[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fTkjRrpdXgab-630pIasqLBRGfdLDCwhjzcNoFa-JFwk":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":20,"download_link":21,"security_score":22,"vuln_count":23,"unpatched_count":23,"last_vuln_date":24,"fetched_at":25,"vulnerabilities":26,"developer":27,"crawl_stats":24,"alternatives":35,"analysis":36,"fingerprints":124},"multisite-media-display","Multisite Media Display","1.42","Rick Hellewell","https:\u002F\u002Fprofiles.wordpress.org\u002Frhellewellgmailcom\u002F","\u003Cp>Creates shortcodes to display\u002Fedit of media items on pages\u002Fposts, showing all media on all subsites in a multisite installation. See all media on all sites without using each site’s Media page. Exclude items by placing ‘noshow’ in a picture’s caption. Can also be used on single (non-multisite) sites. An easy way to automatically display all media on a post\u002Fpage. 
Shortcode parameters allow selection of last x days, items displayed, and showing of captions or upload date.\u003C\u002Fp>\n","Use shortcodes on a page\u002Fpost to display\u002Fedit all media items on all multisite subsites.",10,2568,100,1,"2020-03-24T18:55:00.000Z","5.3.21","4.6","",[4],"http:\u002F\u002Fcellarweb.com\u002Fwordpress-plugins\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmultisite-media-display.zip",85,0,null,"2026-03-15T14:54:45.397Z",[],{"slug":28,"display_name":7,"profile_url":8,"plugin_count":29,"total_installs":30,"avg_security_score":31,"avg_patch_time_days":32,"trust_score":33,"computed_at":34},"rhellewellgmailcom",16,1040,91,30,88,"2026-04-04T15:31:34.945Z",[],{"attackSurface":37,"codeSignals":86,"taintFlows":117,"riskAssessment":118,"analyzedAt":123},{"hooks":38,"ajaxHandlers":67,"restRoutes":68,"shortcodes":69,"cronEvents":84,"entryPointCount":85,"unprotectedCount":23},[39,45,49,52,55,59,63],{"type":40,"name":41,"callback":42,"file":43,"line":44},"action","admin_init","mmd_disable_plugin","mutlisite-media-display.php",42,{"type":40,"name":46,"callback":47,"file":43,"line":48},"admin_notices","mmd_show_notice",43,{"type":40,"name":50,"callback":42,"file":43,"line":51},"network_admin_init",44,{"type":40,"name":53,"callback":47,"file":43,"line":54},"network_admin_notices",45,{"type":40,"name":56,"callback":57,"file":43,"line":58},"admin_menu","mmd_add_plugin_page",64,{"type":40,"name":60,"callback":61,"file":43,"line":62},"init","mmd_shortcodes_init",194,{"type":40,"name":64,"callback":65,"file":43,"line":66},"wp_enqueue_style","mmd_site_gallery_css",217,[],[],[70,74,77,81],{"tag":71,"callback":72,"file":43,"line":73},"mmd_display","mmd_media_display",188,{"tag":75,"callback":72,"file":43,"line":76},"mmd-display",189,{"tag":78,"callback":79,"file":43,"line":80},"mmd_edit","mmd_media_edit",190,{"tag":82,"callback":79,"file":43,"line":83},"mmd-edit",191,[],4,{"dangerousFunctions":87,"sqlUsage":88,"outputEscaping":90,"fileO
perations":23,"externalRequests":23,"nonceChecks":23,"capabilityChecks":14,"bundledLibraries":116},[],{"prepared":23,"raw":23,"locations":89},[],{"escaped":23,"rawEcho":91,"locations":92},11,[93,96,98,100,102,104,106,108,110,112,114],{"file":43,"line":94,"context":95},107,"raw output",{"file":43,"line":97,"context":95},153,{"file":43,"line":99,"context":95},212,{"file":43,"line":101,"context":95},214,{"file":43,"line":103,"context":95},236,{"file":43,"line":105,"context":95},238,{"file":43,"line":107,"context":95},271,{"file":43,"line":109,"context":95},310,{"file":43,"line":111,"context":95},313,{"file":43,"line":113,"context":95},353,{"file":43,"line":115,"context":95},359,[],[],{"summary":119,"deductions":120},"The \"multisite-media-display\" v1.42 plugin exhibits a mixed security posture.  On the positive side, it demonstrates good practices by not utilizing dangerous functions, having no file operations, and using prepared statements for all SQL queries (the scan recorded no SQL queries at all, prepared or raw, so this means only that no raw SQL was found).  The absence of known CVEs and a clean vulnerability history are also positive indicators, although for a plugin with about 10 active installs that was last updated in March 2020 an empty record may reflect limited scrutiny rather than verified safety.  However, a significant concern arises from the complete lack of output escaping, with 100% of analyzed outputs (11 raw echo statements) being unescaped. This may expose the plugin to Cross-Site Scripting (XSS) vulnerabilities, allowing malicious scripts to be injected into the site if user-supplied data is rendered directly without proper sanitization; each flagged line should be reviewed and its output passed through the escaping function that matches its context (for example esc_html, esc_attr or esc_url). No taint flows were analyzed (0 flows), which suggests that either the analysis tools were not fully comprehensive or the code structure did not lend itself to complex taint flows; this is not a strength but an unknown, because it leaves open whether untrusted data actually reaches the unescaped outputs.\n\nWhile the plugin has a relatively small attack surface (4 shortcodes) and no unprotected entry points, the critical issue of unescaped output presents a tangible and common security risk.  
The scan recorded a single capability check and no nonce checks in the plugin. The lack of capability checks on shortcodes, while not directly highlighted as a risk by the static analysis (as they are considered entry points, not necessarily vulnerable ones without further analysis), could be a secondary concern if the shortcodes handle sensitive data or operations; this should be confirmed for the mmd_edit and mmd-edit shortcodes by reading their callback, mmd_media_edit.  In conclusion, the plugin's adherence to secure coding practices regarding SQL and its clean vulnerability history are commendable. Nevertheless, the pervasive lack of output escaping is a serious flaw that requires immediate attention to prevent potential XSS attacks.",[121],{"reason":122,"points":29},"0% of outputs properly escaped","2026-03-16T23:36:37.903Z",{"wat":125,"direct":136},{"assetPaths":126,"generatorPatterns":130,"scriptPaths":131,"versionParams":132},[127,128,129],"\u002Fwp-content\u002Fplugins\u002Fmultisite-media-display\u002Fjs\u002Fmmd_functions.js","\u002Fwp-content\u002Fplugins\u002Fmultisite-media-display\u002Fcss\u002Fmmd_styles.css","\u002Fwp-content\u002Fplugins\u002Fmultisite-media-display\u002Fjs\u002Fmmd_ajax.js",[],[127,129],[133,134,135],"multisite-media-display\u002Fjs\u002Fmmd_functions.js?ver=","multisite-media-display\u002Fcss\u002Fmmd_styles.css?ver=","multisite-media-display\u002Fjs\u002Fmmd_ajax.js?ver=",{"cssClasses":137,"htmlComments":142,"htmlAttributes":147,"restEndpoints":150,"jsGlobals":151,"shortcodeOutput":153},[138,139,140,141],"mmd-display-item-meta","mmd-display-wrapper","mmd-gallery-image","mmd-edit-link",[143,144,145,146,143,144,145],"\u003C!-- display the top info part of the page -->","\u003C!-- empty area for any WP status areas -->","\u003C!-- display bottom info stuff -->","\u003C!-- Information about Multisite Media Display from CellarWeb.com -->",[148,149],"data-mmd-post-id","data-mmd-attachment-id",[],[152],"var mmd_ajax_url",[154,155,156,157,156,157],"[mmd_display]","[mmd_edit]","[mmd_display days=","[mmd_edit days="]