[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fU8bYHJL4SDUcFMPMCtrEyYlK-68UeFzkKkUJwqVz0Dw":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":23,"download_link":24,"security_score":25,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28,"vulnerabilities":29,"developer":30,"crawl_stats":27,"alternatives":36,"analysis":132,"fingerprints":451},"network-mass-email","Network Mass Email","1.5","Kenny Zaron","https:\u002F\u002Fprofiles.wordpress.org\u002Fkzaron\u002F","\u003Cp>This plugin allows for network administrators on WordPress multisite environments to send an email to users that\u003Cbr \u002F>\nthey select based on the users’ roles in individual sites. For example, checking only “editors” will go through\u003Cbr \u002F>\neach active site and add anyone with the role of “editor” to your list of emails to send to.\u003C\u002Fp>\n\u003Cp>To use the plugin after installation & activation, find Users \u002F Mass Email in the network admin dashboard in your\u003Cbr \u002F>\nmultisite install. Then, select the user types you wish to email and click on the button for “Load the List”. This\u003Cbr \u002F>\nwill load the list of users to email. Then you may compose your email in the boxes provided and click the send\u003Cbr \u002F>\nbutton at the bottom of the screen. If all goes well you will be presented with a confirmation page indicating\u003Cbr \u002F>\nthat your email was sent successfully.\u003C\u002Fp>\n\u003Cp>This plugin is NOT intended for administrators to be sending unsolicited spam to their users. In fact, it was\u003Cbr \u002F>\ncreated with more formal environments in mind. 
One example would be a University setting where administrators\u003Cbr \u002F>\nof the network may need to notify students and faculty of potential downtime. With the plugin’s implementation\u003Cbr \u002F>\nI would imagine it would be a highly inefficient way of sending spam anyway.\u003C\u002Fp>\n","Allows network admins to send a manually created notification email to all registered users based on user role.",10,4674,86,4,"2013-01-23T16:39:00.000Z","3.5.2","3.3","",[20,21,22],"email","multisite","network","http:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Fnetwork-mass-email\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnetwork-mass-email.1.5.zip",85,0,null,"2026-03-15T15:16:48.613Z",[],{"slug":31,"display_name":7,"profile_url":8,"plugin_count":32,"total_installs":11,"avg_security_score":25,"avg_patch_time_days":33,"trust_score":34,"computed_at":35},"kzaron",1,30,84,"2026-04-04T05:26:10.606Z",[37,58,78,98,116],{"slug":38,"name":39,"version":40,"author":41,"author_profile":42,"description":43,"short_description":44,"active_installs":45,"downloaded":46,"rating":47,"num_ratings":48,"last_updated":49,"tested_up_to":50,"requires_at_least":51,"requires_php":18,"tags":52,"homepage":55,"download_link":56,"security_score":34,"vuln_count":32,"unpatched_count":26,"last_vuln_date":57,"fetched_at":28},"unconfirmed","Unconfirmed","1.3.7","Boone Gorges","https:\u002F\u002Fprofiles.wordpress.org\u002Fboonebgorges\u002F","\u003Cp>If you run a WordPress or BuddyPress installation, you probably know that some of the biggest administrative headaches come from the activation process. Activation emails may be caught by spam filters, deleted unwillingly, or simply not understood. Yet WordPress itself has no UI for viewing and managing unactivated members.\u003C\u002Fp>\n\u003Cp>Unconfirmed creates a Dashboard panel under the Users menu (Network Admin > Users on Multisite) that shows a list of unactivated user registrations. 
For each registration, you have the option of resending the original activation email, or manually activating the user.\u003C\u002Fp>\n\u003Cp>Note that the plugin works for the following configurations:\u003Cbr \u002F>\n1. Multisite, with or without BuddyPress\u003Cbr \u002F>\n2. Single site, with BuddyPress used for user registration\u003C\u002Fp>\n\u003Cp>There is currently no support for single-site WP registration without BuddyPress.\u003C\u002Fp>\n","Allows WordPress admins to manage unactivated users, by activating them manually, deleting their pending registrations, or resending the activation em &hellip;",2000,246166,90,47,"2023-12-04T19:58:00.000Z","6.4.8","3.1",[53,54,20,21,22],"activate","activation","http:\u002F\u002Fgithub.com\u002Fboonebgorges\u002Funconfirmed","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Funconfirmed.1.3.7.zip","2014-04-11 00:00:00",{"slug":59,"name":60,"version":61,"author":62,"author_profile":63,"description":64,"short_description":65,"active_installs":66,"downloaded":67,"rating":26,"num_ratings":26,"last_updated":68,"tested_up_to":69,"requires_at_least":70,"requires_php":71,"tags":72,"homepage":76,"download_link":77,"security_score":25,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28},"metro-share-widget","Metro Share Widget","1.0.1","WPManiax","https:\u002F\u002Fprofiles.wordpress.org\u002Fwpmaniax\u002F","\u003Cp>This plugin adds \u003Cstrong>Metro style social share widget\u003C\u002Fstrong> to your sidebar.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>5 most popular\u003C\u002Fstrong> social networks supported.\u003C\u002Fp>\n\u003Cp>Metro Share Widget is super easy to install and configure.\u003C\u002Fp>\n\u003Cp>More \u003Ca href=\"http:\u002F\u002Fwww.wpmaniax.com\u002Fmetro-share-widget\u002F\" rel=\"nofollow ugc\">screenshots and live sample\u003C\u002Fa> you can see on plugin’s home page\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Main 
Features:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Easy to install and configure\u003C\u002Fli>\n\u003Cli>Most popular social networks supported (Facebook, Twitter, Google Plus, LinkedIn, Reddit )\u003C\u002Fli>\n\u003Cli>Fully responsive\u003C\u002Fli>\n\u003Cli>Configure where to show (posts, pages, home)\u003C\u002Fli>\n\u003Cli>Metro style elegant design\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Feedback\u003C\u002Fh3>\n\u003Cp>http:\u002F\u002Fwww.wpmaniax.com\u002Fmetro-share-widget\u002F\u003C\u002Fp>\n","Add Metro style social share widget to your sidebar. 5 most popular social networks supported",100,4010,"2017-11-09T10:45:00.000Z","4.9.29","3.6","5.4",[73,74,20,75,22],"bookmark","e-mail","link","http:\u002F\u002Fwww.wpmaniax.com\u002Fmetro-share-widget","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmetro-share-widget.1.0.1.zip",{"slug":79,"name":80,"version":81,"author":82,"author_profile":83,"description":84,"short_description":85,"active_installs":66,"downloaded":86,"rating":66,"num_ratings":87,"last_updated":88,"tested_up_to":89,"requires_at_least":90,"requires_php":18,"tags":91,"homepage":95,"download_link":96,"security_score":97,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28},"network-username-restrictions-override","Network Username Restrictions Override","1.3","Daniel Westermann-Clark","https:\u002F\u002Fprofiles.wordpress.org\u002Fdwc\u002F","\u003Cp>By default, WordPress network usernames cannot contain anything but lowercase letters and numbers. This plugin adds network options to let you include hyphens, underscores, or uppercase letters, if desired.\u003C\u002Fp>\n\u003Cp>Furthermore, this plugin gives you the option to allow email addresses as usernames, or to allow all-numeric usernames (e.g. 
“1234”).\u003C\u002Fp>\n\u003Cp>Finally, this plugin lets you override the minimum length for usernames (which defaults to four characters).\u003C\u002Fp>\n\u003Cp>To follow updates to this plugin, visit:\u003C\u002Fp>\n\u003Cp>https:\u002F\u002Fdanieltwc.com\u002F\u003C\u002Fp>\n\u003Cp>For help with this version, visit:\u003C\u002Fp>\n\u003Cp>https:\u002F\u002Fdanieltwc.com\u002F2011\u002Fnetwork-username-restrictions-override-1-0\u002F\u003C\u002Fp>\n","Override restrictions on WordPress network usernames.",10464,2,"2024-04-24T14:02:00.000Z","6.5.8","3.4",[92,93,21,22,94],"admin","authentication","wpmu","https:\u002F\u002Fdanieltwc.com\u002F2011\u002Fnetwork-username-restrictions-override-1-0\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnetwork-username-restrictions-override.1.3.zip",92,{"slug":99,"name":100,"version":101,"author":102,"author_profile":103,"description":104,"short_description":105,"active_installs":66,"downloaded":106,"rating":97,"num_ratings":107,"last_updated":108,"tested_up_to":69,"requires_at_least":109,"requires_php":18,"tags":110,"homepage":18,"download_link":115,"security_score":25,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28},"plugin-activation-status","Plugin Activation Status","1.0.2.1","Curtiss Grymala","https:\u002F\u002Fprofiles.wordpress.org\u002Fcgrymala\u002F","\u003Cp>Plugin Activation Status makes it easier for owners of multisite and multi-network WordPress installations to perform plugin audits on their installations. The plugin generates a list of plugins that are not currently active on any sites or networks. It generates a separate list of plugins that are active somewhere within the installation, and provides details about where and how those plugins are activated.\u003C\u002Fp>\n\u003Cp>This plugin first retrieves a full list of all of the plugins that are network-activated throughout your installation. 
Then, it loops through all of the sites in your installation, retrieving a list of all of the active plugins on each site. Next, it runs a diff between the full list of installed plugins and the list of all active plugins.\u003C\u002Fp>\n\u003Cp>Once it retrieves all of that information, it outputs two separate lists.\u003C\u002Fp>\n\u003Cp>The first list is the list of Inactive Plugins; all plugins that are installed, but not activated anywhere within WordPress will be listed there. The second list shows all of the Active Plugins; all plugins that are installed and activated somewhere within WordPress are shown there.\u003C\u002Fp>\n\u003Cp>Within the Active Plugins list, each plugin also has a list of all of the places the plugin is active (at the top, a list of all of the places it’s network-active; at the bottom, all of the places it’s normally-activated).\u003C\u002Fp>\n\u003Cp>When the plugin generates the lists of plugins, it stores those lists as site options in the database, so the lists can be retrieved for reference without using any additional server resources. 
If you would like to remove those cached lists and generate new lists, you simply have to click the Continue button on the admin page.\u003C\u002Fp>\n","Scans a multisite or multi-network installation to identify all plugins that are active or not.",26167,14,"2018-04-03T19:04:00.000Z","3.8",[111,112,21,113,114],"active","multi-network","network-active","plugins","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fplugin-activation-status.1.0.2.1.zip",{"slug":117,"name":118,"version":119,"author":120,"author_profile":121,"description":122,"short_description":123,"active_installs":47,"downloaded":124,"rating":66,"num_ratings":87,"last_updated":125,"tested_up_to":16,"requires_at_least":126,"requires_php":18,"tags":127,"homepage":130,"download_link":131,"security_score":25,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28},"wp-over-network","WP Over Network","0.4.4","yuka2py","https:\u002F\u002Fprofiles.wordpress.org\u002Fyuka2py\u002F","\u003Cp>Add ability to get posts from over your network sites. Supports widget, shortcode, and customizable original function.\u003C\u002Fp>\n\u003Cp>Use the following:\u003C\u002Fp>\n\u003Ch4>In template\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>\u003C?php \n\nget_header();\nthe_post();\n\n?>\n\u003Csection id=\"content-primary\">\n        \u003Cheader id=\"page-header\">\n                \u003Ch1>\u003C?php the_title() ?>\u003C\u002Fh1>\n        \u003C\u002Fheader>\n\u003C?php\n\n\u002F\u002F Getting recent posts the page and post, minus the host blog.\n\u002F\u002F Specify the \"affect_wp_query = true\", for using the wp_pagenavi.\n$posts = wponw::get_posts('exclude_blog_ids=1&post_type=post,page&affect_wp_query=true');\n\nwp_pagenavi();\n\n?>\n\u003C?php if ( ! 
empty ( $posts ) ) : ?>\n        \u003Csection class=\"post-list\">\n\u003C?php\n        foreach ( $posts as $post ) :\n                wponw::setup_blog_and_postdata( $post );\n?>\n                \u003Csection id=\"post-\u003C?php the_ID() ?>\" \u003C?php post_class() ?>>\n                        \u003Ch2>【\u003C?php echo $post->blog_name ?>】\u003C\u002Fh2>\n                        \u003Ch1>\u003Ca href=\"\u003C?php the_permalink() ?>\">\u003C?php the_title() ?>\u003C\u002Fa>\u003C\u002Fh1>\n                        \u003C?php echo get_the_excerpt() ?>\n                \u003C\u002Fsection>\n\u003C?php\n                wponw::restore_blog_and_postdata();\n        endforeach;\n?>\n        \u003C\u002Fsection>\n\u003C?php else : ?>\n        \u003Cp>Sorry, there is no post.\u003C\u002Fp>\n\u003C?php endif; # End of empty( $posts ) ?>\n\n\u003C\u002Fsection>\n\u003C?php\n\nwp_reset_query();\nget_sidebar();\nget_footer();\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Using as Shortcode\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Display with default.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[wponw_recent_post_list]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Arguments, can be used the same as \u003Ccode>wponw::render_post_archive_to_string\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Use your template file, includes 3 post types\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[wponw_recent_post_list numberposts=8 post_type=products,promotions,information template=TemplateFileNameInYourTheme]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>NOTICE: DON’T include the file extension in TemplateFileNameInYourTheme.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>If you want to use your own rendering function.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[wponw_recent_post_list numberposts=5 post_type=products renderer=YourRenderFunction]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>To create an archive page with a 
page.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>You create the new page, and write the below shortcode in the post content.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[wponw_recent_post_list post_type=post exclude_blog_ids=1 affect_wp_query=true]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Contact\u003C\u002Fh3>\n\u003Cp>@yuka2py on twitter\u003C\u002Fp>\n","Add ability to get posts from over your network sites. Supports widget, shortcode, and customizable original function.",6272,"2013-07-28T02:40:00.000Z","3.5",[128,21,22,129],"blogs","posts","https:\u002F\u002Fgithub.com\u002Fyuka2py\u002Fwp_over_network","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-over-network.0.4.4.zip",{"attackSurface":133,"codeSignals":149,"taintFlows":234,"riskAssessment":436,"analyzedAt":450},{"hooks":134,"ajaxHandlers":145,"restRoutes":146,"shortcodes":147,"cronEvents":148,"entryPointCount":26,"unprotectedCount":26},[135,141],{"type":136,"name":137,"callback":138,"file":139,"line":140},"action","network_admin_menu","nme_add_menu","network-mass-email.php",129,{"type":136,"name":137,"callback":142,"file":143,"line":144},"nmef_add_menu","templates.php",127,[],[],[],[],{"dangerousFunctions":150,"sqlUsage":151,"outputEscaping":182,"fileOperations":26,"externalRequests":26,"nonceChecks":26,"capabilityChecks":26,"bundledLibraries":233},[],{"prepared":152,"raw":153,"locations":154},5,12,[155,158,161,164,166,168,170,172,174,176,178,180],{"file":139,"line":156,"context":157},53,"$wpdb->get_var() with variable interpolation",{"file":139,"line":159,"context":160},55,"$wpdb->get_row() with variable interpolation",{"file":139,"line":162,"context":163},232,"$wpdb->get_results() with variable 
interpolation",{"file":139,"line":165,"context":157},324,{"file":139,"line":167,"context":157},336,{"file":143,"line":169,"context":157},37,{"file":143,"line":171,"context":160},39,{"file":143,"line":173,"context":157},78,{"file":143,"line":175,"context":157},104,{"file":143,"line":177,"context":157},190,{"file":143,"line":179,"context":157},215,{"file":143,"line":181,"context":157},228,{"escaped":26,"rawEcho":183,"locations":184},26,[185,188,190,192,194,196,198,199,200,202,204,206,208,210,212,213,214,215,217,219,221,223,225,227,229,231],{"file":139,"line":186,"context":187},106,"raw output",{"file":139,"line":189,"context":187},107,{"file":139,"line":191,"context":187},115,{"file":139,"line":193,"context":187},124,{"file":139,"line":195,"context":187},143,{"file":139,"line":197,"context":187},210,{"file":139,"line":197,"context":187},{"file":139,"line":179,"context":187},{"file":139,"line":201,"context":187},218,{"file":139,"line":203,"context":187},219,{"file":139,"line":205,"context":187},222,{"file":139,"line":207,"context":187},223,{"file":139,"line":209,"context":187},283,{"file":139,"line":211,"context":187},312,{"file":139,"line":211,"context":187},{"file":139,"line":211,"context":187},{"file":139,"line":211,"context":187},{"file":143,"line":216,"context":187},137,{"file":143,"line":218,"context":187},142,{"file":143,"line":220,"context":187},154,{"file":143,"line":222,"context":187},155,{"file":143,"line":224,"context":187},156,{"file":143,"line":226,"context":187},159,{"file":143,"line":228,"context":187},160,{"file":143,"line":230,"context":187},161,{"file":143,"line":232,"context":187},182,[],[235,265,279,296,316,351,366,384],{"entryPoint":236,"graph":237,"unsanitizedCount":263,"severity":264},"nme_menu_page 
(network-mass-email.php:147)",{"nodes":238,"edges":258},[239,243,248,251,253,256],{"id":240,"type":241,"label":242,"file":139,"line":197},"n0","source","$_POST['emailfrom']",{"id":244,"type":245,"label":246,"file":139,"line":197,"wp_function":247},"n1","sink","echo() [XSS]","echo",{"id":249,"type":241,"label":250,"file":139,"line":205},"n2","$_POST['emailsubject']",{"id":252,"type":245,"label":246,"file":139,"line":205,"wp_function":247},"n3",{"id":254,"type":241,"label":255,"file":139,"line":207},"n4","$_POST['emailmessage']",{"id":257,"type":245,"label":246,"file":139,"line":207,"wp_function":247},"n5",[259,261,262],{"from":240,"to":244,"sanitized":260},false,{"from":249,"to":252,"sanitized":260},{"from":254,"to":257,"sanitized":260},3,"medium",{"entryPoint":266,"graph":267,"unsanitizedCount":153,"severity":264},"nmef_savetemplate (templates.php:55)",{"nodes":268,"edges":276},[269,272,275],{"id":240,"type":241,"label":270,"file":143,"line":271},"$_POST (x12)",64,{"id":244,"type":273,"label":274,"file":143,"line":271},"transform","→ nmef_pagecontent()",{"id":249,"type":245,"label":246,"file":143,"line":220,"wp_function":247},[277,278],{"from":240,"to":244,"sanitized":260},{"from":244,"to":249,"sanitized":260},{"entryPoint":280,"graph":281,"unsanitizedCount":263,"severity":264},"nmef_pagecontent 
(templates.php:145)",{"nodes":282,"edges":292},[283,285,286,288,289,291],{"id":240,"type":241,"label":284,"file":143,"line":226},"$_POST['templatename']",{"id":244,"type":245,"label":246,"file":143,"line":226,"wp_function":247},{"id":249,"type":241,"label":287,"file":143,"line":228},"$_POST['subject']",{"id":252,"type":245,"label":246,"file":143,"line":228,"wp_function":247},{"id":254,"type":241,"label":290,"file":143,"line":230},"$_POST['message']",{"id":257,"type":245,"label":246,"file":143,"line":230,"wp_function":247},[293,294,295],{"from":240,"to":244,"sanitized":260},{"from":249,"to":252,"sanitized":260},{"from":254,"to":257,"sanitized":260},{"entryPoint":297,"graph":298,"unsanitizedCount":152,"severity":315},"nme_decider (network-mass-email.php:41)",{"nodes":299,"edges":311},[300,302,305,308,310],{"id":240,"type":241,"label":301,"file":139,"line":159},"$_POST['selecttemplate']",{"id":244,"type":245,"label":303,"file":139,"line":159,"wp_function":304},"get_row() [SQLi]","get_row",{"id":249,"type":241,"label":306,"file":139,"line":307},"$_POST (x4)",65,{"id":252,"type":273,"label":309,"file":139,"line":307},"→ nme_menu_page()",{"id":254,"type":245,"label":246,"file":139,"line":201,"wp_function":247},[312,313,314],{"from":240,"to":244,"sanitized":260},{"from":249,"to":252,"sanitized":260},{"from":252,"to":254,"sanitized":260},"high",{"entryPoint":317,"graph":318,"unsanitizedCount":153,"severity":315},"\u003Cnetwork-mass-email> (network-mass-email.php:0)",{"nodes":319,"edges":343},[320,321,322,323,324,327,328,330,332,334,336,339,341],{"id":240,"type":241,"label":301,"file":139,"line":159},{"id":244,"type":245,"label":303,"file":139,"line":159,"wp_function":304},{"id":249,"type":241,"label":242,"file":139,"line":197},{"id":252,"type":245,"label":246,"file":139,"line":197,"wp_function":247},{"id":254,"type":241,"label":325,"file":139,"line":326},"$_POST 
(x2)",95,{"id":257,"type":245,"label":246,"file":139,"line":201,"wp_function":247},{"id":329,"type":241,"label":250,"file":139,"line":205},"n6",{"id":331,"type":245,"label":246,"file":139,"line":205,"wp_function":247},"n7",{"id":333,"type":241,"label":255,"file":139,"line":207},"n8",{"id":335,"type":245,"label":246,"file":139,"line":207,"wp_function":247},"n9",{"id":337,"type":241,"label":338,"file":139,"line":307},"n10","$_POST (x6)",{"id":340,"type":273,"label":309,"file":139,"line":307},"n11",{"id":342,"type":245,"label":246,"file":139,"line":201,"wp_function":247},"n12",[344,345,346,347,348,349,350],{"from":240,"to":244,"sanitized":260},{"from":249,"to":252,"sanitized":260},{"from":254,"to":257,"sanitized":260},{"from":329,"to":331,"sanitized":260},{"from":333,"to":335,"sanitized":260},{"from":337,"to":340,"sanitized":260},{"from":340,"to":342,"sanitized":260},{"entryPoint":352,"graph":353,"unsanitizedCount":365,"severity":315},"nmef_loadonetemplate (templates.php:29)",{"nodes":354,"edges":361},[355,356,357,359,360],{"id":240,"type":241,"label":301,"file":143,"line":171},{"id":244,"type":245,"label":303,"file":143,"line":171,"wp_function":304},{"id":249,"type":241,"label":338,"file":143,"line":358},46,{"id":252,"type":273,"label":274,"file":143,"line":358},{"id":254,"type":245,"label":246,"file":143,"line":220,"wp_function":247},[362,363,364],{"from":240,"to":244,"sanitized":260},{"from":249,"to":252,"sanitized":260},{"from":252,"to":254,"sanitized":260},7,{"entryPoint":367,"graph":368,"unsanitizedCount":263,"severity":315},"nmef_deletetemplate (templates.php:100)",{"nodes":369,"edges":380},[370,373,376,378,379],{"id":240,"type":241,"label":371,"file":143,"line":372},"$_POST",103,{"id":244,"type":245,"label":374,"file":143,"line":186,"wp_function":375},"query() 
[SQLi]","query",{"id":249,"type":241,"label":325,"file":143,"line":377},118,{"id":252,"type":273,"label":274,"file":143,"line":377},{"id":254,"type":245,"label":246,"file":143,"line":220,"wp_function":247},[381,382,383],{"from":240,"to":244,"sanitized":260},{"from":249,"to":252,"sanitized":260},{"from":252,"to":254,"sanitized":260},{"entryPoint":385,"graph":386,"unsanitizedCount":435,"severity":315},"\u003Ctemplates> (templates.php:0)",{"nodes":387,"edges":422},[388,389,390,391,392,393,394,395,396,397,398,399,400,402,404,406,409,412,414,417,420],{"id":240,"type":241,"label":301,"file":143,"line":171},{"id":244,"type":245,"label":303,"file":143,"line":171,"wp_function":304},{"id":249,"type":241,"label":325,"file":143,"line":372},{"id":252,"type":245,"label":374,"file":143,"line":186,"wp_function":375},{"id":254,"type":241,"label":338,"file":143,"line":372},{"id":257,"type":245,"label":246,"file":143,"line":216,"wp_function":247},{"id":329,"type":241,"label":284,"file":143,"line":226},{"id":331,"type":245,"label":246,"file":143,"line":226,"wp_function":247},{"id":333,"type":241,"label":287,"file":143,"line":228},{"id":335,"type":245,"label":246,"file":143,"line":228,"wp_function":247},{"id":337,"type":241,"label":290,"file":143,"line":230},{"id":340,"type":245,"label":246,"file":143,"line":230,"wp_function":247},{"id":342,"type":241,"label":401,"file":143,"line":358},"$_POST (x24)",{"id":403,"type":273,"label":274,"file":143,"line":358},"n13",{"id":405,"type":245,"label":246,"file":143,"line":220,"wp_function":247},"n14",{"id":407,"type":241,"label":371,"file":143,"line":408},"n15",147,{"id":410,"type":273,"label":411,"file":143,"line":408},"n16","→ nmef_error_msg()",{"id":413,"type":245,"label":246,"file":143,"line":216,"wp_function":247},"n17",{"id":415,"type":241,"label":371,"file":143,"line":416},"n18",148,{"id":418,"type":273,"label":419,"file":143,"line":416},"n19","→ 
nmef_update_msg()",{"id":421,"type":245,"label":246,"file":143,"line":218,"wp_function":247},"n20",[423,424,425,426,427,428,429,430,431,432,433,434],{"from":240,"to":244,"sanitized":260},{"from":249,"to":252,"sanitized":260},{"from":254,"to":257,"sanitized":260},{"from":329,"to":331,"sanitized":260},{"from":333,"to":335,"sanitized":260},{"from":337,"to":340,"sanitized":260},{"from":342,"to":403,"sanitized":260},{"from":403,"to":405,"sanitized":260},{"from":407,"to":410,"sanitized":260},{"from":410,"to":413,"sanitized":260},{"from":415,"to":418,"sanitized":260},{"from":418,"to":421,"sanitized":260},38,{"summary":437,"deductions":438},"The plugin 'network-mass-email' v1.5 presents a concerning security posture despite having no recorded vulnerabilities in its history. The static analysis reveals a significant weakness in output escaping, with 0% of the 26 identified outputs being properly escaped. This indicates a high risk of Cross-Site Scripting (XSS) vulnerabilities, where malicious scripts could be injected into the user interface via the plugin's outputs. Furthermore, the taint analysis identified 5 high-severity flows with unsanitized paths, suggesting potential for data manipulation or unauthorized access if these paths are triggered through user input. While the plugin has no known CVEs and a relatively low number of SQL queries, the complete absence of nonce checks and capability checks, combined with the output escaping issues and taint analysis findings, creates a substantial attack surface that could be exploited. The lack of these fundamental security checks on entry points (though stated as 0, this might be an artifact of analysis or very limited functionality) is a critical oversight. 
In conclusion, while the plugin boasts a clean vulnerability history, the static analysis points to critical underlying security flaws that require immediate attention to mitigate XSS and other potential data-related vulnerabilities.",[439,442,444,446,448],{"reason":440,"points":441},"High severity taint flows with unsanitized paths",15,{"reason":443,"points":11},"0% properly escaped output",{"reason":445,"points":152},"Missing nonce checks",{"reason":447,"points":152},"Missing capability checks",{"reason":449,"points":263},"Raw SQL queries (29% prepared)","2026-03-17T01:31:18.224Z",{"wat":452,"direct":458},{"assetPaths":453,"generatorPatterns":455,"scriptPaths":456,"versionParams":457},[454],"\u002Fwp-content\u002Fplugins\u002Fnetwork-mass-email\u002Ficon.png",[],[],[],{"cssClasses":459,"htmlComments":461,"htmlAttributes":464,"restEndpoints":472,"jsGlobals":473,"shortcodeOutput":474},[460],"nmeerror",[462,463],"Copyright 2012  Kenny Zaron (email: kzaron@gmail.com)","Mail Icon(s) courtesy of: http:\u002F\u002Fwww.iconhot.com\u002Ficon\u002Fandroid-style-icons-r1\u002Fmail-64.html",[465,466,467,468,469,470,471],"name=\"massemailform\"","id=\"nmeerror\"","name=\"emailssent\"","id=\"emailssent\"","name=\"allincsubs\"","id=\"allincsubs\"","name=\"allb",[],[],[]]