[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fA_z1tN_DhQJr6Fd-5t5cfrt-yBAtzP80KQ6Qv3Xk0HI":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30,"vulnerabilities":31,"developer":32,"crawl_stats":29,"alternatives":38,"analysis":135,"fingerprints":489},"media-vault","Media Vault","0.8.12","Max GJ Panas","https:\u002F\u002Fprofiles.wordpress.org\u002Fmax-gjp\u002F","\u003Ch4>Protected Attachment Files\u003C\u002Fh4>\n\u003Cp>Media Vault cordons off a section of your WordPress uploads folder and secures it, protecting all files within by passing requests for them through a \u003Cem>powerful, flexible and completely customizable\u003C\u002Fem> set of permission checks.\u003C\u002Fp>\n\u003Cp>After activating the plugin, to protect attachment files with Media Vault you can:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>use the \u003Cem>Media Uploader admin page\u003C\u002Fem> to upload new protected attachments,\u003C\u002Fli>\n\u003Cli>use the \u003Cem>Media Vault metabox\u003C\u002Fem> to toggle file protection on the ‘Edit Media’ admin page,\u003C\u002Fli>\n\u003Cli>use the \u003Cem>Media Vault Protection Settings\u003C\u002Fem> fields in the new Media Modal, or, \u003C\u002Fli>\n\u003Cli>using \u003Cem>bulk actions\u003C\u002Fem> in your Media Library page, you can change file protection on multiple pre-existing attachments at once.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>By default the only permission check that the plugin does on media files is that the user requesting them be logged in. You can change this \u003Cem>default\u003C\u002Fem> behavior from the ‘Media Settings’ page in the ‘Settings’ menu of the WordPress Admin. 
You can also change the restrictions set on attachments on an individual basis by means of either the Media Vault metabox on the ‘Edit Media’ page or the Media Vault Protection Settings fields in the new Media Modal.\u003C\u002Fp>\n\u003Cp>You can also write your own custom restrictions using the \u003Ccode>mgjp_mv_add_permission()\u003C\u002Fcode> function. See \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Ftopic\u002Frestrict-only-for-subscribers?replies=5\" rel=\"ugc\">this support question\u003C\u002Fa> for more details.\u003C\u002Fp>\n\u003Ch4>Safe Download Links\u003C\u002Fh4>\n\u003Cp>Creating a cross-browser compatible download link for a file is a harder task than might be expected. Media Vault handles this for you, and it does so while preserving all the file security features discussed earlier like blocking downloads to people who should not have access to the file.\u003C\u002Fp>\n\u003Cp>The download links are available through a simple shortcode that you can use in your post\u002Fpage editor screen:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[mv_dl_links ids=\"1,2,3\"]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>where ‘ids’ are the comma separated list of attachment ids you would like to make available for download in the list.\u003C\u002Fp>\n\u003Cp>\u003Cem>Note:\u003C\u002Fem> Plugin comes with styles ready for WordPress 3.8+!\u003C\u002Fp>\n\u003Cp>\u003Cem>Note:\u003C\u002Fem>  \u003Cstrong>Now supports WordPress MultiSite!\u003C\u002Fstrong>\u003C\u002Fp>\n","Protect attachment files from direct access using powerful and flexible restrictions. 
Offer safe download links for any file in your uploads folder.",800,17132,88,27,"2014-02-18T16:48:00.000Z","3.7.41","3.5.0","",[20,21,22,23,24],"attachments","downloads","media","protection","security","http:\u002F\u002Fwordpress.org\u002Fplugins\u002Fmedia-vault\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmedia-vault.0.8.12.zip",85,0,null,"2026-03-15T15:16:48.613Z",[],{"slug":33,"display_name":7,"profile_url":8,"plugin_count":34,"total_installs":11,"avg_security_score":27,"avg_patch_time_days":35,"trust_score":36,"computed_at":37},"max-gjp",1,30,84,"2026-04-04T00:38:43.174Z",[39,59,77,94,110],{"slug":40,"name":41,"version":42,"author":43,"author_profile":44,"description":45,"short_description":46,"active_installs":47,"downloaded":48,"rating":49,"num_ratings":50,"last_updated":51,"tested_up_to":52,"requires_at_least":53,"requires_php":18,"tags":54,"homepage":57,"download_link":58,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"documents-tab-for-woocommerce","Documents Tab for WooCommerce","1.0","dimitrov.adrian","https:\u002F\u002Fprofiles.wordpress.org\u002Fdimitrovadrian\u002F","\u003Cp>Allow attach various documents and media files to a product as separate tab.\u003C\u002Fp>\n","Allow attach various documents and media files to a product as separate 
tab.",100,2265,86,3,"2015-08-21T06:35:00.000Z","4.3.34","3.7",[20,55,21,22,56],"documents","woocommerce","http:\u002F\u002Fwordpress.org\u002Fplugins\u002Fdocuments-tab-woocommerce\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdocuments-tab-for-woocommerce.zip",{"slug":60,"name":61,"version":62,"author":63,"author_profile":64,"description":65,"short_description":66,"active_installs":67,"downloaded":68,"rating":28,"num_ratings":28,"last_updated":69,"tested_up_to":70,"requires_at_least":71,"requires_php":72,"tags":73,"homepage":75,"download_link":76,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"rbam-media","Role Based Access Manager: Media Protector","1.1.3","muis IT","https:\u002F\u002Fprofiles.wordpress.org\u002Fmuisit\u002F","\u003Cp>Role Base Access Manager: Media Protector\u003C\u002Fp>\n\u003Cp>WordPress plugin to assign access roles to individual files.\u003C\u002Fp>\n\u003Cp>This simple plugin allows administrators (anyone with access to the edit-post form for attachments\u002Fmedia) to set access based on roles.\u003Cbr \u002F>\nThe plugin provides a ‘Security’ meta-box on the right hand side where you can type in role names and select them (much like you add tags\u003Cbr \u002F>\nto regular posts). Whenever a visitor wants to download or view a file or image from the uploads directory, his\u002Fher current roles are checked\u003Cbr \u002F>\nagainst the configured roles.\u003C\u002Fp>\n\u003Cp>This plugin tries to look for originals of resized and rescaled images by making a rough search in the meta data table. This allows you to\u003Cbr \u002F>\nmark the original image of a blog entry for specific access and have all thumbnails and other derived images be protected as well. Please note\u003Cbr \u002F>\nthat this plugin does not clean up after you. 
If for some reason left-over thumbnails remain in the upload directory, the plugin cannot find\u003Cbr \u002F>\nthem in the database and will allow access.\u003C\u002Fp>\n\u003Ch3>Roles\u003C\u002Fh3>\n\u003Cp>This plugin works based on role access management. That means it will try to match the specified roles on the media with the available roles of a user. However, the capabilities system of \u003Ccode>WordPress\u003C\u002Fcode> is cumulative: an \u003Ccode>Administrator\u003C\u002Fcode> has more privileges than an \u003Ccode>Editor\u003C\u002Fcode>, but at least the\u003Cbr \u002F>\nsame. Usually, people only have one Role in this system. As this plugin does not check on capabilities, but on roles, you will need to specify\u003Cbr \u002F>\n\u003Cem>all\u003C\u002Fem> the roles that should have access to this file (including the ‘administrator’ role).\u003C\u002Fp>\n\u003Cp>Alternatively, you can add secondary roles to a User, allowing \u003Ccode>Administrator\u003C\u002Fcode> to also be a \u003Ccode>Subscriber\u003C\u002Fcode>. In this way, you only need to add the\u003Cbr \u002F>\n    Subscriber role to media files to allow it to be downloaded by all registered members. However, adding secondary roles is a manual task. If you have many users and few files, it can be easier to specify all roles with the media. If you have many files and few users, you had better use secondary role assignments. If you have many files and many users, you should look into a way to automatically assign roles to people using some sort of on-boarding method. If you need a plugin for that, send me a message.\u003C\u002Fp>\n\u003Ch3>Redirections\u003C\u002Fh3>\n\u003Cp>The plugin works by inserting a redirection script in your \u003Ccode>.htaccess\u003C\u002Fcode> file on activation. This does not work properly for \u003Ccode>NGinX\u003C\u002Fcode>, in which\u003Cbr \u002F>\ncase you have to insert a redirection manually. 
Freely copied from the \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Faam-protected-media-files\u002F\" rel=\"nofollow ugc\">AAM Protected Media Files\u003C\u002Fa> description:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>location ~* ^\u002Fwp-content\u002Fuploads\u002F {\n   rewrite (?i)^(\u002Fwp-content\u002Fuploads\u002F.*)$ \u002Findex.php?rbam-media=1 last;\n   return 307;\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>The plugin will try to read the accessed file from the original request and apply role based access management on it.\u003C\u002Fp>\n","Role Based Access Management for Media files (attachments).",10,1231,"2021-06-17T13:34:00.000Z","5.7.15","5.4","7.2",[20,22,74,24],"roles","https:\u002F\u002Fgithub.com\u002Fmuisit\u002Frbam-media","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frbam-media.zip",{"slug":78,"name":79,"version":80,"author":81,"author_profile":82,"description":83,"short_description":84,"active_installs":67,"downloaded":85,"rating":28,"num_ratings":28,"last_updated":18,"tested_up_to":86,"requires_at_least":87,"requires_php":88,"tags":89,"homepage":91,"download_link":92,"security_score":47,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":93},"wp-attachment-download","WP Attachment Download","1.0.1","Tomas Rybnicky","https:\u002F\u002Fprofiles.wordpress.org\u002Frybnitom\u002F","\u003Cp>If you are adding functionality to your posts using popular Advanced Custom Fields plugin. This plugin is focused on fields of type \\”file\\”. 
Handful when publishing some posts with attachments whole year and once a year you need to download all attachments to send them to third parties.\u003C\u002Fp>\n\u003Cp>You are prompted to select post type, publish date range and ACF field group you want to extract attachments from.\u003Cbr \u002F>\nThen if there is something to download you can hit the button and archive file with attachments is prepared to download.\u003C\u002Fp>\n\u003Ch4>Instructions\u003C\u002Fh4>\n\u003Cp>After installing and activating plugin, you will find new section in Tools called Attachments.\u003Cbr \u002F>\nYou can use it for downloading all attachments specified by ACF file fields you want.\u003C\u002Fp>\n\u003Ch4>Prerequisites\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>installed and activated \u003Ca href=\"https:\u002F\u002Fcs.wordpress.org\u002Fplugins\u002Fadvanced-custom-fields\u002F\" rel=\"nofollow ugc\">Advanced Custom Field plugin\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>All you need to do to get your attachments is:\u003C\u002Fp>\n\u003Col>\n\u003Cli>Select required post type\u003C\u002Fli>\n\u003Cli>Select published date range by specifying from and to days\u003C\u002Fli>\n\u003Cli>If there are more ACF field groups that contain file field you can select only one of them\u003C\u002Fli>\n\u003Cli>Check preview information\u003C\u002Fli>\n\u003Cli>Hit Download button if there is something to download\u003C\u002Fli>\n\u003Cli>Archive ZIP file will be downloaded automatically or you can use link in review under Download button\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>GitHub repository\u003C\u002Fh4>\n\u003Cp>You can find this plugin on [GitHub](https:\u002F\u002Fgithub.com\u002Fwetory\u002Fwp-attachment-download \\”Your favorite public repository\\”),\u003Cbr \u002F>\nwhere you can report issues, review code and commits. 
Please report all possible problems to make it better.\u003C\u002Fp>\n","Plugin adds functionality to download posts attachments built with ACF file fields from administration.",1156,"5.4.19","3.0.1","5.6",[20,21,22,90],"zip","https:\u002F\u002Fwww.wetory.eu\u002Fwordpress\u002Fplugins\u002Fwp-attachments-download\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-attachment-download.1.0.1.zip","2026-03-15T10:48:56.248Z",{"slug":95,"name":96,"version":97,"author":98,"author_profile":99,"description":100,"short_description":101,"active_installs":28,"downloaded":102,"rating":28,"num_ratings":28,"last_updated":103,"tested_up_to":104,"requires_at_least":105,"requires_php":18,"tags":106,"homepage":18,"download_link":109,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"jvm-protected-media","JVM Protected Media","1.0.6","Joris van Montfort","https:\u002F\u002Fprofiles.wordpress.org\u002Fjorisvanmontfort\u002F","\u003Cp>Protect access to all your media files and implement your own custom file access rules using a hook. Works for apache with mod rewrite or nginx with some custom configuration. No Multisite support. This plugin is more or less a development tool for defining your own custom file access rules.\u003C\u002Fp>\n\u003Cp>For nginx you will need to modify the config file as nginx does not handle .htaccess files. Add the following code:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>location ~ \"^\u002Fwp-content\u002Fuploads\u002F(.*)$\" {\n    rewrite ^\u002Fwp-content\u002Fuploads(\u002F.*\\.\\w+)$ \u002Findex.php?jvm_protected_media_file=$1;\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Hooks\u003C\u002Fh3>\n\u003Cp>Without a custom hook all file access will be disabled. The user will see the 404 page for all requested files. Adding a hook is needed to handle your own file access rules. 
A simple example that could go into your functions.php:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>function my_file_access_rule($file_info) {\n    \u002F\u002F Implement your own logic here\n    $userHasAccess = true;\n\n    if($userHasAccess) {\n        \u002F\u002F Send the file output if the user has access to the file\n        JVM_Protected_Media::send_file_output($file_info['path']);\n    }\n}\n\nadd_action( 'jvm_protected_media_file', 'my_file_access_rule');\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>The jvm_protected_media_file action has one parameter with the following file information:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>Array\n(\n    [id] => id_of_the_file\n    [url] => full\u002Furl\u002Fto\u002Fyour\u002Ffile\n    [path] => full\u002Fpath\u002Fto\u002Fyour\u002Ffile\n    [is_resized_image] => bool (true if the requested file is an image thumbnail or resized version of an image)\n)\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Actions\u003C\u002Fh3>\n\u003Cp>Available actions:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>jvm_protected_media_loaded (fires as soon as the plugin is loaded)\u003C\u002Fli>\n\u003Cli>jvm_protected_media_file (fires when a file is requested)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Functions\u003C\u002Fh3>\n\u003Cp>To send the output of a file you can call:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>JVM_Protected_Media::send_file_output($fullPathToFile)\n\u003C\u002Fcode>\u003C\u002Fpre>\n","Restrict access to all your media files and implement your own custom file access 
rules.",1543,"2022-09-28T09:22:00.000Z","6.0.11","4.4.1",[20,107,22,108,23],"files","protect","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjvm-protected-media.zip",{"slug":111,"name":112,"version":113,"author":114,"author_profile":115,"description":116,"short_description":117,"active_installs":118,"downloaded":119,"rating":120,"num_ratings":121,"last_updated":122,"tested_up_to":123,"requires_at_least":124,"requires_php":125,"tags":126,"homepage":130,"download_link":131,"security_score":132,"vuln_count":133,"unpatched_count":28,"last_vuln_date":134,"fetched_at":30},"safe-svg","Safe SVG","2.4.0","10up","https:\u002F\u002Fprofiles.wordpress.org\u002F10up\u002F","\u003Cp>Safe SVG is the best way to Allow SVG Uploads in WordPress!\u003C\u002Fp>\n\u003Cp>It gives you the ability to allow SVG uploads whilst making sure that they’re sanitized to stop SVG\u002FXML vulnerabilities affecting your site.  It also gives you the ability to preview your uploaded SVGs in the media library in all views.\u003C\u002Fp>\n\u003Ch4>Current Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Sanitised SVGs\u003C\u002Fstrong> – Don’t open up security holes in your WordPress site by allowing uploads of unsanitised files.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>SVGO Optimisation\u003C\u002Fstrong> – Runs your SVGs through the SVGO tool on upload to save you space. 
This feature is disabled by default but can be enabled by adding the following code: \u003Ccode>add_filter( 'safe_svg_optimizer_enabled', '__return_true' );\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>View SVGs in the Media Library\u003C\u002Fstrong> – Gone are the days of guessing which SVG is the correct one, we’ll enable SVG previews in the WordPress media library.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Choose Who Can Upload\u003C\u002Fstrong> – Restrict SVG uploads to certain users on your WordPress site or allow anyone to upload.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Initially a proof of concept for \u003Ca href=\"https:\u002F\u002Fcore.trac.wordpress.org\u002Fticket\u002F24251\" rel=\"nofollow ugc\">#24251\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>SVG Sanitization is done through the following library: \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fdarylldoyle\u002Fsvg-sanitizer\" rel=\"nofollow ugc\">https:\u002F\u002Fgithub.com\u002Fdarylldoyle\u002Fsvg-sanitizer\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>SVG Optimization is done through the following library: \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fsvg\u002Fsvgo\" rel=\"nofollow ugc\">https:\u002F\u002Fgithub.com\u002Fsvg\u002Fsvgo\u003C\u002Fa>.\u003C\u002Fp>\n","Enable SVG uploads and sanitize them to stop XML\u002FSVG vulnerabilities in your WordPress website.",1000000,12729263,98,77,"2026-01-04T21:05:00.000Z","6.9.4","6.6","7.4",[22,127,24,128,129],"mime","svg","vector","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fsafe-svg\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsafe-svg.2.4.0.zip",94,6,"2024-10-17 
00:00:00",{"attackSurface":136,"codeSignals":310,"taintFlows":386,"riskAssessment":478,"analyzedAt":488},{"hooks":137,"ajaxHandlers":294,"restRoutes":303,"shortcodes":304,"cronEvents":309,"entryPointCount":50,"unprotectedCount":34},[138,144,149,151,155,160,164,167,170,172,175,176,178,179,184,186,188,190,195,199,203,207,211,214,218,222,225,229,233,238,241,245,248,250,254,258,262,265,268,272,275,278,282,286,290,292],{"type":139,"name":140,"callback":141,"priority":67,"file":142,"line":143},"filter","attachment_fields_to_edit","mgjp_mv_add_attachment_edit_fields","mv-ajax-actions.php",157,{"type":145,"name":146,"callback":147,"file":142,"line":148},"action","edit_attachment","mgjp_mv_save_attachment_metabox_data",184,{"type":145,"name":146,"callback":147,"file":142,"line":150},198,{"type":139,"name":152,"callback":153,"priority":67,"file":142,"line":154},"attachment_fields_to_save","mgjp_mv_save_attachment_edit_fields",218,{"type":145,"name":156,"callback":157,"priority":28,"file":158,"line":159},"init","mgjp_mv_check_rewrite_rules_answer","mv-extra-activation-steps.php",28,{"type":145,"name":161,"callback":162,"file":158,"line":163},"admin_notices","mgjp_mv_extra_activation_steps_notice",58,{"type":145,"name":165,"callback":162,"file":158,"line":166},"network_admin_notices",59,{"type":145,"name":168,"callback":169,"file":158,"line":36},"admin_menu","mgjp_mv_extra_activation_steps_page",{"type":145,"name":171,"callback":169,"file":158,"line":27},"network_admin_menu",{"type":145,"name":161,"callback":173,"file":174,"line":163},"mgjp_mv_extra_deactivation_steps_notice","mv-extra-deactivation-steps.php",{"type":145,"name":165,"callback":173,"file":174,"line":166},{"type":145,"name":168,"callback":177,"file":174,"line":36},"mgjp_mv_extra_deactivation_steps_page",{"type":145,"name":171,"callback":177,"file":174,"line":27},{"type":145,"name":180,"callback":181,"file":182,"line":183},"admin_enqueue_scripts","mgjp_mv_attachment_protection_metabox_styles_and_scripts","mv-metabo
xes.php",39,{"type":145,"name":146,"callback":147,"file":182,"line":185},142,{"type":145,"name":146,"callback":147,"file":182,"line":187},156,{"type":145,"name":146,"callback":147,"file":182,"line":189},176,{"type":139,"name":191,"callback":192,"priority":67,"file":193,"line":194},"media_row_actions","mgjp_mv_modify_media_library_row_actions","mv-options-media-library.php",36,{"type":139,"name":196,"callback":197,"file":193,"line":198},"manage_upload_columns","mgjp_mv_register_media_library_custom_column",54,{"type":145,"name":200,"callback":201,"priority":67,"file":193,"line":202},"manage_media_custom_column","mgjp_mv_render_media_library_custom_column",96,{"type":145,"name":204,"callback":205,"file":193,"line":206},"admin_head-upload.php","mgjp_mv_media_library_custom_column_styles",115,{"type":145,"name":208,"callback":209,"file":193,"line":210},"admin_footer-upload.php","mgjp_mv_add_media_library_bulk_actions_js",154,{"type":145,"name":161,"callback":212,"file":193,"line":213},"mgjp_mv_add_media_library_admin_notices",194,{"type":145,"name":180,"callback":215,"file":216,"line":217},"mgjp_mv_media_new_options_css","mv-options-media-new.php",25,{"type":145,"name":219,"callback":220,"file":216,"line":221},"admin_footer-media-new.php","mgjp_mv_media_new_options_js",68,{"type":145,"name":223,"callback":224,"file":216,"line":206},"post-upload-ui","mgjp_mv_render_media_new_options",{"type":145,"name":226,"callback":227,"file":216,"line":228},"pre-plupload-upload-ui","mgjp_mv_render_media_new_options_message_box",137,{"type":145,"name":180,"callback":230,"file":231,"line":232},"mgjp_mv_options_media_enqueue_scripts","mv-options-media-vault.php",307,{"type":145,"name":234,"callback":235,"file":236,"line":237},"plugins_loaded","mgjp_mv_textdomain","_mediavault.php",79,{"type":145,"name":156,"callback":239,"file":236,"line":240},"mgjp_mv_check_version",81,{"type":145,"name":242,"callback":243,"file":236,"line":244},"load-plugins.php","mgjp_mv_on_deactivation_request",83,{"
type":145,"name":156,"callback":246,"priority":28,"file":236,"line":247},"mgjp_mv_handle_file_request",87,{"type":145,"name":156,"callback":249,"file":236,"line":13},"mgjp_mv_register_shortcodes",{"type":145,"name":251,"callback":252,"file":236,"line":253},"wp_enqueue_media","mgjp_mv_attachment_edit_fields_styles_and_scripts",90,{"type":139,"name":255,"callback":256,"file":236,"line":257},"mod_rewrite_rules","mgjp_mv_add_plugin_rewrite_rules",92,{"type":139,"name":259,"callback":260,"priority":261,"file":236,"line":132},"upload_dir","mgjp_mv_change_upload_directory",999,{"type":139,"name":263,"callback":264,"priority":261,"file":236,"line":202},"user_has_cap","mgjp_mv_edit_capabilities",{"type":139,"name":266,"callback":267,"priority":261,"file":236,"line":120},"image_downsize","mgjp_mv_replace_protected_image",{"type":145,"name":269,"callback":270,"priority":28,"file":236,"line":271},"admin_init","mgjp_mv_ajax_actions_include",102,{"type":145,"name":269,"callback":273,"file":236,"line":274},"mgjp_mv_media_vault_options_include",103,{"type":145,"name":269,"callback":276,"file":236,"line":277},"mgjp_mv_attachment_metabox_include",104,{"type":145,"name":279,"callback":280,"file":236,"line":281},"load-media-new.php","mgjp_mv_media_new_options_include",106,{"type":145,"name":283,"callback":284,"file":236,"line":285},"load-upload.php","mgjp_mv_media_library_options_include",107,{"type":139,"name":287,"callback":288,"file":236,"line":289},"admin_body_class","mgjp_add_mp6_admin_body_class",109,{"type":139,"name":255,"callback":256,"file":236,"line":291},190,{"type":139,"name":266,"callback":267,"priority":261,"file":236,"line":293},537,[295,299],{"action":296,"nopriv":297,"callback":296,"hasNonce":297,"hasCapCheck":297,"file":142,"line":298},"mgjp_mv_get_attachment_image",false,42,{"action":300,"nopriv":297,"callback":300,"hasNonce":301,"hasCapCheck":301,"file":142,"line":302},"mgjp_mv_restore_default_placeholder_image",true,72,[],[305],{"tag":306,"callback":307,"file":236
,"line":308},"mv_dl_links","mgjp_mv_download_links_list_shortcode_handler",401,[],{"dangerousFunctions":311,"sqlUsage":320,"outputEscaping":331,"fileOperations":382,"externalRequests":34,"nonceChecks":383,"capabilityChecks":384,"bundledLibraries":385},[312,317],{"fn":313,"file":314,"line":315,"context":316},"unserialize","mv-class-update.php",149,"$meta = unserialize( $columns['meta_value'] );",{"fn":313,"file":318,"line":257,"context":319},"mv-file-handler.php","$meta_value = unserialize( $attachment['meta_value'] );",{"prepared":321,"raw":50,"locations":322},9,[323,327,329],{"file":324,"line":325,"context":326},"uninstall.php",71,"$wpdb->get_col() with variable interpolation",{"file":236,"line":328,"context":326},206,{"file":236,"line":330,"context":326},245,{"escaped":166,"rawEcho":332,"locations":333},26,[334,337,339,341,342,344,346,347,349,351,353,355,357,358,360,362,364,365,367,369,372,373,375,377,378,380],{"file":142,"line":335,"context":336},116,"raw output",{"file":142,"line":338,"context":336},118,{"file":142,"line":340,"context":336},119,{"file":142,"line":340,"context":336},{"file":142,"line":343,"context":336},127,{"file":142,"line":345,"context":336},129,{"file":142,"line":345,"context":336},{"file":142,"line":348,"context":336},143,{"file":158,"line":350,"context":336},130,{"file":158,"line":352,"context":336},217,{"file":158,"line":354,"context":336},230,{"file":174,"line":356,"context":336},150,{"file":193,"line":253,"context":336},{"file":193,"line":359,"context":336},140,{"file":216,"line":361,"context":336},131,{"file":216,"line":363,"context":336},132,{"file":231,"line":356,"context":336},{"file":231,"line":366,"context":336},152,{"file":231,"line":368,"context":336},266,{"file":370,"line":371,"context":336},"mv-shortcodes.php",65,{"file":370,"line":371,"context":336},{"file":370,"line":374,"context":336},66,{"file":370,"line":376,"context":336},75,{"file":370,"line":376,"context":336},{"file":370,"line":379,"context":336},76,{"file":236,"line":
381,"context":336},1239,4,7,13,[],[387,404,412,426,436,454,469],{"entryPoint":388,"graph":389,"unsanitizedCount":34,"severity":403},"__construct (mv-class-update.php:62)",{"nodes":390,"edges":401},[391,396],{"id":392,"type":393,"label":394,"file":314,"line":395},"n0","source","$_SERVER",93,{"id":397,"type":398,"label":399,"file":314,"line":120,"wp_function":400},"n1","sink","wp_redirect() [Open Redirect]","wp_redirect",[402],{"from":392,"to":397,"sanitized":297},"medium",{"entryPoint":405,"graph":406,"unsanitizedCount":34,"severity":403},"\u003Cmv-class-update> (mv-class-update.php:0)",{"nodes":407,"edges":410},[408,409],{"id":392,"type":393,"label":394,"file":314,"line":395},{"id":397,"type":398,"label":399,"file":314,"line":120,"wp_function":400},[411],{"from":392,"to":397,"sanitized":297},{"entryPoint":413,"graph":414,"unsanitizedCount":425,"severity":403},"mgjp_mv_add_media_library_admin_notices (mv-options-media-library.php:161)",{"nodes":415,"edges":423},[416,419],{"id":392,"type":393,"label":417,"file":193,"line":418},"$_REQUEST (x2)",173,{"id":397,"type":398,"label":420,"file":193,"line":421,"wp_function":422},"echo() [XSS]",175,"echo",[424],{"from":392,"to":397,"sanitized":297},2,{"entryPoint":427,"graph":428,"unsanitizedCount":34,"severity":403},"mgjp_mv_on_deactivation_request (_mediavault.php:310)",{"nodes":429,"edges":434},[430,432],{"id":392,"type":393,"label":394,"file":236,"line":431},335,{"id":397,"type":398,"label":399,"file":236,"line":433,"wp_function":400},336,[435],{"from":392,"to":397,"sanitized":297},{"entryPoint":437,"graph":438,"unsanitizedCount":34,"severity":403},"mgjp_mv_handle_file_request (_mediavault.php:364)",{"nodes":439,"edges":451},[440,443,446],{"id":392,"type":393,"label":441,"file":236,"line":442},"$_GET['mgjp_mv_file']",381,{"id":397,"type":444,"label":445,"file":236,"line":442},"transform","→ mgjp_mv_get_file()",{"id":447,"type":398,"label":448,"file":318,"line":449,"wp_function":450},"n2","header() [Header 
Injection]",191,"header",[452,453],{"from":392,"to":397,"sanitized":297},{"from":397,"to":447,"sanitized":297},{"entryPoint":455,"graph":456,"unsanitizedCount":34,"severity":403},"\u003C_mediavault> (_mediavault.php:0)",{"nodes":457,"edges":465},[458,459,460,461,463],{"id":392,"type":393,"label":394,"file":236,"line":431},{"id":397,"type":398,"label":399,"file":236,"line":433,"wp_function":400},{"id":447,"type":393,"label":441,"file":236,"line":442},{"id":462,"type":444,"label":445,"file":236,"line":442},"n3",{"id":464,"type":398,"label":448,"file":318,"line":449,"wp_function":450},"n4",[466,467,468],{"from":392,"to":397,"sanitized":301},{"from":447,"to":462,"sanitized":297},{"from":462,"to":464,"sanitized":297},{"entryPoint":470,"graph":471,"unsanitizedCount":28,"severity":477},"\u003Cmv-options-media-library> (mv-options-media-library.php:0)",{"nodes":472,"edges":475},[473,474],{"id":392,"type":393,"label":417,"file":193,"line":418},{"id":397,"type":398,"label":420,"file":193,"line":421,"wp_function":422},[476],{"from":392,"to":397,"sanitized":301},"low",{"summary":479,"deductions":480},"The \"media-vault\" plugin v0.8.12 exhibits a mixed security posture. On the positive side, it has a clean vulnerability history with no known CVEs, and a significant majority of its SQL queries utilize prepared statements, indicating good database interaction practices. The plugin also implements a reasonable number of nonce and capability checks, along with proper output escaping in most cases.\n\nHowever, several concerns warrant attention. The presence of two AJAX handlers, with one lacking authentication checks, creates a direct attack vector. The use of the `unserialize` function is a significant risk, as it can lead to Remote Code Execution if untrusted data is passed to it. 
Furthermore, the taint analysis reveals that a high proportion of analyzed flows have unsanitized paths, suggesting potential vulnerabilities in how data is handled, even if no critical or high-severity issues were identified in this specific scan.\n\nOverall, while the lack of historical vulnerabilities is encouraging, the identified code-level risks, particularly the unprotected AJAX handler and the use of `unserialize`, necessitate careful consideration. The plugin has several strengths in its handling of database queries and output escaping, but the identified entry points and potentially unsafe function usage introduce notable risks that should be addressed to improve its security.",[481,484,486],{"reason":482,"points":483},"Unprotected AJAX handler",8,{"reason":485,"points":67},"Use of unserialize function",{"reason":487,"points":383},"Flows with unsanitized paths","2026-03-16T19:17:48.134Z",{"wat":490,"direct":501},{"assetPaths":491,"generatorPatterns":495,"scriptPaths":496,"versionParams":497},[492,493,494],"\u002Fwp-content\u002Fplugins\u002Fmedia-vault\u002Fmv-admin\u002Fcss\u002Fmv-admin.css","\u002Fwp-content\u002Fplugins\u002Fmedia-vault\u002Fmv-admin\u002Fjs\u002Fmv-admin.js","\u002Fwp-content\u002Fplugins\u002Fmedia-vault\u002Fmv-public\u002Fcss\u002Fmv-public.css",[],[493],[498,499,500],"media-vault\u002Fmv-admin\u002Fcss\u002Fmv-admin.css?ver=","media-vault\u002Fmv-admin\u002Fjs\u002Fmv-admin.js?ver=","media-vault\u002Fmv-public\u002Fcss\u002Fmv-public.css?ver=",{"cssClasses":502,"htmlComments":504,"htmlAttributes":505,"restEndpoints":507,"jsGlobals":508,"shortcodeOutput":510},[503],"mv-options-wrap",[],[506],"data-mv-item-id",[],[509],"mediaVaultAdmin",[]]