[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fkg_p63pHyT-06-8iqQesPd4oNvPQsuRBZbv8MJkU9II":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":21,"download_link":22,"security_score":23,"vuln_count":24,"unpatched_count":24,"last_vuln_date":25,"fetched_at":26,"vulnerabilities":27,"developer":28,"crawl_stats":25,"alternatives":33,"analysis":34,"fingerprints":238},"mygooglepluswidget","My Google Plus Widget","1.3","Arjen Ketelaar","https:\u002F\u002Fprofiles.wordpress.org\u002Farjenketelaar\u002F","\u003Cp>The \u003Cstrong>Google Plus Widget\u003C\u002Fstrong> is based on the official Google Plus API published by Google.\u003C\u002Fp>\n\u003Cp>All you Google Plus updates will be presented in a widget. You can also show (public) updates from other Google Plus users.\u003C\u002Fp>\n\u003Ch3>Arbitrary section\u003C\u002Fh3>\n\u003Cp>No text yet\u003C\u002Fp>\n\u003Ch3>A brief Markdown Example\u003C\u002Fh3>\n\u003Cp>Ordered list:\u003C\u002Fp>\n\u003Col>\n\u003Cli>Some feature\u003C\u002Fli>\n\u003Cli>Another feature\u003C\u002Fli>\n\u003Cli>Something else about the plugin\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>Unordered list:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>something\u003C\u002Fli>\n\u003Cli>something else\u003C\u002Fli>\n\u003Cli>third thing\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Here’s a link to \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002F\" title=\"Your favorite software\" rel=\"ugc\">WordPress\u003C\u002Fa> and one to \u003Ca href=\"http:\u002F\u002Fdaringfireball.net\u002Fprojects\u002Fmarkdown\u002Fsyntax\" title=\"Markdown is what the parser uses to process much of the readme file\" rel=\"nofollow ugc\">Markdown’s Syntax Documentation\u003C\u002Fa>.\u003Cbr \u002F>\nTitles are optional, naturally.\u003C\u002Fp>\n\u003Cp>Markdown uses email style notation for blockquotes and I’ve been told:\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>Asterisks for \u003Cem>emphasis\u003C\u002Fem>. Double it up  for \u003Cstrong>strong\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cpre>\u003Ccode>\u003C?php code(); \u002F\u002F goes in backticks ?>\n\u003C\u002Fcode>\u003C\u002Fpre>\n","The Google Plus Widget is based on the official Google Plus API published by Google.",10,4008,40,1,"2011-09-21T17:45:00.000Z","3.2.1","2.0.2","",[20],"google-plus-widget-api","http:\u002F\u002Fwww.ketelaar.info\u002Fgooglepluswidget\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmygooglepluswidget.1.3.1.zip",85,0,null,"2026-03-15T14:54:45.397Z",[],{"slug":29,"display_name":7,"profile_url":8,"plugin_count":14,"total_installs":11,"avg_security_score":23,"avg_patch_time_days":30,"trust_score":31,"computed_at":32},"arjenketelaar",30,84,"2026-04-05T02:00:32.844Z",[],{"attackSurface":35,"codeSignals":58,"taintFlows":161,"riskAssessment":221,"analyzedAt":237},{"hooks":36,"ajaxHandlers":54,"restRoutes":55,"shortcodes":56,"cronEvents":57,"entryPointCount":24,"unprotectedCount":24},[37,43,46,50],{"type":38,"name":39,"callback":40,"file":41,"line":42},"action","admin_menu","gpw_plugin_add_page","googlepluswidget.php",28,{"type":38,"name":39,"callback":44,"file":41,"line":45},"gpw_create_menu",29,{"type":38,"name":47,"callback":48,"file":41,"line":49},"widgets_init","gpw_widget_register",90,{"type":38,"name":51,"callback":52,"file":41,"line":53},"admin_init","gpw_plugin_admin_init",173,[],[],[],[],{"dangerousFunctions":59,"sqlUsage":69,"outputEscaping":71,"fileOperations":159,"externalRequests":14,"nonceChecks":24,"capabilityChecks":24,"bundledLibraries":160},[60,65],{"fn":61,"file":62,"line":63,"context":64},"unserialize","google-api-php-client\\src\\cache\\apiApcCache.php",79,"return unserialize($ret['data']);",{"fn":61,"file":66,"line":67,"context":68},"google-api-php-client\\src\\cache\\apiFileCache.php",98,"$data = unserialize($data);",{"prepared":24,"raw":24,"locations":70},[],{"escaped":72,"rawEcho":73,"locations":74},2,39,[75,79,82,84,85,87,90,93,95,98,100,102,104,105,107,110,111,114,117,120,121,123,125,127,129,131,133,136,137,139,141,143,145,147,149,151,153,155,157],{"file":76,"line":77,"context":78},"google-api-php-client\\examples\\batch.php",22,"raw output",{"file":80,"line":81,"context":78},"google-api-php-client\\examples\\books\\index.php",38,{"file":80,"line":83,"context":78},69,{"file":80,"line":63,"context":78},{"file":86,"line":45,"context":78},"google-api-php-client\\examples\\books\\simple.php",{"file":88,"line":89,"context":78},"google-api-php-client\\examples\\buzz\\createPost.php",27,{"file":91,"line":92,"context":78},"google-api-php-client\\examples\\buzz\\fetchActivities.php",21,{"file":94,"line":92,"context":78},"google-api-php-client\\examples\\buzz\\fetchPeople.php",{"file":96,"line":97,"context":78},"google-api-php-client\\examples\\buzz\\includes\\displayBuzzPost.php",18,{"file":96,"line":99,"context":78},66,{"file":96,"line":101,"context":78},74,{"file":96,"line":103,"context":78},77,{"file":96,"line":23,"context":78},{"file":96,"line":106,"context":78},91,{"file":108,"line":109,"context":78},"google-api-php-client\\examples\\buzz\\includes\\header.php",26,{"file":108,"line":45,"context":78},{"file":112,"line":113,"context":78},"google-api-php-client\\examples\\latitude\\index.php",75,{"file":115,"line":116,"context":78},"google-api-php-client\\examples\\oauth2\\index.php",63,{"file":118,"line":119,"context":78},"google-api-php-client\\examples\\pagespeed\\index.php",45,{"file":118,"line":119,"context":78},{"file":118,"line":122,"context":78},46,{"file":118,"line":124,"context":78},47,{"file":118,"line":126,"context":78},48,{"file":118,"line":128,"context":78},49,{"file":118,"line":130,"context":78},50,{"file":118,"line":132,"context":78},51,{"file":134,"line":135,"context":78},"google-api-php-client\\examples\\tasks\\index.php",59,{"file":134,"line":99,"context":78},{"file":138,"line":116,"context":78},"google-api-php-client\\examples\\urlshortener\\index.php",{"file":41,"line":140,"context":78},111,{"file":41,"line":142,"context":78},114,{"file":41,"line":144,"context":78},131,{"file":41,"line":146,"context":78},143,{"file":41,"line":148,"context":78},146,{"file":41,"line":150,"context":78},234,{"file":41,"line":152,"context":78},242,{"file":41,"line":154,"context":78},250,{"file":41,"line":156,"context":78},258,{"file":41,"line":158,"context":78},266,6,[],[162,180,190,199,211],{"entryPoint":163,"graph":164,"unsanitizedCount":72,"severity":179},"\u003Cindex> (google-api-php-client\\examples\\latitude\\index.php:0)",{"nodes":165,"edges":176},[166,171],{"id":167,"type":168,"label":169,"file":112,"line":170},"n0","source","$_SERVER['HTTP_HOST'] (x2)",33,{"id":172,"type":173,"label":174,"file":112,"line":170,"wp_function":175},"n1","sink","header() [Header Injection]","header",[177],{"from":167,"to":172,"sanitized":178},false,"medium",{"entryPoint":181,"graph":182,"unsanitizedCount":14,"severity":179},"\u003Cindex> (google-api-php-client\\examples\\tasks\\index.php:0)",{"nodes":183,"edges":188},[184,187],{"id":167,"type":168,"label":185,"file":134,"line":186},"$_SERVER['HTTP_HOST']",42,{"id":172,"type":173,"label":174,"file":134,"line":186,"wp_function":175},[189],{"from":167,"to":172,"sanitized":178},{"entryPoint":191,"graph":192,"unsanitizedCount":72,"severity":179},"\u003Cindex> (google-api-php-client\\examples\\urlshortener\\index.php:0)",{"nodes":193,"edges":197},[194,196],{"id":167,"type":168,"label":169,"file":138,"line":195},32,{"id":172,"type":173,"label":174,"file":138,"line":195,"wp_function":175},[198],{"from":167,"to":172,"sanitized":178},{"entryPoint":200,"graph":201,"unsanitizedCount":72,"severity":210},"\u003Cheader> (google-api-php-client\\examples\\buzz\\includes\\header.php:0)",{"nodes":202,"edges":208},[203,205],{"id":167,"type":168,"label":204,"file":108,"line":109},"$_SERVER['SCRIPT_NAME'] (x2)",{"id":172,"type":173,"label":206,"file":108,"line":109,"wp_function":207},"echo() [XSS]","echo",[209],{"from":167,"to":172,"sanitized":178},"low",{"entryPoint":212,"graph":213,"unsanitizedCount":220,"severity":210},"\u003Cindex> (google-api-php-client\\examples\\pagespeed\\index.php:0)",{"nodes":214,"edges":218},[215,217],{"id":167,"type":168,"label":216,"file":118,"line":109},"$_GET (x4)",{"id":172,"type":173,"label":206,"file":118,"line":119,"wp_function":207},[219],{"from":167,"to":172,"sanitized":178},4,{"summary":222,"deductions":223},"The \"mygooglepluswidget\" plugin version 1.3 exhibits a mixed security posture. On one hand, it demonstrates good practices regarding SQL queries, exclusively using prepared statements, and has no recorded vulnerability history, suggesting a generally stable and secure past. The attack surface is also reported as zero, with no AJAX handlers, REST API routes, shortcodes, or cron events, which is a significant strength in minimizing potential entry points.\n\nHowever, several areas raise concerns. The presence of two \"unserialize\" function calls is a critical red flag. If the data being unserialized is not strictly controlled or sanitized from an external source, it can lead to Remote Code Execution vulnerabilities. Furthermore, the static analysis reveals a very low rate of proper output escaping (5%), indicating a high likelihood of Cross-Site Scripting (XSS) vulnerabilities. While the taint analysis shows no critical or high severity flows, the limited number of flows analyzed (5) and the presence of unsanitized paths in all of them warrants caution. The absence of any nonce or capability checks on the (non-existent) entry points, while seemingly positive due to the zero attack surface, means that if any entry points were ever added, they would be unprotected.\n\nIn conclusion, while the plugin has a clean vulnerability history and a seemingly small attack surface, the critical \"unserialize\" function usage and the pervasive lack of output escaping present significant security risks. The plugin developers should prioritize addressing these issues to improve its overall security posture. The low number of analyzed taint flows also suggests that a deeper, more comprehensive static analysis might be beneficial.",[224,227,229,232,235],{"reason":225,"points":226},"Dangerous function unserialize found",15,{"reason":228,"points":11},"Low percentage of properly escaped output",{"reason":230,"points":231},"Unsanitized paths in taint flows",8,{"reason":233,"points":234},"No nonce checks",5,{"reason":236,"points":234},"No capability checks","2026-03-16T23:35:54.495Z",{"wat":239,"direct":244},{"assetPaths":240,"generatorPatterns":241,"scriptPaths":242,"versionParams":243},[],[],[],[],{"cssClasses":245,"htmlComments":247,"htmlAttributes":248,"restEndpoints":249,"jsGlobals":250,"shortcodeOutput":251},[246],"gpw_widget_class",[],[],[],[],[]]