[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f8xHfNsmNS3xh7oaHzmFpOJwL2jVlL9EdE3SO5yl9Mm0":3,"$fRH6vrwa9g1apzt19J5UM6hpC3I6jT5BvwaxYrF28v3w":233,"$fwfh60gNwQUV6Nb4PygWKmHjX7sxkFHHi0Ncr42RBYhU":238},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":15,"requires_php":15,"tags":16,"homepage":15,"download_link":17,"security_score":18,"vuln_count":13,"unpatched_count":13,"last_vuln_date":19,"fetched_at":20,"discovery_status":21,"vulnerabilities":22,"developer":23,"crawl_stats":19,"alternatives":29,"analysis":30,"fingerprints":218},"mailout","Mailout","1","samwilson","https:\u002F\u002Fprofiles.wordpress.org\u002Fsamwilson\u002F","\u003Cp>A simple mailing list manager.  You can send emails to multiple lists, quite independent of any blog posts or pages.\u003C\u002Fp>\n","A simple mailing list manager.  You can send emails to multiple lists, quite independent of any blog posts or 
pages.",10,3906,0,"2007-10-25T01:51:00.000Z","",[],"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmailout.zip",85,null,"2026-04-16T10:56:18.058Z","no_bundle",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":24,"total_installs":25,"avg_security_score":18,"avg_patch_time_days":26,"trust_score":27,"computed_at":28},5,200,30,84,"2026-05-20T07:40:58.605Z",[],{"attackSurface":31,"codeSignals":60,"taintFlows":86,"riskAssessment":206,"analyzedAt":217},{"hooks":32,"ajaxHandlers":56,"restRoutes":57,"shortcodes":58,"cronEvents":59,"entryPointCount":13,"unprotectedCount":13},[33,39,43,47,51],{"type":34,"name":35,"callback":36,"file":37,"line":38},"action","admin_menu","mailout_add_admin_pages","mailout.php",245,{"type":34,"name":40,"callback":41,"file":37,"line":42},"activate_mailout.php","mailout_install",246,{"type":34,"name":44,"callback":45,"file":37,"line":46},"publish_post","mailout_do_mailout",247,{"type":34,"name":48,"callback":49,"file":37,"line":50},"admin_head","mailout_css_styles",248,{"type":52,"name":53,"callback":54,"file":37,"line":55},"filter","the_content","mailout_subscription_page",249,[],[],[],[],{"dangerousFunctions":61,"sqlUsage":62,"outputEscaping":65,"fileOperations":13,"externalRequests":13,"nonceChecks":13,"capabilityChecks":13,"bundledLibraries":85},[],{"prepared":63,"raw":13,"locations":64},12,[],{"escaped":13,"rawEcho":66,"locations":67},8,[68,71,73,75,77,79,81,83],{"file":37,"line":69,"context":70},64,"raw output",{"file":37,"line":72,"context":70},89,{"file":37,"line":74,"context":70},100,{"file":37,"line":76,"context":70},102,{"file":37,"line":78,"context":70},105,{"file":37,"line":80,"context":70},108,{"file":37,"line":82,"context":70},121,{"file":37,"line":84,"context":70},126,[],[87,116,159,170],{"entryPoint":88,"graph":89,"unsanitizedCount":114,"severity":115},"mailout_options 
(mailout.php:36)",{"nodes":90,"edges":110},[91,96,102,106],{"id":92,"type":93,"label":94,"file":37,"line":95},"n0","source","$_POST",40,{"id":97,"type":98,"label":99,"file":37,"line":100,"wp_function":101},"n1","sink","update_option() [Settings Manipulation]",41,"update_option",{"id":103,"type":93,"label":104,"file":37,"line":105},"n2","$_SERVER['REQUEST_URI']",65,{"id":107,"type":98,"label":108,"file":37,"line":69,"wp_function":109},"n3","echo() [XSS]","echo",[111,113],{"from":92,"to":97,"sanitized":112},false,{"from":103,"to":107,"sanitized":112},2,"medium",{"entryPoint":117,"graph":118,"unsanitizedCount":157,"severity":158},"mailout_manage (mailout.php:82)",{"nodes":119,"edges":150},[120,123,126,127,128,132,134,137,139,142,144,148],{"id":92,"type":93,"label":121,"file":37,"line":122},"$_GET['delete']",88,{"id":97,"type":98,"label":124,"file":37,"line":122,"wp_function":125},"query() [SQLi]","query",{"id":103,"type":93,"label":121,"file":37,"line":72},{"id":107,"type":98,"label":108,"file":37,"line":72,"wp_function":109},{"id":129,"type":93,"label":130,"file":37,"line":131},"n4","$_POST['email_address'] (x2)",96,{"id":133,"type":98,"label":124,"file":37,"line":131,"wp_function":125},"n5",{"id":135,"type":93,"label":136,"file":37,"line":74},"n6","$_POST['email_address'] 
(x3)",{"id":138,"type":98,"label":108,"file":37,"line":74,"wp_function":109},"n7",{"id":140,"type":93,"label":104,"file":37,"line":141},"n8",110,{"id":143,"type":98,"label":108,"file":37,"line":80,"wp_function":109},"n9",{"id":145,"type":93,"label":146,"file":37,"line":147},"n10","$_SERVER['PHP_SELF']",128,{"id":149,"type":98,"label":108,"file":37,"line":84,"wp_function":109},"n11",[151,152,153,154,155,156],{"from":92,"to":97,"sanitized":112},{"from":103,"to":107,"sanitized":112},{"from":129,"to":133,"sanitized":112},{"from":135,"to":138,"sanitized":112},{"from":140,"to":143,"sanitized":112},{"from":145,"to":149,"sanitized":112},9,"high",{"entryPoint":160,"graph":161,"unsanitizedCount":169,"severity":158},"mailout_subscription_page (mailout.php:173)",{"nodes":162,"edges":167},[163,166],{"id":92,"type":93,"label":164,"file":37,"line":165},"$_POST['email_address']",198,{"id":97,"type":98,"label":124,"file":37,"line":165,"wp_function":125},[168],{"from":92,"to":97,"sanitized":112},1,{"entryPoint":171,"graph":172,"unsanitizedCount":205,"severity":158},"\u003Cmailout> (mailout.php:0)",{"nodes":173,"edges":196},[174,175,176,178,179,180,181,182,183,184,185,186,187,189,191,193],{"id":92,"type":93,"label":94,"file":37,"line":95},{"id":97,"type":98,"label":99,"file":37,"line":100,"wp_function":101},{"id":103,"type":93,"label":177,"file":37,"line":105},"$_SERVER['REQUEST_URI'] 
(x2)",{"id":107,"type":98,"label":108,"file":37,"line":69,"wp_function":109},{"id":129,"type":93,"label":121,"file":37,"line":122},{"id":133,"type":98,"label":124,"file":37,"line":122,"wp_function":125},{"id":135,"type":93,"label":121,"file":37,"line":72},{"id":138,"type":98,"label":108,"file":37,"line":72,"wp_function":109},{"id":140,"type":93,"label":136,"file":37,"line":131},{"id":143,"type":98,"label":124,"file":37,"line":131,"wp_function":125},{"id":145,"type":93,"label":136,"file":37,"line":74},{"id":149,"type":98,"label":108,"file":37,"line":74,"wp_function":109},{"id":188,"type":93,"label":146,"file":37,"line":147},"n12",{"id":190,"type":98,"label":108,"file":37,"line":84,"wp_function":109},"n13",{"id":192,"type":93,"label":94,"file":37,"line":95},"n14",{"id":194,"type":98,"label":124,"file":37,"line":195,"wp_function":125},"n15",148,[197,198,199,200,201,202,203,204],{"from":92,"to":97,"sanitized":112},{"from":103,"to":107,"sanitized":112},{"from":129,"to":133,"sanitized":112},{"from":135,"to":138,"sanitized":112},{"from":140,"to":143,"sanitized":112},{"from":145,"to":149,"sanitized":112},{"from":188,"to":190,"sanitized":112},{"from":192,"to":194,"sanitized":112},13,{"summary":207,"deductions":208},"The 'mailout' v1 plugin presents a mixed security posture.  On the positive side, it has a minimal attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events. It also exclusively uses prepared statements for its SQL queries, which is a strong security practice.  However, the lack of any output escaping for its 8 identified outputs is a significant concern, indicating a high risk of cross-site scripting (XSS) vulnerabilities.  Furthermore, the taint analysis reveals 4 flows with unsanitized paths, 3 of which are classified as high severity. This suggests that untrusted data is being processed in a way that could lead to exploits, despite the absence of obvious entry points like AJAX or REST APIs. 
The plugin's vulnerability history is clean, with no known CVEs, which is positive, but it does not mitigate the risks identified in the static and taint analysis. The prepared-statement finding should be read with caution: the taint analysis reports unsanitized flows from $_GET['delete'] and $_POST['email_address'] into query() sinks labelled SQLi, so the SQL handling needs manual verification before it is counted as a strength. The analysis also recorded no nonce checks and no capability checks, including on the flow from $_POST into update_option(), and the plugin's last recorded update is from 2007.",[209,211,213,215],{"reason":210,"points":63},"High severity unsanitized taint flows",{"reason":212,"points":66},"All outputs unescaped",{"reason":214,"points":24},"No nonce checks",{"reason":216,"points":24},"No capability checks","2026-04-16T12:28:43.786Z",{"wat":219,"direct":224},{"assetPaths":220,"generatorPatterns":221,"scriptPaths":222,"versionParams":223},[],[],[],[],{"cssClasses":225,"htmlComments":227,"htmlAttributes":229,"restEndpoints":230,"jsGlobals":231,"shortcodeOutput":232},[226],"pending",[228],"\u003C!-- styles for mailout plugin -->",[],[],[],[],{"error":234,"url":235,"statusCode":236,"statusMessage":237,"message":237},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fmailout\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":13,"versions":239},[]]