[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fAhWY0Fq1op4qQ2J_6fei4BJZTUF438abVJO9ly1KhtY":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":17,"download_link":19,"security_score":20,"vuln_count":13,"unpatched_count":13,"last_vuln_date":21,"fetched_at":22,"vulnerabilities":23,"developer":24,"crawl_stats":21,"alternatives":31,"analysis":32,"fingerprints":193},"mythic-wp-management","Mythic Beasts WordPress Management","1.8.1","Mythic Beasts","https:\u002F\u002Fprofiles.wordpress.org\u002Fmythic_beasts\u002F","\u003Cp>This plugin enables automated data collection as part of the third party Mythic Beasts Managed WordPress Hosting service, and provides relevant notices to administrative users. Without this service the plugin will have very limited functionality.\u003C\u002Fp>\n\u003Cp>When enabled, it stores a randomly generated key in the WordPress options, then allows querying the following information when that key is provided:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>IP Address of the server, and an identifier which is generated from the IP address and site's install path.\u003C\u002Fli>\n\u003Cli>System User Name, user and group ID numbers WordPress is running as.\u003C\u002Fli>\n\u003Cli>PHP Version, handler and extensions available to WordPress.\u003C\u002Fli>\n\u003Cli>Location of WordPress on the server, along with URLs it’s configured with.\u003C\u002Fli>\n\u003Cli>WordPress core version and automatic update setting.\u003C\u002Fli>\n\u003Cli>Email address of the configured WordPress administrator.\u003C\u002Fli>\n\u003Cli>A list of Plugins installed, and information about available updates.\u003C\u002Fli>\n\u003Cli>A list of Themes installed, and information about available updates.\u003C\u002Fli>\n\u003Cli>Hashes of the core, plugin and 
theme files.\u003C\u002Fli>\n\u003Cli>Various other variables.\u003C\u002Fli>\n\u003Cli>A timestamp of when this information was last queried.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>No information is sent automatically, and this plugin only outputs the data when the stored key is provided in a normal web request.\u003C\u002Fp>\n\u003Cp>More information on the Mythic Beasts Managed WordPress Hosting service is available at https:\u002F\u002Fwww.mythic-beasts.com\u002Fapps\u002Fwordpress.\u003C\u002Fp>\n\u003Cp>Terms and Conditions as well as the Privacy Policy for this service are available at https:\u002F\u002Fwww.mythic-beasts.com\u002Fterms\u002Foverview.\u003C\u002Fp>\n","Enables data collection as part of the Mythic Beasts Managed WordPress Hosting service.",200,3745,0,"2026-02-21T13:28:00.000Z","6.9.4","4.0","",[],"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmythic-wp-management.1.8.1.zip",100,null,"2026-03-15T15:16:48.613Z",[],{"slug":25,"display_name":7,"profile_url":8,"plugin_count":26,"total_installs":27,"avg_security_score":20,"avg_patch_time_days":28,"trust_score":29,"computed_at":30},"mythic_beasts",2,400,30,94,"2026-04-04T18:41:28.950Z",[],{"attackSurface":33,"codeSignals":74,"taintFlows":127,"riskAssessment":176,"analyzedAt":192},{"hooks":34,"ajaxHandlers":68,"restRoutes":69,"shortcodes":70,"cronEvents":71,"entryPointCount":13,"unprotectedCount":13},[35,41,44,49,53,57,61,65],{"type":36,"name":37,"callback":38,"file":39,"line":40},"filter","plugins_auto_update_enabled","__return_false","mythic-wp-management.php",42,{"type":36,"name":42,"callback":38,"file":39,"line":43},"themes_auto_update_enabled",43,{"type":45,"name":46,"callback":47,"file":39,"line":48},"action","mythic_wp_last_cron_check","mythic_wp_last_cron_update",89,{"type":45,"name":50,"callback":51,"file":39,"line":52},"plugins_loaded","mythic_wp_management_page",410,{"type":45,"name":54,"callback":55,"file":39,"line":56},"admin_notices","mythic_wp_management_notice",471,{"typ
e":45,"name":58,"callback":59,"file":39,"line":60},"admin_menu","mythic_wp_management_disable_core_upgrade_nag",482,{"type":45,"name":62,"callback":63,"file":39,"line":64},"wp_dashboard_setup","mythic_wp_management_disable_php_version_nag",492,{"type":36,"name":66,"callback":38,"file":39,"line":67},"site_status_should_suggest_persistent_object_cache",498,[],[],[],[72],{"hook":46,"callback":46,"file":39,"line":73},86,{"dangerousFunctions":75,"sqlUsage":76,"outputEscaping":78,"fileOperations":125,"externalRequests":13,"nonceChecks":13,"capabilityChecks":13,"bundledLibraries":126},[],{"prepared":13,"raw":13,"locations":77},[],{"escaped":79,"rawEcho":80,"locations":81},134,21,[82,85,87,89,91,93,95,97,99,101,103,105,107,109,111,113,115,117,119,121,123],{"file":39,"line":83,"context":84},181,"raw output",{"file":39,"line":86,"context":84},254,{"file":39,"line":88,"context":84},281,{"file":39,"line":90,"context":84},285,{"file":39,"line":92,"context":84},286,{"file":39,"line":94,"context":84},287,{"file":39,"line":96,"context":84},288,{"file":39,"line":98,"context":84},289,{"file":39,"line":100,"context":84},294,{"file":39,"line":102,"context":84},295,{"file":39,"line":104,"context":84},322,{"file":39,"line":106,"context":84},326,{"file":39,"line":108,"context":84},337,{"file":39,"line":110,"context":84},339,{"file":39,"line":112,"context":84},352,{"file":39,"line":114,"context":84},355,{"file":39,"line":116,"context":84},358,{"file":39,"line":118,"context":84},361,{"file":39,"line":120,"context":84},364,{"file":39,"line":122,"context":84},367,{"file":39,"line":124,"context":84},370,1,[],[128,162],{"entryPoint":129,"graph":130,"unsanitizedCount":26,"severity":161},"mythic_wp_management_report (mythic-wp-management.php:142)",{"nodes":131,"edges":155},[132,137,143,147,149,151],{"id":133,"type":134,"label":135,"file":39,"line":136},"n0","source","$_SERVER (x3)",150,{"id":138,"type":139,"label":140,"file":39,"line":141,"wp_function":142},"n1","sink","echo() 
[XSS]",151,"echo",{"id":144,"type":134,"label":145,"file":39,"line":146},"n2","$_SERVER",154,{"id":148,"type":139,"label":140,"file":39,"line":108,"wp_function":142},"n3",{"id":150,"type":134,"label":145,"file":39,"line":146},"n4",{"id":152,"type":139,"label":153,"file":39,"line":108,"wp_function":154},"n5","file_get_contents() [SSRF\u002FLFI]","file_get_contents",[156,158,160],{"from":133,"to":138,"sanitized":157},true,{"from":144,"to":148,"sanitized":159},false,{"from":150,"to":152,"sanitized":159},"medium",{"entryPoint":163,"graph":164,"unsanitizedCount":26,"severity":161},"\u003Cmythic-wp-management> (mythic-wp-management.php:0)",{"nodes":165,"edges":172},[166,167,168,169,170,171],{"id":133,"type":134,"label":135,"file":39,"line":136},{"id":138,"type":139,"label":140,"file":39,"line":141,"wp_function":142},{"id":144,"type":134,"label":145,"file":39,"line":146},{"id":148,"type":139,"label":140,"file":39,"line":108,"wp_function":142},{"id":150,"type":134,"label":145,"file":39,"line":146},{"id":152,"type":139,"label":153,"file":39,"line":108,"wp_function":154},[173,174,175],{"from":133,"to":138,"sanitized":157},{"from":144,"to":148,"sanitized":159},{"from":150,"to":152,"sanitized":159},{"summary":177,"deductions":178},"The \"mythic-wp-management\" plugin v1.8.1 exhibits a generally good security posture based on the provided static analysis. There are no identified AJAX handlers, REST API routes, or shortcodes that present an immediate attack surface, although the plugin's own description says it outputs site data when the stored key is provided in a normal web request, a request-reachable path that these counts do not cover. The plugin also demonstrates secure coding practices: the scan recorded no SQL queries at all (0 prepared, 0 raw), so there is no raw SQL to review, and a significant majority (86%) of its output is properly escaped. The absence of known CVEs and a clean vulnerability history further reinforces this positive outlook, suggesting consistent security awareness from the developers.\n\nHowever, a few areas warrant attention. 
The presence of a single cron event without explicit mention of authentication or capability checks is a potential, albeit small, risk. More critically, the taint analysis reveals two flows with unsanitized paths: in each, $_SERVER values read at mythic-wp-management.php line 154 reach echo() and file_get_contents() at line 337 without recorded sanitization. Both flows are rated medium rather than critical or high severity, but unsanitized paths can, in certain circumstances, lead to vulnerabilities if they interact with file operations or user-supplied input in an insecure manner; the $_SERVER keys involved should be confirmed as not client-controlled, or validated before use. The plugin also has zero nonce checks and zero capability checks recorded, which, when combined with other factors, can be a concern, especially if the attack surface were to grow or if the cron event has potential security implications; because the plugin's description says its data output is gated by a stored key instead, the handling of that key is the access control to review.\n\nIn conclusion, \"mythic-wp-management\" v1.8.1 is on a solid security foundation, with developers adhering to many best practices. The primary concerns revolve around the potential for issues with the unsanitized paths in the taint analysis and the lack of explicit authentication\u002Fcapability checks on the cron event. Addressing these specific points would further solidify the plugin's security.",[179,182,185,188,190],{"reason":180,"points":181},"Taint flows with unsanitized paths detected",8,{"reason":183,"points":184},"Cron event without apparent auth\u002Fcap checks",3,{"reason":186,"points":187},"Zero nonce checks recorded",5,{"reason":189,"points":187},"Zero capability checks recorded",{"reason":191,"points":26},"Less than 100% output escaping","2026-03-16T20:18:23.942Z",{"wat":194,"direct":199},{"assetPaths":195,"generatorPatterns":196,"scriptPaths":197,"versionParams":198},[],[],[],[],{"cssClasses":200,"htmlComments":201,"htmlAttributes":202,"restEndpoints":203,"jsGlobals":204,"shortcodeOutput":206},[],[],[],[],[205],"mythic_wp_management_options",[]]