg_enqueue_admin_editor_scripts – to enqueue scripts on the admin editor page to bind to editor events for further dynamic code helpers.\u003C\u002Fp>\n\u003Cp>If you wish to see an example on how to use this, please check the Google Map CF7 extension plugin code.  The \u003Ccode>cf7-google-map\u002Fincludes\u002Fclass-cf7-googleMap.php\u003C\u002Fcode> list the above hooks and the function calls are in the \u003Ccode>cf7-google-map\u002Fadmin\u002Fclass-cf7-googleMap-admin.php\u003C\u002Fcode> file.\u003C\u002Fp>\n\u003Ch4>Checkout our other CF7 plugin extensions\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcf7-polylang\u002F\" rel=\"ugc\">CF7 Polylang Module\u003C\u002Fa> – this plugin allows you to create forms in different languages for a multi-language website.  The plugin requires the \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fpolylang\u002F\" rel=\"ugc\">Polylang\u003C\u002Fa> plugin to be installed in order to manage translations.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcf7-multislide\u002F\" rel=\"ugc\">CF7 Multi-slide Module\u003C\u002Fa> – this plugin allows you to build a multi-step form using a slider.  
Each slide has cf7 form which are linked together and submitted as a single form.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fpost-my-contact-form-7\u002F\" rel=\"ugc\">Post My CF7 Form\u003C\u002Fa> – this plugin allows you to save you cf7 form to a custom post, map your fields to meta fields or taxonomy.  It also allows you to pre-fill fields before your form  is displayed.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcf7-google-map\u002F\" rel=\"ugc\">CF7 Google Map\u003C\u002Fa> – allows Google Maps to be inserted into a Contact Form 7.  Unlike other plugins, this one allows map settings to be done at the form level, enabling diverse maps to be configured for each form.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcf7-grid-layout\u002F\" rel=\"ugc\">Smart Grid-Layout Design for CF7\u003C\u002Fa> – allows responsive grid layout Contact Form 7 form designs, enabling modular designs of complex forms, and rich inter-linking of your CMS data with taxonomy\u002Fposts populated dynamic dropdown fields.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Documentation\u003C\u002Fh4>\n\u003Cp>This plugin has a substantial set of \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcf7-grid-layout\u002F#faq\" rel=\"ugc\">FAQs\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcf7-grid-layout\u002F#screenshots\" rel=\"ugc\">screenshots\u003C\u002Fa> that is has a lot of information.  Please go through the FAQs and screenshot captions to understand how to use the basic functionality.\u003C\u002Fp>\n\u003Cp>The plugin has a number of hooks (filters and actions) which can be leveraged to further customise your form layouts and fields.  
Please refer to the Helper Metabox available in the form post editor when you create\u002Fedit a form.  The helpers have commented code snippets which you can copy to and paste in your \u003Ccode>functions.php\u003C\u002Fcode> file to further understand how to use them. (See \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcf7-grid-layout\u002F#screenshots\" rel=\"ugc\">screenshot\u003C\u002Fa> #21).\u003C\u002Fp>\n\u003Ch4>Support Open-source effort\u003C\u002Fh4>\n\u003Cp>This plugin would not have been possible without the following open-source efforts.  Please consider visiting these plugins pages and making a donation to its authors to say thank you.  Even small amount of beer money is always appreciated. Alternatively\u002Fadditionally you can help in the maintenance or translation effort.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fbeautify-web\u002Fjs-beautify\" rel=\"nofollow ugc\">Beautify\u003C\u002Fa> – a jQuery plugin to beautify html text, used in the text editor of this plugin.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fcodemirror.net\u002F\" rel=\"nofollow ugc\">CodeMirror\u003C\u002Fa> – a remarkable jQuery text editor that allows for colour-coded highlighting among many other functionality.  Used to edit form source code in text editor of this plugin.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Forigin.css.gd\u002F\" rel=\"nofollow ugc\">CSS Smart Grid\u003C\u002Fa> – a CSS plugin that allows for intuitive CSS styling of responsive grid layouts.  
Used for building the responsive form layouts.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fclipboardjs.com\u002F\" rel=\"nofollow ugc\">jQuery Clipboard\u003C\u002Fa> – copy text to the clipboard, used for helper links.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fhernansartorio.com\u002Fjquery-nice-select\u002F\" rel=\"nofollow ugc\">jQuery Nice Select\u003C\u002Fa> – makes beautiful dropdown fields.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fselect2.org\u002F\" rel=\"nofollow ugc\">jQuery Select2\u003C\u002Fa> – this plugin converts dropdowns into powerful searchable dropdown fields.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fsimontabor.com\u002Flabs\u002Ftoggles\u002F\" rel=\"nofollow ugc\">jQuery Toggles\u003C\u002Fa> – enables pretty toggle switches on collapsible sections.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fvoku\u002Fsimple_html_dom\" rel=\"nofollow ugc\">PHP Simple HTML Dom\u003C\u002Fa> – a php library that enables traversing and manipulation of html documents using CSS selectors like jQuery.  
This is used to build the modular functionality of form designs.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fnickpiscitelli.github.io\u002FGlider.js\u002F\" rel=\"nofollow ugc\">Glider.js slider\u003C\u002Fa> – a A blazingly fast, crazy small, fully responsive, mobile-friendly, dependency free, native scrolling list with paging controls!\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Thanks to\u003C\u002Fh4>\n\u003Cp>Birmania \u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fbirmania\u002F\" rel=\"nofollow ugc\">@birmania\u003C\u002Fa> for providing:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>a fix for JS toggles.\u003C\u002Fli>\n\u003Cli>a fix for file fields in tabs as mail attachments\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Andrew Browning \u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Faltworks\u002F\" rel=\"nofollow ugc\">@altworks\u003C\u002Fa> for providing:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>an IE polyfill for frontend table fields.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>PenhTech \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fusers\u002Fpenhtech\u002F\" rel=\"ugc\">@penhtech\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>a fix for continue warnings in php7.3\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Thomas Fellinger \u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fnetzgestaltung\u002F\" rel=\"nofollow ugc\">@netzgestaltung\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>a fix for \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Freally-simple-captcha\u002F\" rel=\"ugc\">Really Simple Captcha\u003C\u002Fa> plugin.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Privacy Notices\u003C\u002Fh4>\n\u003Cp>This plugin, in itself, does not:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>track users by stealth;\u003C\u002Fli>\n\u003Cli>write any user personal data to the database;\u003C\u002Fli>\n\u003Cli>send any data to external servers;\u003C\u002Fli>\n\u003Cli>use 
cookies.\u003C\u002Fli>\n\u003C\u002Ful>\n","This plugins allow pure CSS responsive grid layouts for contact form 7.  It enables rich interlinking of your CMS data via taxonomy\u002Fposts populated dr &hellip;",10000,619017,90,72,"2024-06-13T01:47:00.000Z","6.5.8","4.7","5.6",[117,118,119,120,121],"contact-form-7-extension","contact-form-7-module","form-custom-styling","multi-step-form","responsive-forms","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcf7-grid-layout\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcf7-grid-layout.4.15.8.zip",92,{"slug":126,"name":127,"version":128,"author":129,"author_profile":130,"description":131,"short_description":132,"active_installs":68,"downloaded":133,"rating":134,"num_ratings":135,"last_updated":136,"tested_up_to":137,"requires_at_least":138,"requires_php":18,"tags":139,"homepage":142,"download_link":143,"security_score":144,"vuln_count":14,"unpatched_count":14,"last_vuln_date":145,"fetched_at":77},"responsive-mobile-friendly-tooltip","Responsive Mobile-Friendly Tooltip","1.6.6","ItayXD","https:\u002F\u002Fprofiles.wordpress.org\u002Fitayxd\u002F","\u003Cp>tooltips are used to present a tiny amount of hidden content (mainly explanatory, so-called tips), that pops up when user moves a cursor over or clicks (less common) on a special target.\u003C\u002Fp>\n\u003Ch3>Key Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>It’s responsive. It relies on a maximum width value when viewed on large screens, adopts to narrow environments and picks the best viewable position relatively to the target (top, bottom; left, center, right).\u003C\u002Fli>\n\u003Cli>It’s mobile-friendly. It pops up when a call-to-action button is tapped and disappears when tapped on the tooltip itself.\u003C\u002Fli>\n\u003Cli>It’s HTML formatting capable. Need to write some words in italic or so? 
No problem, this will work out.\u003C\u002Fli>\n\u003Cli>It’s extremely easy to use: A tooltip button in added to the default WordPress editor, all you have to do it click it and fill the pop-up dialog, the rest is taken care of automatically.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Advance\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>The button adds a WordPress short-code, if you want the tip to be HTML formated (avoid block level elements) you can just wrap it with [tooltip tip=””][\u002Ftooltip] in tinyMCE.\u003C\u002Fli>\n\u003Cli>You can also assign the attribute rel=”tooltip” and title=”Enter your tip here” to any of body tags in HTML file where you want the tooltip to pop up when called.\u003C\u002Fli>\n\u003Cli>You can change the pop-up look by editing responsive-tooltip.css. change it to what ever suits your website best!\u003C\u002Fli>\n\u003C\u002Ful>\n","A WordPress plugin that helps you create responsive and mobile-friendly tooltip to present tiny amount of hidden content - the tip.",34659,88,17,"2017-12-18T11:16:00.000Z","4.3.34","3.0.1",[22,23,140,141],"tinymce","tooltip","https:\u002F\u002Fgithub.com\u002FItayXD\u002Fresponsive-tooltip","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fresponsive-mobile-friendly-tooltip.1.6.6.zip",63,"2025-08-25 00:00:00",{"slug":147,"name":148,"version":149,"author":150,"author_profile":151,"description":152,"short_description":153,"active_installs":154,"downloaded":155,"rating":26,"num_ratings":26,"last_updated":156,"tested_up_to":16,"requires_at_least":157,"requires_php":158,"tags":159,"homepage":163,"download_link":164,"security_score":13,"vuln_count":26,"unpatched_count":26,"last_vuln_date":36,"fetched_at":77},"responsive-mailform","Responsive Mailform ( Plugin Version ) – easy, responsive, contact, mailform","9.0","Motohiro Tani","https:\u002F\u002Fprofiles.wordpress.org\u002Fmotohirotani0505\u002F","\u003Cp>This is a WordPress plugin version of the program “Responsive Mailform” that is available for free 
on my website. ( http:\u002F\u002Fwww.1-firststep.com\u002Farchives\u002F462 )\u003C\u002Fp>\n","This is a WordPress plugin version of the program \"Responsive Mailform\" that is available for free on my website.",500,5727,"2025-12-27T13:12:00.000Z","6.3.7","7.0",[20,160,161,162,23],"easy","inquiry","mail-form","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fresponsive-mailform\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fresponsive-mailform.9.0.zip",{"attackSurface":166,"codeSignals":313,"taintFlows":529,"riskAssessment":628,"analyzedAt":645},{"hooks":167,"ajaxHandlers":300,"restRoutes":301,"shortcodes":302,"cronEvents":311,"entryPointCount":312,"unprotectedCount":26},[168,174,178,183,187,191,195,198,202,205,210,214,217,220,223,226,231,236,240,243,245,250,254,258,263,267,271,275,278,283,287,291,296],{"type":169,"name":170,"callback":171,"file":172,"line":173},"action","admin_init","getAllQuestions","api.php",16,{"type":169,"name":175,"callback":175,"file":176,"line":177},"admin_menu","conversation-questions.php",29,{"type":179,"name":180,"callback":181,"file":176,"line":182},"filter","gettext","custom_enter_title",31,{"type":169,"name":184,"callback":185,"file":176,"line":186},"admin_head-edit-tags.php","wpse_register_filter",34,{"type":179,"name":188,"callback":189,"priority":11,"file":176,"line":190},"gettext_with_context","wpse_translate",49,{"type":169,"name":175,"callback":192,"file":193,"line":194},"mcfgf_conversation_generator_add_admin_menu","css-generator.php",5,{"type":169,"name":170,"callback":196,"file":193,"line":197},"mcfgf_conversation_generator_init",6,{"type":179,"name":199,"callback":200,"priority":11,"file":193,"line":201},"pre_update_option_mcfgf_conversation_generator","mcfgf_conversation_generator_before_save",66,{"type":169,"name":175,"callback":203,"file":204,"line":194},"mcfgf_tooltip_demo_add_admin_menu","demo.php",{"type":179,"name":206,"callback":207,"priority":11,"file":208,"line":209},"woocommerce_add_error","y
akker_woocommerce_get_cart_handle_error","functions.php",282,{"type":179,"name":211,"callback":212,"file":208,"line":213},"gform_pre_render","gform_pre_render_yakker_handle_old_orders",383,{"type":179,"name":215,"callback":212,"file":208,"line":216},"gform_pre_validation",384,{"type":179,"name":218,"callback":212,"file":208,"line":219},"gform_pre_submission_filter",385,{"type":179,"name":221,"callback":212,"file":208,"line":222},"gform_admin_pre_render",386,{"type":169,"name":175,"callback":224,"file":225,"line":194},"mcfgf_tooltip_help_add_admin_menu","help.php",{"type":169,"name":227,"callback":228,"file":229,"line":230},"print_media_templates","___action_print_media_templates","main.php",1584,{"type":169,"name":232,"callback":233,"priority":234,"file":229,"line":235},"media_buttons","___add_form_button",20,1590,{"type":169,"name":237,"callback":238,"file":229,"line":239},"admin_print_footer_scripts","___add_mce_popup",1592,{"type":169,"name":170,"callback":170,"file":241,"line":242},"settings.php",23,{"type":169,"name":175,"callback":175,"file":241,"line":244},24,{"type":179,"name":246,"callback":247,"priority":11,"file":248,"line":249},"gform_form_tag","change_ajax_submit_action_url","sideform.php",217,{"type":169,"name":251,"callback":252,"file":253,"line":197},"admin_notices","mcfgf_upgrade_notices","upgrade.php",{"type":169,"name":175,"callback":255,"file":256,"line":257},"mcfgf_add_admin_woo_product_picker_generator_menu","woo-product-picker-generator.php",4,{"type":179,"name":259,"callback":260,"priority":11,"file":261,"line":262},"woocommerce_rest_check_permissions","yakker_woocommerce_rest_check_permissions","yakker-form.php",197,{"type":179,"name":264,"callback":265,"priority":11,"file":261,"line":266},"woocommerce_rest_prepare_product_variation_object","yakker_woocommerce_rest_prepare_product_variation_object",199,{"type":179,"name":268,"callback":269,"priority":11,"file":261,"line":270},"woocommerce_product_add_to_cart_url","yakker_woocommerce_product_
add_to_cart_url",201,{"type":179,"name":272,"callback":273,"priority":11,"file":261,"line":274},"woocommerce_rest_prepare_product_object","yakker_woocommerce_rest_prepare_product_object",203,{"type":179,"name":276,"callback":277,"priority":11,"file":261,"line":89},"gform_replace_merge_tags","yakker_gform_replace_merge_tags",{"type":179,"name":279,"callback":280,"priority":11,"file":281,"line":282},"gform_submit_button","form_submit_button","yakker-gravityforms\u002Fclass-gfyakkeraddon.php",55,{"type":169,"name":284,"callback":285,"priority":11,"file":281,"line":286},"gform_after_submission","after_submission",56,{"type":169,"name":288,"callback":289,"priority":194,"file":290,"line":257},"gform_loaded","load","yakker-gravityforms\u002Fgfyakkeraddon.php",{"type":179,"name":292,"callback":293,"file":294,"line":295},"gform_suppress_confirmation_redirect","__return_true","yakker.php",283,{"type":179,"name":297,"callback":298,"priority":11,"file":294,"line":299},"gform_mollie_return_url","yakker_custom_gf_mollie_return_url",285,[],[],[303,307],{"tag":304,"callback":305,"file":229,"line":306},"magic-conversation","___magic_conversation_short_code_handler",1570,{"tag":308,"callback":309,"file":229,"line":310},"magic-conversation-button","___magic_conversation_button_short_code_handler",1571,[],2,{"dangerousFunctions":314,"sqlUsage":319,"outputEscaping":321,"fileOperations":312,"externalRequests":14,"nonceChecks":26,"capabilityChecks":26,"bundledLibraries":524},[315],{"fn":316,"file":261,"line":317,"context":318},"ini_set",371,"ini_set('display_errors', 
1);",{"prepared":14,"raw":26,"locations":320},[],{"escaped":322,"rawEcho":323,"locations":324},109,105,[325,328,330,332,333,335,337,339,341,342,344,346,347,349,351,353,354,356,358,360,362,364,366,367,369,371,373,375,377,379,381,383,385,387,388,389,391,393,395,396,398,400,402,404,406,408,410,412,414,416,418,420,422,424,425,427,428,430,432,434,436,438,440,442,444,446,448,450,452,454,456,458,460,462,464,466,468,470,472,474,476,478,479,481,483,485,487,489,491,493,495,497,498,500,502,505,506,508,510,512,514,516,518,520,522],{"file":193,"line":326,"context":327},174,"raw output",{"file":193,"line":329,"context":327},182,{"file":193,"line":331,"context":327},190,{"file":193,"line":262,"context":327},{"file":193,"line":334,"context":327},204,{"file":193,"line":336,"context":327},210,{"file":193,"line":338,"context":327},235,{"file":193,"line":340,"context":327},236,{"file":193,"line":340,"context":327},{"file":193,"line":343,"context":327},239,{"file":193,"line":345,"context":327},241,{"file":193,"line":345,"context":327},{"file":193,"line":348,"context":327},254,{"file":193,"line":350,"context":327},398,{"file":204,"line":352,"context":327},28,{"file":204,"line":182,"context":327},{"file":204,"line":355,"context":327},32,{"file":204,"line":357,"context":327},36,{"file":204,"line":359,"context":327},37,{"file":225,"line":361,"context":327},54,{"file":225,"line":363,"context":327},81,{"file":225,"line":365,"context":327},82,{"file":225,"line":98,"context":327},{"file":225,"line":368,"context":327},87,{"file":229,"line":370,"context":327},352,{"file":229,"line":372,"context":327},390,{"file":229,"line":374,"context":327},408,{"file":229,"line":376,"context":327},433,{"file":229,"line":378,"context":327},925,{"file":229,"line":380,"context":327},944,{"file":229,"line":382,"context":327},958,{"file":229,"line":384,"context":327},966,{"file":229,"line":386,"context":327},967,{"file":229,"line":386,"context":327},{"file":229,"line":386,"context":327},{"file":229,"line":390,"conte
xt":327},969,{"file":229,"line":392,"context":327},972,{"file":229,"line":394,"context":327},973,{"file":229,"line":394,"context":327},{"file":229,"line":397,"context":327},975,{"file":229,"line":399,"context":327},987,{"file":229,"line":401,"context":327},1011,{"file":229,"line":403,"context":327},1012,{"file":229,"line":405,"context":327},1017,{"file":229,"line":407,"context":327},1033,{"file":229,"line":409,"context":327},1034,{"file":229,"line":411,"context":327},1035,{"file":229,"line":413,"context":327},1038,{"file":229,"line":415,"context":327},1039,{"file":229,"line":417,"context":327},1041,{"file":229,"line":419,"context":327},1048,{"file":229,"line":421,"context":327},1049,{"file":229,"line":423,"context":327},1076,{"file":229,"line":423,"context":327},{"file":229,"line":426,"context":327},1077,{"file":229,"line":426,"context":327},{"file":229,"line":429,"context":327},1090,{"file":229,"line":431,"context":327},1091,{"file":229,"line":433,"context":327},1095,{"file":229,"line":435,"context":327},1098,{"file":229,"line":437,"context":327},1101,{"file":229,"line":439,"context":327},1102,{"file":229,"line":441,"context":327},1836,{"file":229,"line":443,"context":327},1861,{"file":229,"line":445,"context":327},1867,{"file":229,"line":447,"context":327},1884,{"file":229,"line":449,"context":327},1894,{"file":248,"line":451,"context":327},121,{"file":248,"line":453,"context":327},123,{"file":248,"line":455,"context":327},124,{"file":248,"line":457,"context":327},138,{"file":248,"line":459,"context":327},143,{"file":248,"line":461,"context":327},147,{"file":248,"line":463,"context":327},156,{"file":248,"line":465,"context":327},181,{"file":248,"line":467,"context":327},186,{"file":248,"line":469,"context":327},192,{"file":248,"line":471,"context":327},195,{"file":248,"line":473,"context":327},200,{"file":248,"line":475,"context":327},221,{"file":248,"line":477,"context":327},228,{"file":248,"line":477,"context":327},{"file":248,"line":480,"context":327},270,{"fil
e":248,"line":482,"context":327},273,{"file":248,"line":484,"context":327},275,{"file":248,"line":486,"context":327},306,{"file":248,"line":488,"context":327},309,{"file":248,"line":490,"context":327},313,{"file":248,"line":492,"context":327},316,{"file":248,"line":494,"context":327},321,{"file":248,"line":496,"context":327},336,{"file":248,"line":496,"context":327},{"file":248,"line":499,"context":327},355,{"file":253,"line":501,"context":327},126,{"file":503,"line":504,"context":327},"url_preview.php",42,{"file":256,"line":262,"context":327},{"file":256,"line":507,"context":327},222,{"file":509,"line":177,"context":327},"woo_products.php",{"file":511,"line":451,"context":327},"yakker-gravityforms\u002Fclass-gf-addon-ex.php",{"file":511,"line":513,"context":327},248,{"file":511,"line":515,"context":327},274,{"file":511,"line":517,"context":327},308,{"file":281,"line":519,"context":327},759,{"file":281,"line":521,"context":327},892,{"file":294,"line":523,"context":327},572,[525],{"name":526,"version":527,"knownCves":528},"jQuery","1.7.2",[],[530,552,563,576,591,601,610,619],{"entryPoint":531,"graph":532,"unsanitizedCount":14,"severity":39},"_gf_button_get_form (main.php:575)",{"nodes":533,"edges":549},[534,539,543],{"id":535,"type":536,"label":537,"file":229,"line":538},"n0","source","$_GET",588,{"id":540,"type":541,"label":542,"file":229,"line":538},"n1","transform","→ showEmbedForm()",{"id":544,"type":545,"label":546,"file":248,"line":547,"wp_function":548},"n2","sink","echo() [XSS]",30,"echo",[550,551],{"from":535,"to":540,"sanitized":48},{"from":540,"to":544,"sanitized":48},{"entryPoint":553,"graph":554,"unsanitizedCount":312,"severity":39},"\u003Cmain> (main.php:0)",{"nodes":555,"edges":560},[556,558,559],{"id":535,"type":536,"label":557,"file":229,"line":538},"$_GET 
(x2)",{"id":540,"type":541,"label":542,"file":229,"line":538},{"id":544,"type":545,"label":546,"file":248,"line":547,"wp_function":548},[561,562],{"from":535,"to":540,"sanitized":48},{"from":540,"to":544,"sanitized":48},{"entryPoint":564,"graph":565,"unsanitizedCount":14,"severity":39},"mcfgf_woo_product_picker_generator_page (woo-product-picker-generator.php:21)",{"nodes":566,"edges":573},[567,570,572],{"id":535,"type":536,"label":568,"file":256,"line":569},"$_POST",185,{"id":540,"type":541,"label":571,"file":256,"line":569},"→ mcfgf_woo_product_conversation_generated_notices()",{"id":544,"type":545,"label":546,"file":256,"line":507,"wp_function":548},[574,575],{"from":535,"to":540,"sanitized":48},{"from":540,"to":544,"sanitized":48},{"entryPoint":577,"graph":578,"unsanitizedCount":312,"severity":39},"\u003Cwoo-product-picker-generator> (woo-product-picker-generator.php:0)",{"nodes":579,"edges":587},[580,581,582,583,585],{"id":535,"type":536,"label":568,"file":256,"line":357},{"id":540,"type":545,"label":546,"file":256,"line":507,"wp_function":548},{"id":544,"type":536,"label":568,"file":256,"line":569},{"id":584,"type":541,"label":571,"file":256,"line":569},"n3",{"id":586,"type":545,"label":546,"file":256,"line":507,"wp_function":548},"n4",[588,589,590],{"from":535,"to":540,"sanitized":48},{"from":544,"to":584,"sanitized":48},{"from":584,"to":586,"sanitized":48},{"entryPoint":592,"graph":593,"unsanitizedCount":14,"severity":600},"\u003Csideform> (sideform.php:0)",{"nodes":594,"edges":598},[595,597],{"id":535,"type":536,"label":537,"file":248,"line":596},98,{"id":540,"type":545,"label":546,"file":248,"line":475,"wp_function":548},[599],{"from":535,"to":540,"sanitized":48},"low",{"entryPoint":602,"graph":603,"unsanitizedCount":14,"severity":600},"\u003Curl_preview> 
(url_preview.php:0)",{"nodes":604,"edges":608},[605,607],{"id":535,"type":536,"label":537,"file":503,"line":606},40,{"id":540,"type":545,"label":546,"file":503,"line":504,"wp_function":548},[609],{"from":535,"to":540,"sanitized":48},{"entryPoint":611,"graph":612,"unsanitizedCount":14,"severity":600},"\u003Cwoo_products> (woo_products.php:0)",{"nodes":613,"edges":617},[614,616],{"id":535,"type":536,"label":537,"file":509,"line":615},27,{"id":540,"type":545,"label":546,"file":509,"line":177,"wp_function":548},[618],{"from":535,"to":540,"sanitized":48},{"entryPoint":620,"graph":621,"unsanitizedCount":14,"severity":600},"\u003Cyakker> (yakker.php:0)",{"nodes":622,"edges":626},[623,625],{"id":535,"type":536,"label":568,"file":294,"line":624},112,{"id":540,"type":545,"label":546,"file":294,"line":523,"wp_function":548},[627],{"from":535,"to":540,"sanitized":48},{"summary":629,"deductions":630},"The \"magic-conversation-for-gravity-forms\" plugin v3.0.100 exhibits a mixed security posture. While it demonstrates good practices by using prepared statements for all SQL queries and has no currently unpatched CVEs, several areas raise concern.  The static analysis reveals a significant portion of output (49%) is not properly escaped, creating a risk of Cross-Site Scripting (XSS) vulnerabilities, which is further corroborated by its vulnerability history. The plugin also lacks nonce and capability checks on its entry points, exposing it to potential CSRF and privilege escalation attacks if any of its entry points are exploited. The `ini_set('display_errors', 1);` call recorded in yakker-form.php also warrants scrutiny: displaying PHP errors to site visitors can disclose file paths and other internal details, so it should be confirmed that this call is not reached on production requests.\n\nDespite the 1 medium CVE in its history, which was related to XSS and is now patched, the ongoing issue with unescaped output is a persistent concern. The taint analysis shows no critical or high severity flows with unsanitized paths, which is a positive sign. 
However, the presence of 8 flows with unsanitized paths, even if classified as lower severity or not leading to critical vulnerabilities in this analysis, indicates potential weaknesses that could be exploited in conjunction with other factors. The bundled jQuery 1.7.2 library, while not a direct critical risk in isolation, can be a vector for exploits if specific vulnerabilities exist within that version; the empty known-CVE list recorded for it in this scan should not be read as proof that the version is free of published issues.\n\nIn conclusion, the plugin has strengths in its SQL handling and a clean recent vulnerability record. However, the high percentage of unescaped output, the absence of nonce (CSRF) and capability (authorization) checks on its entry points, and the presence of unsanitized paths in taint flows represent notable security weaknesses that require attention. The previous XSS vulnerability further emphasizes the need for consistent output escaping.",[631,634,637,639,641,643],{"reason":632,"points":633},"Unescaped output (49%)",12,{"reason":635,"points":636},"No nonce checks",8,{"reason":638,"points":636},"No capability checks",{"reason":640,"points":636},"8 flows with unsanitized paths",{"reason":642,"points":257},"Bundled outdated library (jQuery v1.7.2)",{"reason":644,"points":49},"Dangerous function: 
ini_set","2026-04-16T11:36:38.142Z",{"wat":647,"direct":667},{"assetPaths":648,"generatorPatterns":657,"scriptPaths":658,"versionParams":659},[649,650,651,652,653,654,655,656],"\u002Fwp-content\u002Fplugins\u002Fmagic-conversation-for-gravity-forms\u002Fassets\u002Fcss-generator\u002Fcss\u002Fjquery.miniColors.css","\u002Fwp-content\u002Fplugins\u002Fmagic-conversation-for-gravity-forms\u002Fassets\u002Fcss-generator\u002Fcss\u002Fstyle.css","\u002Fwp-content\u002Fplugins\u002Fmagic-conversation-for-gravity-forms\u002Fassets\u002Fcss-generator\u002Fcss\u002Finit.css","\u002Fwp-content\u002Fplugins\u002Fmagic-conversation-for-gravity-forms\u002Fassets\u002Fcss-generator\u002Fcss\u002F..\u002F..\u002Fcss\u002Fcustom.css","\u002Fwp-content\u002Fplugins\u002Fmagic-conversation-for-gravity-forms\u002Fassets\u002Fcss-generator\u002Fjs\u002Flibs\u002Fjquery.mousewheel.min.js","\u002Fwp-content\u002Fplugins\u002Fmagic-conversation-for-gravity-forms\u002Fassets\u002Fcss-generator\u002Fjs\u002Flibs\u002Fjquery.miniColors.min.js","\u002Fwp-content\u002Fplugins\u002Fmagic-conversation-for-gravity-forms\u002Fassets\u002Fcss-generator\u002Fjs\u002Flibs\u002Fjquery.cookie.js","\u002Fwp-content\u002Fplugins\u002Fmagic-conversation-for-gravity-forms\u002Fassets\u002Fcss-generator\u002Fjs\u002Fmcfgf.js",[],[653,654,655,656],[660,661,662,663,664,665,666],"magic-conversation-for-gravity-forms\u002Fassets\u002Fcss-generator\u002Fcss\u002Fstyle.css?ver=","magic-conversation-for-gravity-forms\u002Fassets\u002Fcss-generator\u002Fcss\u002Finit.css?ver=","magic-conversation-for-gravity-forms\u002Fassets\u002Fcss-generator\u002Fcss\u002F..\u002F..\u002Fcss\u002Fcustom.css?ver=","magic-conversation-for-gravity-forms\u002Fassets\u002Fcss-generator\u002Fjs\u002Flibs\u002Fjquery.mousewheel.min.js?ver=","magic-conversation-for-gravity-forms\u002Fassets\u002Fcss-generator\u002Fjs\u002Flibs\u002Fjquery.miniColors.min.js?ver=","magic-conversation-for-gravity-forms\u002Fassets\u002Fcss-generator\u002F
js\u002Flibs\u002Fjquery.cookie.js?ver=","magic-conversation-for-gravity-forms\u002Fassets\u002Fcss-generator\u002Fjs\u002Fmcfgf.js?ver=",{"cssClasses":668,"htmlComments":676,"htmlAttributes":677,"restEndpoints":679,"jsGlobals":680,"shortcodeOutput":682},[669,670,671,672,673,674,675],"mcfgf-conversation-generator-section","mcfgf_conversation_generator_section_callback","mcfgf_conversation_generator_css_code_render","mcfgf_conversation_generator_css_options_render","mcfgf_conversation_generator_js_code_render","mcfgf_conversation_generator_avatar_robot_render","mcfgf_conversation_generator_avatar_user_render",[],[678],"data-option-value",[],[681],"MCFGFP_VER",[],{"error":684,"url":685,"statusCode":686,"statusMessage":687,"message":687},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fmagic-conversation-for-gravity-forms\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":26,"versions":689},[]]