[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fcKF6VFSAlBSfa5OAU3O3dNW_epmOyaNaC1R1o19hm4I":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":11,"last_updated":13,"tested_up_to":14,"requires_at_least":15,"requires_php":16,"tags":17,"homepage":19,"download_link":20,"security_score":21,"vuln_count":11,"unpatched_count":11,"last_vuln_date":22,"fetched_at":23,"vulnerabilities":24,"developer":25,"crawl_stats":22,"alternatives":32,"analysis":33,"fingerprints":124},"mws-click-to-reveal","MWS Click-to-reveal","1.0.3","Modern Web Services","https:\u002F\u002Fprofiles.wordpress.org\u002Fmodernwebservices\u002F","\u003Cp>The plugin leverages Google’s invisible reCaptcha technology. These keys must be input via the plugin’s admin integrations page.\u003C\u002Fp>\n\u003Cp>The main admin page enables admins to manage a list of key\u002Fvalue pairs, where the key is the name of the pair, and the value is the protected value that should only be revealed once a user has proved they are human.\u003C\u002Fp>\n\u003Cp>When editing post\u002Fpage content, a TinyMCE integration enables the post author to click a button to generate a shortcode.\u003Cbr \u002F>\nThe author will be prompted to select the pair they wish to render, along with a initial value to display.\u003C\u002Fp>\n\u003Cp>When the page is rendered, the initial value is rendered into the page. Users can click the initial value to reveal the protected value.\u003C\u002Fp>\n","Prevent spam-bots from harvesting your email address or other sensitive information form your website by requiring users to click to reveal the inform …",0,1117,"2018-10-14T12:23:00.000Z","4.9.29","4.0","",[18],"spambot-recaptcha","https:\u002F\u002Fgithub.com\u002Fandrewryantech\u002Fwp-plugin-recaptcha-click-to-reveal","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmws-click-to-reveal.zip",85,null,"2026-03-15T15:16:48.613Z",[],{"slug":26,"display_name":7,"profile_url":8,"plugin_count":27,"total_installs":28,"avg_security_score":21,"avg_patch_time_days":29,"trust_score":30,"computed_at":31},"modernwebservices",2,300,30,84,"2026-04-04T06:54:21.250Z",[],{"attackSurface":34,"codeSignals":85,"taintFlows":113,"riskAssessment":114,"analyzedAt":123},{"hooks":35,"ajaxHandlers":81,"restRoutes":82,"shortcodes":83,"cronEvents":84,"entryPointCount":11,"unprotectedCount":11},[36,42,45,50,54,58,63,66,69,72,77],{"type":37,"name":38,"callback":39,"file":40,"line":41},"action","init","addTinyMceButtonsToEditor","src\\Controller.php",46,{"type":37,"name":38,"callback":43,"file":40,"line":44},"check_protected_value_lookup",49,{"type":46,"name":47,"callback":48,"file":40,"line":49},"filter","mce_buttons","register_tiny_mce_buttons",58,{"type":46,"name":51,"callback":52,"file":40,"line":53},"mce_external_plugins","register_tiny_mce_javascript",59,{"type":37,"name":55,"callback":56,"file":40,"line":57},"admin_head","list_protected_value_names",63,{"type":37,"name":59,"callback":60,"file":61,"line":62},"admin_menu","add_submenu_page","src\\Pages\\Admin\\CredentialsPage.php",31,{"type":37,"name":38,"callback":64,"file":61,"line":65},"handle_form",32,{"type":37,"name":59,"callback":67,"file":68,"line":29},"add_options_page_to_main_menu","src\\Pages\\Admin\\ProtectedValuesPage.php",{"type":37,"name":70,"callback":71,"file":68,"line":62},"admin_init","enqueue_scripts",{"type":37,"name":73,"callback":73,"priority":74,"file":75,"line":76},"wp_enqueue_scripts",1000,"src\\Pages\\PublicPages.php",33,{"type":46,"name":78,"callback":79,"file":75,"line":80},"widget_text","do_shortcode",36,[],[],[],[],{"dangerousFunctions":86,"sqlUsage":87,"outputEscaping":89,"fileOperations":11,"externalRequests":90,"nonceChecks":27,"capabilityChecks":11,"bundledLibraries":109},[],{"prepared":11,"raw":11,"locations":88},[],{"escaped":90,"rawEcho":91,"locations":92},1,7,[93,96,98,101,104,106,107],{"file":40,"line":94,"context":95},82,"raw output",{"file":68,"line":97,"context":95},112,{"file":99,"line":100,"context":95},"src\\templates\\admin\\protected_values.php",39,{"file":102,"line":103,"context":95},"src\\templates\\admin\\recaptcha_credentials_display.php",22,{"file":102,"line":105,"context":95},29,{"file":102,"line":76,"context":95},{"file":102,"line":108,"context":95},37,[110],{"name":111,"version":22,"knownCves":112},"TinyMCE",[],[],{"summary":115,"deductions":116},"The \"mws-click-to-reveal\" plugin v1.0.3 presents a generally good security posture with no known historical vulnerabilities and a seemingly limited attack surface.  The absence of CVEs and the plugin's focus on prepared statements for SQL queries are positive indicators.  However, there are notable concerns regarding output escaping, with only 13% of outputs being properly escaped. This could lead to cross-site scripting (XSS) vulnerabilities if user-supplied data is displayed without sufficient sanitization.  While taint analysis shows no critical or high-severity flows, the limited scope of this analysis (0 flows analyzed) means it's not a definitive guarantee of safety.  The presence of a bundled library (TinyMCE) also introduces a potential risk if it's outdated and unpatched, though no specific version information is provided to assess this.\n\nOverall, the plugin demonstrates good practices in areas like SQL querying and the absence of historical vulnerabilities. The primary weakness lies in the insufficient output escaping, which requires immediate attention to mitigate XSS risks. The limited taint analysis and lack of specific versioning for bundled libraries mean that further investigation may be warranted. The plugin's strengths lie in its minimal attack surface and SQL security, but the output escaping issue is a significant vulnerability that must be addressed.",[117,120],{"reason":118,"points":119},"Insufficient output escaping (13% escaped)",8,{"reason":121,"points":122},"Bundled library (TinyMCE) without version info",3,"2026-03-17T06:52:26.943Z",{"wat":125,"direct":132},{"assetPaths":126,"generatorPatterns":128,"scriptPaths":129,"versionParams":130},[127],"\u002Fwp-content\u002Fplugins\u002Fmws-click-to-reveal\u002Fsrc\u002Fjs\u002Fadmin\u002Ftinymce-plugin.js",[],[],[131],"mws-click-to-reveal\u002Fstyle.css?ver=",{"cssClasses":133,"htmlComments":134,"htmlAttributes":135,"restEndpoints":136,"jsGlobals":137,"shortcodeOutput":139},[],[],[],[],[138],"mws_ctr_protected_value_names",[]]