[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fVPB_bsh9YUGA3m0zTUUMWDqyJ2SOnbRwm4FPOjXtMes":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":18,"download_link":25,"security_score":26,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29,"vulnerabilities":30,"developer":31,"crawl_stats":28,"alternatives":37,"analysis":137,"fingerprints":776},"native-wp-cleaner","Native WP Cleaner","1.0","Oleg Komarovskyi","https:\u002F\u002Fprofiles.wordpress.org\u002Fkomarovski\u002F","\u003Cp>With help of this plugin you can easily disable native wordpress widgets, cleanup your HTML code from such native features as:\u003Cbr \u002F>\n– Embeds script;\u003Cbr \u002F>\n– EMOJI script and styles;\u003Cbr \u002F>\n– RSD link;\u003Cbr \u002F>\n– WLW Manifest link;\u003Cbr \u002F>\n– Generator meta tag;\u003Cbr \u002F>\nAlso, you can disable XML-RPC functionality, self ping, enable Honeypot on login page, prevent access to such files as: readme.html, license.txt, xmlrpc.php, wlwmanifest.xml, changelog.txt, etc.\u003Cbr \u002F>\nMoreover, you can hide different metaboxes, columns, menu pages, express bar items from administration panel.\u003Cbr \u002F>\nNative WP Cleaner – is a handy, lightweight, clean code plugin that will be useful not only for simple blog and website owners, but also for theme developers\u003C\u002Fp>\n","Disable native widgets, clean head tag from RSS, RSD, WLW Manifest links, disable XML-RPC, cleanup admin panel from columns, metaboxes, menu items.",70,2022,100,2,"2017-06-10T09:52:00.000Z","4.8.28","4.0","",[20,21,22,23,24],"disable-widgets","remove-generator-meta","remove-rsd","remove-tags-from-head","xmlrpc","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnative-wp-cleaner.1.0.zip",85,0,null,"2026-03-15T15:16:48.613Z",[],{"slug":32,"display_name":7,"profile_url":8,"plugin_count":14,"total_installs":33,"avg_security_score":26,"avg_patch_time_days":34,"trust_score":35,"computed_at":36},"komarovski",130,30,84,"2026-04-04T08:01:17.152Z",[38,56,76,98,120],{"slug":39,"name":40,"version":41,"author":42,"author_profile":43,"description":44,"short_description":45,"active_installs":46,"downloaded":47,"rating":48,"num_ratings":49,"last_updated":50,"tested_up_to":51,"requires_at_least":52,"requires_php":18,"tags":53,"homepage":54,"download_link":55,"security_score":13,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"disable-xml-rpc","Disable XML-RPC","1.0.1","Phil Erb","https:\u002F\u002Fprofiles.wordpress.org\u002Fphilerb\u002F","\u003Cp>Pretty simply, this plugin uses the built-in WordPress filter “xmlrpc_enabled” to disable the XML-RPC API on a WordPress site running 3.5 or above.\u003C\u002Fp>\n\u003Cp>Beginning in 3.5, XML-RPC is enabled by default. Additionally, the option to disable\u002Fenable XML-RPC was removed. For various reasons, site owners may wish to disable this functionality. This plugin provides an easy way to do so.\u003C\u002Fp>\n","Disables the XML-RPC API in WordPress 3.5+, which is enabled by default.",200000,604200,86,29,"2025-12-03T01:28:00.000Z","6.9.4","3.5",[24],"http:\u002F\u002Fwww.philerb.com\u002Fwp-plugins\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdisable-xml-rpc.1.0.1.zip",{"slug":57,"name":58,"version":59,"author":60,"author_profile":61,"description":62,"short_description":63,"active_installs":64,"downloaded":65,"rating":66,"num_ratings":67,"last_updated":68,"tested_up_to":51,"requires_at_least":69,"requires_php":18,"tags":70,"homepage":74,"download_link":75,"security_score":13,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"disable-xml-rpc-api","Disable XML-RPC-API","2.1.7","Amin Nazemi","https:\u002F\u002Fprofiles.wordpress.org\u002Faminnz\u002F","\u003Cp>Protect your website from xmlrpc brute-force attacks,DOS and DDOS attacks, this plugin disables the XML-RPC and trackbacks-pingbacks on your WordPress website.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>PLUGIN FEATURES\u003C\u002Fstrong>\u003Cbr \u002F>\n(These are options you can enable or disable each one)\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Disable access to xmlrpc.php file using .httacess file \u003C\u002Fli>\n\u003Cli>Automatically change htaccess file permission to read-only (0444)\u003C\u002Fli>\n\u003Cli>Disable X-pingback to minimize CPU usage \u003C\u002Fli>\n\u003Cli>Disable selected methods from XML-RPC\u003C\u002Fli>\n\u003Cli>Remove pingback-ping link from header\u003C\u002Fli>\n\u003Cli>Disable trackbacks and pingbacks to avoid spammers and hackers\u003C\u002Fli>\n\u003Cli>Rename XML-RPC slug to whatever you want\u003C\u002Fli>\n\u003Cli>Black list IPs for XML-RPC\u003C\u002Fli>\n\u003Cli>White list IPs for XML-RPC\u003C\u002Fli>\n\u003Cli>Some options to speed-up your wordpress website\u003C\u002Fli>\n\u003Cli>Disable JSON REST API\u003C\u002Fli>\n\u003Cli>Hide WordPress Version\u003C\u002Fli>\n\u003Cli>Disable built-in WordPress file editor\u003C\u002Fli>\n\u003Cli>Disable wlw manifest\u003C\u002Fli>\n\u003Cli>And some other options\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>What is XMLRPC\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>XML-RPC, or XML Remote Procedure Call is a protocol which uses XML to encode its calls and HTTP as a transport mechanism.\u003Cbr \u002F>\nBeginning in WordPress 3.5, XML-RPC is enabled by default. Additionally, the option to disable\u002Fenable XML-RPC was removed. For various reasons, site owners may wish to disable this functionality. This plugin provides an easy way to do so.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Why you should disable XML-RPC\u003C\u002Fstrong>\u003Cbr \u002F>\n\u003Cem>Xmlrpc has two main weaknesses\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Brute force attacks:\u003Cbr \u002F>\nAttackers try to login to WordPress using xmlrpc.php with as many username\u002Fpassword combinations as they can enter. A method within xmlrpc.php allows the attacker to use a single command (system.multicall) to guess hundreds of passwords. Daniel Cid at Sucuri described it well in October 2015: “With only 3 or 4 HTTP requests, the attackers could try thousands of passwords, bypassing security tools that are designed to look and block brute force attempts.”\u003C\u002Fli>\n\u003Cli>Denial of Service Attacks via Pingback:\u003Cbr \u002F>\nBack in 2013, attackers sent Pingback requests through xmlrpc.php of approximately 2500 WordPress sites to “herd (these sites) into a voluntary botnet,” according to Gur Schatz at Incapsula. “This gives any attacker a virtually limitless set of IP addresses to Distribute a Denial of Service attack across a network of over 100 million WordPress sites, without having to compromise them.”\u003C\u002Fli>\n\u003C\u002Ful>\n","A simple and lightweight plugin to disable XML-RPC API, X-Pingback and pingback-ping in WordPress 3.5+ for a faster and more secure website",100000,792973,82,42,"2026-02-04T06:54:00.000Z","5.0",[39,71,72,73,24],"disable-xmlrpc","pingback","stop-brute-force-attacks","https:\u002F\u002Fneatma.com\u002Fdsxmlrpc-plugin\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdisable-xml-rpc-api.zip",{"slug":77,"name":78,"version":79,"author":80,"author_profile":81,"description":82,"short_description":83,"active_installs":84,"downloaded":85,"rating":86,"num_ratings":87,"last_updated":88,"tested_up_to":89,"requires_at_least":90,"requires_php":91,"tags":92,"homepage":96,"download_link":97,"security_score":26,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"remove-xmlrpc-pingback-ping","Remove & Disable XML-RPC Pingback","1.6","cleverplugins","https:\u002F\u002Fprofiles.wordpress.org\u002Fcleverplugins\u002F","\u003Cp>Prevent your WordPress site from participating and being a victim of pingback denial of service attacks. \u003Cstrong>After activation the plugin automatically disables XML-RPC. There’s no need to configure anything.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>By disabling the XML-RPC pingback you’ll:\u003Cbr \u002F>\n* lower your server CPU usage\u003Cbr \u002F>\n* prevent malicious scripts from using your site to run pingback denial of service attacks\u003Cbr \u002F>\n* prevent malicious scripts to run denial of service attacks on your site via pingback\u003C\u002Fp>\n\u003Cp>From sucuri.net:\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>Any WordPress site with Pingback enabled (which is on by default) can be used in DDOS attacks against other sites.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Ch4>Learn More\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fwptavern.com\u002Fhow-to-prevent-wordpress-from-participating-in-pingback-denial-of-service-attacks\" rel=\"nofollow ugc\">How To Prevent WordPress From Participating In Pingback Denial of Service Attacks\u003C\u002Fa> – wptavern.com\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fblog.sucuri.net\u002F2014\u002F03\u002Fmore-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html\" rel=\"nofollow ugc\">More Than 162,000 WordPress Sites Used for Distributed Denial of Service Attack\u003C\u002Fa> – sucuri.net\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fhackguard.com\u002Fxmlrpc-php-ping-backs-hackers-denial-service-attacks\" rel=\"nofollow ugc\">xmlrpc.php and Pingbacks and Denial of Service Attacks, Oh My!\u003C\u002Fa> – hackguard.com\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Is Your Site Attacking Others?\u003C\u002Fh4>\n\u003Cp>Use \u003Ca href=\"http:\u002F\u002Flabs.sucuri.net\u002F?is-my-wordpress-ddosing\" rel=\"nofollow ugc\">Sucuri’s WordPress DDOS Scanner\u003C\u002Fa> to check if your site is DDOS’ing other websites\u003C\u002Fp>\n\u003Ch4>Why Not Just Disable XMLRPC Altogether?\u003C\u002Fh4>\n\u003Cp>Yes, you can choose to do that, but if you use popular plugins like JetPack (that use XMLRPC) then those plugins will stop working. That is why this small plugin exists.\u003C\u002Fp>\n","Prevent pingback, XML-RPC and denial of service DDOS attacks by disabling the XML-RPC pingback functionality.",9000,94267,60,6,"2023-07-24T23:03:00.000Z","6.3.8","5.2","5.6",[93,94,72,95,24],"disable-ping","ping","xml-rpc","http:\u002F\u002Fwordpress.org\u002Fplugins\u002Fremove-xmlrpc-pingback-ping","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fremove-xmlrpc-pingback-ping.1.6.zip",{"slug":99,"name":100,"version":101,"author":102,"author_profile":103,"description":104,"short_description":105,"active_installs":106,"downloaded":107,"rating":86,"num_ratings":108,"last_updated":109,"tested_up_to":110,"requires_at_least":17,"requires_php":18,"tags":111,"homepage":117,"download_link":118,"security_score":119,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"manage-xml-rpc","Manage XML-RPC","1.0.2","brainvireinfo","https:\u002F\u002Fprofiles.wordpress.org\u002Fbrainvireinfo\u002F","\u003Cp>You can now disable XML-RPC to avoid Brute force attack for given IPs or can even enable access for some IPs. XML-RPC on WordPress is actually an API that gives developers who build mobile apps, desktop apps and other services, the ability to talk to a WordPress site. The XML-RPC API that WordPress provides gives developers, a way to write applications (for you) that can do many of the things that you can do when logged into WordPress via the web interface.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cp>Block XML-RPC by following way.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Disable pingback.ping, pingback.extensions.getPingbacks and Unset X-Pingback from HTTP headers, that will block bots to access specified method.\u003C\u002Fli>\n\u003Cli>Disable\u002FBlock XML-RPC for all users.\u003C\u002Fli>\n\u003C\u002Ful>\n","Enable\u002FDisable XML-RPC for all or based on IP list, also you can control pingback and Unset X-Pingback from HTTP headers.",6000,64108,4,"2024-12-02T07:10:00.000Z","6.7.5",[112,113,114,115,116],"block-xml-rpc","brute-force-attacks","security","xml-rpc-pingback","xmlrpc-php-attack","http:\u002F\u002Fwww.brainvire.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmanage-xml-rpc.1.0.2.zip",92,{"slug":121,"name":122,"version":123,"author":124,"author_profile":125,"description":126,"short_description":127,"active_installs":106,"downloaded":128,"rating":13,"num_ratings":108,"last_updated":129,"tested_up_to":51,"requires_at_least":130,"requires_php":131,"tags":132,"homepage":18,"download_link":136,"security_score":13,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"stop-xml-rpc-attacks","Stop XML-RPC Attacks","2.0.0","Pascal CESCATO","https:\u002F\u002Fprofiles.wordpress.org\u002Fpcescato\u002F","\u003Cp>Stop XML-RPC Attacks protects your WordPress site from XML-RPC brute force attacks, DDoS attempts, and reconnaissance probes while maintaining compatibility with essential services like Jetpack and WooCommerce.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Features:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Three security modes: Full Disable, Guest Disable, or Selective Blocking\u003C\u002Fli>\n\u003Cli>Blocks dangerous methods: system.multicall, pingback.ping, and more\u003C\u002Fli>\n\u003Cli>Compatible with Jetpack and WooCommerce\u003C\u002Fli>\n\u003Cli>Optional user enumeration blocking\u003C\u002Fli>\n\u003Cli>Attack logging for monitoring\u003C\u002Fli>\n\u003Cli>Zero configuration required – works out of the box\u003C\u002Fli>\n\u003Cli>Clean, intuitive admin interface\u003C\u002Fli>\n\u003C\u002Ful>\n","Blocks dangerous XML-RPC methods while preserving Jetpack, WooCommerce, and mobile apps compatibility.",26717,"2026-01-01T13:41:00.000Z","6.0","7.4",[133,134,135,114,24],"brute-force","ddos","jetpack","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fstop-xml-rpc-attacks.2.0.0.zip",{"attackSurface":138,"codeSignals":341,"taintFlows":763,"riskAssessment":764,"analyzedAt":775},{"hooks":139,"ajaxHandlers":337,"restRoutes":338,"shortcodes":339,"cronEvents":340,"entryPointCount":27,"unprotectedCount":27},[140,146,150,155,158,162,167,170,174,177,180,184,187,190,193,197,202,205,208,211,214,217,220,223,226,229,232,235,238,241,244,247,250,254,258,261,264,267,271,274,278,281,284,287,290,293,296,299,302,305,308,311,314,317,320,323,326,330,333],{"type":141,"name":142,"callback":143,"file":144,"line":145},"action","init","nwpcpcode_init","native-wp-cleaner.php",18,{"type":141,"name":147,"callback":148,"file":144,"line":149},"wp_footer","nwpcpcode_disable_embeds_function",33,{"type":151,"name":152,"callback":153,"file":144,"line":154},"filter","tiny_mce_plugins","nwpcpcode_disable_emoji_smiles_tinymce_function",45,{"type":141,"name":142,"callback":156,"file":144,"line":157},"nwpcpcode_disable_emoji_smiles_function",47,{"type":151,"name":159,"callback":160,"file":144,"line":161},"emoji_svg_url","__return_false",49,{"type":151,"name":163,"callback":164,"priority":165,"file":144,"line":166},"style_loader_src","nwpcpcode_remove_css_js_versions_function",9999,54,{"type":151,"name":168,"callback":164,"priority":165,"file":144,"line":169},"script_loader_src",55,{"type":141,"name":171,"callback":172,"file":144,"line":173},"pre_ping","nwpcpcode_disable_self_ping_function",66,{"type":151,"name":175,"callback":176,"file":144,"line":11},"wp_headers","nwpcpcode_disable_xml_rpc_function",{"type":151,"name":178,"callback":160,"file":144,"line":179},"xmlrpc_enabled",71,{"type":141,"name":181,"callback":182,"file":144,"line":183},"login_form","nwpcpcode_add_honeypot_function",94,{"type":141,"name":185,"callback":182,"file":144,"line":186},"lostpassword_form",95,{"type":141,"name":188,"callback":182,"file":144,"line":189},"retrievepassword_form",96,{"type":141,"name":191,"callback":182,"file":144,"line":192},"register_form",97,{"type":151,"name":194,"callback":195,"file":144,"line":196},"wp_revisions_to_keep","nwpcpcode_revisions_limit_function",104,{"type":141,"name":198,"callback":199,"priority":200,"file":144,"line":201},"widgets_init","nwpcpcode_disable_text_widget_function",11,108,{"type":141,"name":198,"callback":203,"priority":200,"file":144,"line":204},"nwpcpcode_disable_custom_menu_widget_function",113,{"type":141,"name":198,"callback":206,"priority":200,"file":144,"line":207},"nwpcpcode_disable_image_widget_function",118,{"type":141,"name":198,"callback":209,"priority":200,"file":144,"line":210},"nwpcpcode_disable_video_widget_function",123,{"type":141,"name":198,"callback":212,"priority":200,"file":144,"line":213},"nwpcpcode_disable_audio_widget_function",128,{"type":141,"name":198,"callback":215,"priority":200,"file":144,"line":216},"nwpcpcode_disable_rss_widget_function",133,{"type":141,"name":198,"callback":218,"priority":200,"file":144,"line":219},"nwpcpcode_disable_archives_widget_function",138,{"type":141,"name":198,"callback":221,"priority":200,"file":144,"line":222},"nwpcpcode_disable_calendar_widget_function",143,{"type":141,"name":198,"callback":224,"priority":200,"file":144,"line":225},"nwpcpcode_disable_meta_widget_function",148,{"type":141,"name":198,"callback":227,"priority":200,"file":144,"line":228},"nwpcpcode_disable_tag_cloud_widget_function",153,{"type":141,"name":198,"callback":230,"priority":200,"file":144,"line":231},"nwpcpcode_disable_search_widget_function",158,{"type":141,"name":198,"callback":233,"priority":200,"file":144,"line":234},"nwpcpcode_disable_categories_widget_function",163,{"type":141,"name":198,"callback":236,"priority":200,"file":144,"line":237},"nwpcpcode_disable_recent_posts_widget_function",168,{"type":141,"name":198,"callback":239,"priority":200,"file":144,"line":240},"nwpcpcode_disable_recent_comments_widget_function",173,{"type":141,"name":198,"callback":242,"priority":200,"file":144,"line":243},"nwpcpcode_disable_pages_widget_function",178,{"type":141,"name":142,"callback":245,"file":144,"line":246},"nwpcpcode_unregister_categories_function",183,{"type":141,"name":142,"callback":248,"file":144,"line":249},"nwpcpcode_unregister_tags_function",188,{"type":151,"name":251,"callback":252,"file":144,"line":253},"manage_media_columns","nwpcpcode_hide_author_columns",194,{"type":141,"name":255,"callback":256,"file":144,"line":257},"admin_menu","nwpcpcode_hide_author_metabox",196,{"type":151,"name":251,"callback":259,"file":144,"line":260},"nwpcpcode_hide_comments_columns",202,{"type":141,"name":255,"callback":262,"file":144,"line":263},"nwpcpcode_hide_comments_metabox",204,{"type":141,"name":255,"callback":265,"file":144,"line":266},"nwpcpcode_hide_comments_menu",206,{"type":141,"name":268,"callback":269,"file":144,"line":270},"wp_before_admin_bar_render","nwpcpcode_hide_comments_admin_bar",208,{"type":141,"name":255,"callback":272,"file":144,"line":273},"nwpcpcode_hide_discussion_metabox",213,{"type":141,"name":255,"callback":275,"priority":276,"file":144,"line":277},"nwpcpcode_hide_discussion_menu",999,215,{"type":141,"name":255,"callback":279,"file":144,"line":280},"nwpcpcode_hide_slug_metabox",220,{"type":141,"name":255,"callback":282,"file":144,"line":283},"nwpcpcode_hide_trackbacks_metabox",225,{"type":141,"name":255,"callback":285,"file":144,"line":286},"nwpcpcode_hide_excerpt_metabox",230,{"type":141,"name":255,"callback":288,"file":144,"line":289},"nwpcpcode_hide_custom_fields_metabox",235,{"type":141,"name":255,"callback":291,"file":144,"line":292},"nwpcpcode_hide_tools_menu",240,{"type":141,"name":255,"callback":294,"priority":276,"file":144,"line":295},"nwpcpcode_hide_writing_menu",245,{"type":141,"name":255,"callback":297,"priority":276,"file":144,"line":298},"nwpcpcode_hide_reading_menu",250,{"type":141,"name":255,"callback":300,"priority":276,"file":144,"line":301},"nwpcpcode_hide_media_menu",255,{"type":141,"name":255,"callback":303,"priority":276,"file":144,"line":304},"nwpcpcode_hide_permalinks_menu",260,{"type":141,"name":255,"callback":306,"priority":276,"file":144,"line":307},"nwpcpcode_hide_file_editors_theme",265,{"type":141,"name":255,"callback":309,"priority":276,"file":144,"line":310},"nwpcpcode_hide_file_editors_plugin",267,{"type":141,"name":268,"callback":312,"file":144,"line":313},"nwpcpcode_hide_admin_bar_logo_item",272,{"type":141,"name":268,"callback":315,"file":144,"line":316},"nwpcpcode_hide_admin_bar_customize_item",277,{"type":141,"name":268,"callback":318,"file":144,"line":319},"nwpcpcode_hide_admin_bar_new_media_item",282,{"type":141,"name":268,"callback":321,"file":144,"line":322},"nwpcpcode_hide_admin_bar_new_user_item",287,{"type":141,"name":268,"callback":324,"file":144,"line":325},"nwpcpcode_hide_admin_bar_themes_items",292,{"type":141,"name":327,"callback":328,"file":144,"line":329},"login_enqueue_scripts","nwpcpcode_hide_logo_login_page_function",297,{"type":141,"name":255,"callback":331,"file":144,"line":332},"nwpcpcode_tab",730,{"type":141,"name":334,"callback":335,"file":144,"line":336},"admin_init","nwpcpcode_settings",735,[],[],[],[],{"dangerousFunctions":342,"sqlUsage":343,"outputEscaping":345,"fileOperations":27,"externalRequests":27,"nonceChecks":27,"capabilityChecks":27,"bundledLibraries":762},[],{"prepared":27,"raw":27,"locations":344},[],{"escaped":27,"rawEcho":346,"locations":347},207,[348,351,353,355,357,359,361,363,365,367,369,371,373,375,377,379,381,383,385,387,389,391,393,395,397,399,401,403,405,407,409,411,413,415,417,419,421,423,425,427,429,431,433,435,437,439,441,443,445,447,449,451,453,455,457,459,460,462,464,466,468,470,472,474,476,478,480,482,484,486,488,490,492,494,496,498,500,502,504,506,508,510,512,514,516,518,520,522,524,526,528,530,532,534,536,538,540,542,544,546,548,550,552,554,556,558,560,562,564,566,568,570,572,574,576,578,580,582,584,586,588,590,592,594,596,598,600,602,604,606,608,610,612,614,616,618,620,622,624,626,628,630,632,634,636,638,640,642,644,646,648,650,652,654,656,658,660,662,664,666,668,670,672,674,676,678,680,682,684,686,688,690,692,694,696,698,700,702,704,706,708,710,712,714,716,718,720,722,724,726,728,730,732,734,736,738,740,742,744,746,748,750,752,754,756,758,760],{"file":144,"line":349,"context":350},306,"raw output",{"file":144,"line":352,"context":350},308,{"file":144,"line":354,"context":350},309,{"file":144,"line":356,"context":350},310,{"file":144,"line":358,"context":350},311,{"file":144,"line":360,"context":350},312,{"file":144,"line":362,"context":350},313,{"file":144,"line":364,"context":350},318,{"file":144,"line":366,"context":350},321,{"file":144,"line":368,"context":350},323,{"file":144,"line":370,"context":350},324,{"file":144,"line":372,"context":350},325,{"file":144,"line":374,"context":350},329,{"file":144,"line":376,"context":350},331,{"file":144,"line":378,"context":350},332,{"file":144,"line":380,"context":350},333,{"file":144,"line":382,"context":350},337,{"file":144,"line":384,"context":350},339,{"file":144,"line":386,"context":350},340,{"file":144,"line":388,"context":350},341,{"file":144,"line":390,"context":350},345,{"file":144,"line":392,"context":350},347,{"file":144,"line":394,"context":350},348,{"file":144,"line":396,"context":350},349,{"file":144,"line":398,"context":350},353,{"file":144,"line":400,"context":350},355,{"file":144,"line":402,"context":350},356,{"file":144,"line":404,"context":350},357,{"file":144,"line":406,"context":350},361,{"file":144,"line":408,"context":350},363,{"file":144,"line":410,"context":350},364,{"file":144,"line":412,"context":350},365,{"file":144,"line":414,"context":350},369,{"file":144,"line":416,"context":350},371,{"file":144,"line":418,"context":350},372,{"file":144,"line":420,"context":350},373,{"file":144,"line":422,"context":350},377,{"file":144,"line":424,"context":350},380,{"file":144,"line":426,"context":350},382,{"file":144,"line":428,"context":350},383,{"file":144,"line":430,"context":350},384,{"file":144,"line":432,"context":350},388,{"file":144,"line":434,"context":350},390,{"file":144,"line":436,"context":350},391,{"file":144,"line":438,"context":350},392,{"file":144,"line":440,"context":350},396,{"file":144,"line":442,"context":350},398,{"file":144,"line":444,"context":350},399,{"file":144,"line":446,"context":350},400,{"file":144,"line":448,"context":350},404,{"file":144,"line":450,"context":350},406,{"file":144,"line":452,"context":350},407,{"file":144,"line":454,"context":350},408,{"file":144,"line":456,"context":350},412,{"file":144,"line":458,"context":350},414,{"file":144,"line":458,"context":350},{"file":144,"line":461,"context":350},415,{"file":144,"line":463,"context":350},419,{"file":144,"line":465,"context":350},422,{"file":144,"line":467,"context":350},424,{"file":144,"line":469,"context":350},425,{"file":144,"line":471,"context":350},426,{"file":144,"line":473,"context":350},430,{"file":144,"line":475,"context":350},432,{"file":144,"line":477,"context":350},433,{"file":144,"line":479,"context":350},434,{"file":144,"line":481,"context":350},438,{"file":144,"line":483,"context":350},440,{"file":144,"line":485,"context":350},441,{"file":144,"line":487,"context":350},442,{"file":144,"line":489,"context":350},446,{"file":144,"line":491,"context":350},448,{"file":144,"line":493,"context":350},449,{"file":144,"line":495,"context":350},450,{"file":144,"line":497,"context":350},454,{"file":144,"line":499,"context":350},456,{"file":144,"line":501,"context":350},457,{"file":144,"line":503,"context":350},458,{"file":144,"line":505,"context":350},462,{"file":144,"line":507,"context":350},464,{"file":144,"line":509,"context":350},465,{"file":144,"line":511,"context":350},466,{"file":144,"line":513,"context":350},470,{"file":144,"line":515,"context":350},472,{"file":144,"line":517,"context":350},473,{"file":144,"line":519,"context":350},474,{"file":144,"line":521,"context":350},478,{"file":144,"line":523,"context":350},480,{"file":144,"line":525,"context":350},481,{"file":144,"line":527,"context":350},482,{"file":144,"line":529,"context":350},486,{"file":144,"line":531,"context":350},488,{"file":144,"line":533,"context":350},489,{"file":144,"line":535,"context":350},490,{"file":144,"line":537,"context":350},494,{"file":144,"line":539,"context":350},496,{"file":144,"line":541,"context":350},497,{"file":144,"line":543,"context":350},498,{"file":144,"line":545,"context":350},502,{"file":144,"line":547,"context":350},504,{"file":144,"line":549,"context":350},505,{"file":144,"line":551,"context":350},506,{"file":144,"line":553,"context":350},510,{"file":144,"line":555,"context":350},512,{"file":144,"line":557,"context":350},513,{"file":144,"line":559,"context":350},514,{"file":144,"line":561,"context":350},518,{"file":144,"line":563,"context":350},520,{"file":144,"line":565,"context":350},521,{"file":144,"line":567,"context":350},522,{"file":144,"line":569,"context":350},526,{"file":144,"line":571,"context":350},528,{"file":144,"line":573,"context":350},529,{"file":144,"line":575,"context":350},530,{"file":144,"line":577,"context":350},534,{"file":144,"line":579,"context":350},536,{"file":144,"line":581,"context":350},537,{"file":144,"line":583,"context":350},538,{"file":144,"line":585,"context":350},542,{"file":144,"line":587,"context":350},545,{"file":144,"line":589,"context":350},547,{"file":144,"line":591,"context":350},548,{"file":144,"line":593,"context":350},549,{"file":144,"line":595,"context":350},553,{"file":144,"line":597,"context":350},555,{"file":144,"line":599,"context":350},556,{"file":144,"line":601,"context":350},557,{"file":144,"line":603,"context":350},561,{"file":144,"line":605,"context":350},563,{"file":144,"line":607,"context":350},564,{"file":144,"line":609,"context":350},565,{"file":144,"line":611,"context":350},569,{"file":144,"line":613,"context":350},571,{"file":144,"line":615,"context":350},572,{"file":144,"line":617,"context":350},573,{"file":144,"line":619,"context":350},577,{"file":144,"line":621,"context":350},579,{"file":144,"line":623,"context":350},580,{"file":144,"line":625,"context":350},581,{"file":144,"line":627,"context":350},585,{"file":144,"line":629,"context":350},587,{"file":144,"line":631,"context":350},588,{"file":144,"line":633,"context":350},589,{"file":144,"line":635,"context":350},593,{"file":144,"line":637,"context":350},595,{"file":144,"line":639,"context":350},596,{"file":144,"line":641,"context":350},597,{"file":144,"line":643,"context":350},601,{"file":144,"line":645,"context":350},603,{"file":144,"line":647,"context":350},604,{"file":144,"line":649,"context":350},605,{"file":144,"line":651,"context":350},609,{"file":144,"line":653,"context":350},611,{"file":144,"line":655,"context":350},612,{"file":144,"line":657,"context":350},613,{"file":144,"line":659,"context":350},617,{"file":144,"line":661,"context":350},619,{"file":144,"line":663,"context":350},620,{"file":144,"line":665,"context":350},621,{"file":144,"line":667,"context":350},625,{"file":144,"line":669,"context":350},627,{"file":144,"line":671,"context":350},628,{"file":144,"line":673,"context":350},629,{"file":144,"line":675,"context":350},633,{"file":144,"line":677,"context":350},635,{"file":144,"line":679,"context":350},636,{"file":144,"line":681,"context":350},637,{"file":144,"line":683,"context":350},641,{"file":144,"line":685,"context":350},643,{"file":144,"line":687,"context":350},644,{"file":144,"line":689,"context":350},645,{"file":144,"line":691,"context":350},649,{"file":144,"line":693,"context":350},651,{"file":144,"line":695,"context":350},652,{"file":144,"line":697,"context":350},653,{"file":144,"line":699,"context":350},657,{"file":144,"line":701,"context":350},659,{"file":144,"line":703,"context":350},660,{"file":144,"line":705,"context":350},661,{"file":144,"line":707,"context":350},665,{"file":144,"line":709,"context":350},668,{"file":144,"line":711,"context":350},670,{"file":144,"line":713,"context":350},671,{"file":144,"line":715,"context":350},672,{"file":144,"line":717,"context":350},676,{"file":144,"line":719,"context":350},678,{"file":144,"line":721,"context":350},679,{"file":144,"line":723,"context":350},680,{"file":144,"line":725,"context":350},684,{"file":144,"line":727,"context":350},686,{"file":144,"line":729,"context":350},687,{"file":144,"line":731,"context":350},688,{"file":144,"line":733,"context":350},692,{"file":144,"line":735,"context":350},694,{"file":144,"line":737,"context":350},695,{"file":144,"line":739,"context":350},696,{"file":144,"line":741,"context":350},700,{"file":144,"line":743,"context":350},702,{"file":144,"line":745,"context":350},703,{"file":144,"line":747,"context":350},704,{"file":144,"line":749,"context":350},708,{"file":144,"line":751,"context":350},711,{"file":144,"line":753,"context":350},713,{"file":144,"line":755,"context":350},714,{"file":144,"line":757,"context":350},715,{"file":144,"line":759,"context":350},720,{"file":144,"line":761,"context":350},724,[],[],{"summary":765,"deductions":766},"The \"native-wp-cleaner\" v1.0 plugin exhibits a mixed security posture.  On the positive side, the static analysis reveals no dangerous functions, no raw SQL queries, and no file operations or external HTTP requests, which are common sources of vulnerabilities.  The absence of recorded vulnerabilities in its history also suggests a relatively stable past.\n\nHowever, a significant concern is the complete lack of output escaping. With 207 outputs identified and 0% properly escaped, this presents a substantial risk of Cross-Site Scripting (XSS) vulnerabilities.  Additionally, the absence of nonce checks and capability checks across all entry points (even though the attack surface is reported as zero) is concerning, as it implies a lack of proper authorization and protection against CSRF attacks if any entry points were to be discovered or introduced in future versions. The taint analysis returning no flows is positive but could also be influenced by the limited scope or nature of the code analyzed.\n\nIn conclusion, while the plugin avoids some common pitfalls, the pervasive lack of output escaping creates a high risk for XSS. The absence of authorization checks, though seemingly mitigated by a zero attack surface, warrants caution. The plugin's strength lies in its apparent avoidance of direct SQL injection or file manipulation risks, but the XSS risk is a critical weakness.",[767,770,773],{"reason":768,"points":769},"Output escaping is completely missing",15,{"reason":771,"points":772},"No nonce checks on entry points",5,{"reason":774,"points":772},"No capability checks on entry points","2026-03-16T21:39:42.729Z",{"wat":777,"direct":784},{"assetPaths":778,"generatorPatterns":779,"scriptPaths":780,"versionParams":781},[],[],[],[782,783],"native-wp-cleaner\u002Fstyle.css?ver=","native-wp-cleaner\u002Fscript.js?ver=",{"cssClasses":785,"htmlComments":786,"htmlAttributes":787,"restEndpoints":788,"jsGlobals":789,"shortcodeOutput":790},[],[],[],[],[331],[791],"\u003Cp style=\"visibility:hidden;height:1px;\">\u003Clabel for=\"username-login\">Name\u003Cbr>\u003Cinput type=\"text\" name=\"username-login\" value=\"\"\u002F>\u003C\u002Flabel>\u003C\u002Fp>"]