[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fmHqtnYCXNlEbWYZrEWu5jsjzgiSZ4qyTPLlzCwLEiOI":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":21,"download_link":22,"security_score":23,"vuln_count":14,"unpatched_count":24,"last_vuln_date":25,"fetched_at":26,"vulnerabilities":27,"developer":44,"crawl_stats":33,"alternatives":49,"analysis":50,"fingerprints":107},"neon-text","Neon text","1.3","ERALION","https:\u002F\u002Fprofiles.wordpress.org\u002Ffreeben\u002F","\u003Cp>Plugin for neon text effect.\u003Cbr \u002F>\nNeon text allows you to create easily shortcode to customize your pages and posts with neon text effect. The shortcode generator helps you through the options for the shortcode.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.eralion.com\u002Fexpert-wordpress\u002F#plugin_wordpress_neon_text\" rel=\"nofollow ugc\">DEMO\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>This plugin uses chuckyglitch’s jQuery script “novacancy” (https:\u002F\u002Fgithub.com\u002Fchuckyglitch\u002Fnovacancy.js) and makes it easy to use with shortcodes.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Available options :\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>reblinkProbability: probability of reblink(0 to 1), Number, optional, default: (1\u002F3)\u003C\u002Fli>\n\u003Cli>blinkMin: time(sec.) of minimum blink, Number, optional, default: 0.01\u003C\u002Fli>\n\u003Cli>blinkMax: time(sec.) of maximum blink, Number, optional, default: 0.5\u003C\u002Fli>\n\u003Cli>loopMin: time(sec.) of minimum trigger blink, Number, optional, default: 0.5\u003C\u002Fli>\n\u003Cli>loopMax: time(sec.) of maximum trigger blink, Number, optional, default: 2\u003C\u002Fli>\n\u003Cli>color: colors, String, optional default: ‘ORANGE’\u003C\u002Fli>\n\u003Cli>glow: array of text-shadow colors, Array, optional, default: ‘0 0 80px Orange’, ‘0 0 30px Red’, ‘0 0 6px Yellow’\u003C\u002Fli>\n\u003Cli>off: amount of off chars, Number, optional, default: 0\u003C\u002Fli>\n\u003Cli>blink: amount of blink chars, Number, optional, default: 0, (0 means all chars)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>If you have a problem, you can \u003Ca href=\"https:\u002F\u002Fwww.eralion.com\u002Fcontact\u002F\" rel=\"nofollow ugc\">contact me\u003C\u002Fa>.\u003C\u002Fp>\n","Plugin for neon text effect.",200,5202,100,1,"2023-10-26T07:58:00.000Z","6.3.8","4.1","5.4",[20],"animated-counters","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fneon-text.zip",85,0,"2023-10-26 00:00:00","2026-03-15T15:16:48.613Z",[28],{"id":29,"url_slug":30,"title":31,"description":32,"plugin_slug":4,"theme_slug":33,"affected_versions":34,"patched_in_version":35,"severity":36,"cvss_score":37,"cvss_vector":38,"vuln_type":39,"published_date":25,"updated_date":40,"references":41,"days_to_patch":43},"CVE-2023-5817","neon-text-authenticated-contributor-stored-cross-site-scripting","Neon text \u003C= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Neon text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's neontext_box shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes (color). This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",null,"\u003C=1.1","1.2","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2024-01-22 19:56:02",[42],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff9998485-e272-48fc-b2f1-9e30158d0d16?source=api-prod",89,{"slug":45,"display_name":7,"profile_url":8,"plugin_count":46,"total_installs":11,"avg_security_score":23,"avg_patch_time_days":43,"trust_score":47,"computed_at":48},"freeben",2,78,"2026-04-04T15:31:40.801Z",[],{"attackSurface":51,"codeSignals":79,"taintFlows":93,"riskAssessment":94,"analyzedAt":106},{"hooks":52,"ajaxHandlers":67,"restRoutes":68,"shortcodes":69,"cronEvents":78,"entryPointCount":46,"unprotectedCount":24},[53,59,63],{"type":54,"name":55,"callback":56,"file":57,"line":58},"action","plugins_loaded","neontext_init","neon-text.php",11,{"type":54,"name":60,"callback":61,"file":57,"line":62},"wp_enqueue_scripts","neontext_add_scripts",25,{"type":54,"name":64,"callback":65,"file":57,"line":66},"admin_menu","neontext_menu",72,[],[],[70,74],{"tag":71,"callback":72,"file":57,"line":73},"neontext","neontext_shortcode",62,{"tag":75,"callback":76,"file":57,"line":77},"neontext_box","neontext_box_shortcode",67,[],{"dangerousFunctions":80,"sqlUsage":81,"outputEscaping":83,"fileOperations":24,"externalRequests":24,"nonceChecks":24,"capabilityChecks":24,"bundledLibraries":92},[],{"prepared":24,"raw":24,"locations":82},[],{"escaped":24,"rawEcho":84,"locations":85},3,[86,89,90],{"file":57,"line":87,"context":88},91,"raw output",{"file":57,"line":13,"context":88},{"file":57,"line":91,"context":88},115,[],[],{"summary":95,"deductions":96},"The neon-text plugin version 1.3 exhibits a mixed security posture. On the positive side, the static analysis reveals no dangerous function calls, no raw SQL queries (all use prepared statements), no file operations, no external HTTP requests, and no bundled libraries. This suggests an effort to adhere to secure coding practices in these areas. The absence of AJAX handlers and REST API routes, along with zero unprotected entry points, is also a good sign, minimizing common attack vectors.\n\nHowever, a significant concern arises from the output escaping. With 3 total outputs and 0% properly escaped, this indicates a high likelihood of Cross-Site Scripting (XSS) vulnerabilities. This is further corroborated by the vulnerability history, which shows one past CVE specifically related to XSS, and the fact that this vulnerability was only recently patched. The absence of nonce and capability checks on the identified entry points (shortcodes) also presents a risk, as it potentially allows for unauthorized actions or data manipulation if these shortcodes accept user-controlled input.\n\nIn conclusion, while the plugin has strengths in its avoidance of dangerous functions and raw SQL, the critical lack of output escaping and the historical pattern of XSS vulnerabilities are substantial weaknesses. The absence of authentication checks on shortcodes adds another layer of concern. Users should be particularly wary of the XSS risk until this is definitively addressed and verified.",[97,100,103],{"reason":98,"points":99},"0% output escaping",8,{"reason":101,"points":102},"No capability checks on entry points",5,{"reason":104,"points":105},"Past XSS vulnerability",7,"2026-03-16T20:25:53.541Z",{"wat":108,"direct":119},{"assetPaths":109,"generatorPatterns":113,"scriptPaths":114,"versionParams":115},[110,111,112],"\u002Fwp-content\u002Fplugins\u002Fneon-text\u002Fcss\u002Fapp.css","\u002Fwp-content\u002Fplugins\u002Fneon-text\u002Fjs\u002Fjquery.novacancy.min.js","\u002Fwp-content\u002Fplugins\u002Fneon-text\u002Fjs\u002Fapp.js",[],[111,112],[116,117,118],"neon-text\u002Fcss\u002Fapp.css?ver=","neon-text\u002Fjs\u002Fjquery.novacancy.min.js?ver=","neon-text\u002Fjs\u002Fapp.js?ver=",{"cssClasses":120,"htmlComments":125,"htmlAttributes":126,"restEndpoints":136,"jsGlobals":137,"shortcodeOutput":138},[121,122,123,124],"novacancy","nbneontext","board_wrap","board",[],[127,128,129,130,131,132,133,134,135],"novacancy-id","data-color","data-reblinkProbability","data-blinkMin","data-blinkMax","data-loopMin","data-loopMax","data-glow","data-off",[],[122],[139,140,141,142,143],"\u003Cspan id=\"nbneontext_","class=\"nbneontext\"","\u003Cdata class=\"novacancy on\">","\u003Cdiv class=\"board_wrap\">\u003Cdiv class=\"board\">\u003Ch1>","\u003C\u002Fh1>\u003C\u002Fdiv>\u003C\u002Fdiv>"]