[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fpKudgC-MjFIn6834lYMSkG40Etyl9cM-ZoKgGXyqiOc":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":24,"download_link":25,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28,"vulnerabilities":29,"developer":30,"crawl_stats":27,"alternatives":36,"analysis":120,"fingerprints":647},"nis2-compliance","NIS2 Compliance","1.5.2","Babini Mazzari","https:\u002F\u002Fprofiles.wordpress.org\u002Fbabinimazzari\u002F","\u003Cp>NIS2 provides activity logging, file integrity monitoring, access protection and vulnerability scanning to help sites comply with the EU NIS2 directive.\u003C\u002Fp>\n\u003Ch3>NIS2 Compliance: The 1st WordPress NIS2 Plugin\u003C\u002Fh3>\n\u003Cp>NIS2 is the second iteration of the EU’s Network and Information Security (NIS) directive, a primary cybersecurity law that expands the scope of the original NIS directive to cover more sectors and entities, such as energy, transport, banking, healthcare, and digital infrastructure.\u003C\u002Fp>\n\u003Cp>The directive mandates stricter security requirements, includes supply chain security, and assigns personal accountability to management for non-compliance.\u003C\u002Fp>\n\u003Ch3>Quick and easy setup\u003C\u002Fh3>\n\u003Cp>Choose which modules you want to enable, configure their settings and start monitoring your site in minutes.\u003C\u002Fp>\n\u003Cp>Available modules are:\u003Cbr \u002F>\n– \u003Cstrong>Activity Logger:\u003C\u002Fstrong> logs important events such as user logins, content changes, plugin\u002Ftheme installations and more.\u003Cbr \u002F>\n– \u003Cstrong>File Integrity Monitoring:\u003C\u002Fstrong> monitors core WordPress files, themes and plugins for unauthorized changes.\u003Cbr \u002F>\n– \u003Cstrong>Access Protection:\u003C\u002Fstrong> protects login and admin pages with Google reCAPTCHA v2 and limits access\u003Cbr \u002F>\n– \u003Cstrong>Vulnerability Scanner:\u003C\u002Fstrong> scans installed plugins and themes for known vulnerabilities using the WPScan database.\u003Cbr \u002F>\n– \u003Cstrong>Compliance Checklist:\u003C\u002Fstrong> provides a checklist of security best practices to help you improve your site’s security posture\u003C\u002Fp>\n\u003Ch3>Third party services\u003C\u002Fh3>\n\u003Cp>This plugin relies on the following third-party\u002Fexternal services:\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Google reCAPTCHA v2\u003C\u002Fstrong>\u003Cbr \u002F>\nUsed to protect the WordPress login forms against automated abuse and spam.\u003Cbr \u002F>\n– Data sent: when a user interacts with the login form, the plugin loads the reCAPTCHA JavaScript API and sends the user’s IP address and form interaction data to Google’s reCAPTCHA service in order to validate the request.\u003Cbr \u002F>\n– Service provider: Google LLC\u003Cbr \u002F>\n– Terms of Service: https:\u002F\u002Fwww.google.com\u002Fintl\u002Fen\u002Fpolicies\u002Fterms\u002F\u003Cbr \u002F>\n– Privacy Policy: https:\u002F\u002Fpolicies.google.com\u002Fprivacy\u003C\u002Fp>\n\u003Cp>\u003Cstrong>IP-API.com\u003C\u002Fstrong>\u003Cbr \u002F>\nUsed to perform basic geolocation based on the visitor’s IP address (e.g., country, city, ISP).\u003Cbr \u002F>\n– Data sent: the visitor’s public IP address is queried against the ip-api.com service. No additional personal or sensitive data is transmitted.\u003Cbr \u002F>\n– Service provider: IP-API.com\u003Cbr \u002F>\n– Terms of Service: https:\u002F\u002Fip-api.com\u002Fdocs\u002Flegal\u003Cbr \u002F>\n– Privacy Policy: https:\u002F\u002Fip-api.com\u002Fdocs\u002Flegal\u003C\u002Fp>\n\u003Ch3>F.A.Q.\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Does the plugin conflict with security plugins?\u003C\u002Fstrong>\u003Cbr \u002F>\nNo. NIS2 detects other popular security plugins and integrates with them when possible.\u003C\u002Fp>\n","A comprehensive security compliance plugin implementing logging, monitoring and vulnerability management features.",10,575,0,"2025-12-18T00:49:00.000Z","6.8.5","6.0","7.4",[19,20,21,22,23],"compliance","logging","monitoring","security","vulnerability","https:\u002F\u002Fnis2.babinimazzari.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnis2-compliance.1.5.2.zip",100,null,"2026-03-15T15:16:48.613Z",[],{"slug":31,"display_name":7,"profile_url":8,"plugin_count":32,"total_installs":11,"avg_security_score":26,"avg_patch_time_days":33,"trust_score":34,"computed_at":35},"babinimazzari",1,30,94,"2026-04-04T14:17:25.030Z",[37,56,74,90,106],{"slug":38,"name":39,"version":40,"author":41,"author_profile":42,"description":43,"short_description":44,"active_installs":45,"downloaded":46,"rating":13,"num_ratings":13,"last_updated":47,"tested_up_to":15,"requires_at_least":48,"requires_php":49,"tags":50,"homepage":54,"download_link":55,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"simple-ip-logger","Simple IP Logger","1.0.1","ネトデジ編集部","https:\u002F\u002Fprofiles.wordpress.org\u002Fminikuru\u002F","\u003Cp>Simple IP Logger is a lightweight WordPress plugin that lets you:\u003Cbr \u002F>\n– Log visitor IP addresses when accessing specific pages or all pages\u003Cbr \u002F>\n– View logs with access date\u002Ftime, IP address, post ID, and referer\u003Cbr \u002F>\n– Set target post IDs to monitor\u003Cbr \u002F>\n– Exclude IPs such as admin\u002Fstaff from being logged\u003Cbr \u002F>\n– Check logs from the admin screen with pagination and filters\u003Cbr \u002F>\n– View access statistics by unique IPs and access counts\u003Cbr \u002F>\n– Use asynchronous logging via Ajax for performance\u003C\u002Fp>\n\u003Cp>This plugin is useful for confirming actual visits from ads (e.g. Google Ads), detecting suspicious access patterns, or simply tracking visitor behavior without user accounts.\u003C\u002Fp>\n\u003Cp>No external tracking, no bloat – just simple, self-hosted logging.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>日本語による説明：\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Simple IP Logger（シンプルIPロガー）は、特定のページまたは全ページへのアクセスIPを記録・可視化できる軽量なWordPressプラグインです。\u003C\u002Fp>\n\u003Cul>\n\u003Cli>投稿・固定ページのアクセスIPを記録\u003C\u002Fli>\n\u003Cli>記録された日時・IP・投稿ID・リファラーを管理画面で一覧表示\u003C\u002Fli>\n\u003Cli>特定の投稿IDのみ記録する、除外IPを設定する、など柔軟なログ管理が可能\u003C\u002Fli>\n\u003Cli>Google広告などの広告流入が「実際にあったかどうか」も確認できます\u003C\u002Fli>\n\u003Cli>Ajaxによる軽量な記録方式で、ユーザーの表示速度に影響を与えません\u003C\u002Fli>\n\u003Cli>IP別アクセス統計も管理画面から確認可能\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>使いやすく、かつ自己完結型でプライバシーを重視した設計です。\u003C\u002Fp>\n","ページ単位でアクセスIPアドレスを記録する軽量プラグイン。アクセス傾向の監視、不要なIPのフィルタリング、広告トラフィックの検証に役立ちます。",40,468,"2025-04-20T10:47:00.000Z","5.6","7.2",[51,52,21,22,53],"analytics","ip-logging","statistics","https:\u002F\u002Fminikuru.co.jp\u002Fproducts-tools\u002Fwordpress-plugins\u002Fsimple-ip-logger\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-ip-logger.1.0.1.zip",{"slug":57,"name":58,"version":59,"author":60,"author_profile":61,"description":62,"short_description":63,"active_installs":13,"downloaded":64,"rating":13,"num_ratings":13,"last_updated":65,"tested_up_to":66,"requires_at_least":67,"requires_php":68,"tags":69,"homepage":72,"download_link":73,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"nyambush","Nyambush","1.0.2","y1uda","https:\u002F\u002Fprofiles.wordpress.org\u002Fy1uda\u002F","\u003Cp>Nyambush is an Attack Surface Management (ASM) plugin that connects your WordPress site to the \u003Ca href=\"https:\u002F\u002Fnyambush.app\" rel=\"nofollow ugc\">Nyambush platform\u003C\u002Fa> for continuous security monitoring.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Features:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Automatic Environment Scanning\u003C\u002Fstrong> – Collects WordPress version, PHP version, installed plugins, themes, and security configuration\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Vulnerability Detection\u003C\u002Fstrong> – Cross-references your plugins and themes against known vulnerability databases\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Dashboard Widget\u003C\u002Fstrong> – View your security status at a glance from the WordPress admin dashboard\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Scheduled Sync\u003C\u002Fstrong> – Automatically syncs your site data at configurable intervals\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Encrypted API Key Storage\u003C\u002Fstrong> – Your API key is encrypted at rest using AES-256-GCM\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Data Minimization\u003C\u002Fstrong> – Only collects configuration data; never collects passwords, database credentials, or post content\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>How It Works:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Col>\n\u003Cli>Sign up at \u003Ca href=\"https:\u002F\u002Fnyambush.app\" rel=\"nofollow ugc\">nyambush.app\u003C\u002Fa> and add your domain\u003C\u002Fli>\n\u003Cli>Generate a WordPress verification API key\u003C\u002Fli>\n\u003Cli>Install this plugin and enter your API key\u003C\u002Fli>\n\u003Cli>Your site will be automatically monitored for vulnerabilities\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>\u003Cstrong>Privacy:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>This plugin sends the following data to nyambush.app:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>WordPress and PHP versions\u003C\u002Fli>\n\u003Cli>List of installed plugins and themes (names, versions, active status)\u003C\u002Fli>\n\u003Cli>Number of users by role\u003C\u002Fli>\n\u003Cli>Debug mode and SSL status\u003C\u002Fli>\n\u003Cli>File permissions for critical files (wp-config.php, .htaccess)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>No passwords, database credentials, post content, or personal user data is collected or transmitted.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fnyambush.app\u002Fterms\" rel=\"nofollow ugc\">Nyambush Terms of Service\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fnyambush.app\u002Fprivacy\" rel=\"nofollow ugc\">Nyambush Privacy Policy\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n","Connect your WordPress site to Nyambush ASM platform for continuous vulnerability monitoring and security assessment.",144,"2026-02-26T23:12:00.000Z","6.9.4","4.0","7.0",[70,21,71,22,23],"attack-surface","scanner","https:\u002F\u002Fnyambush.app","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnyambush.1.0.2.zip",{"slug":75,"name":76,"version":77,"author":78,"author_profile":79,"description":80,"short_description":81,"active_installs":13,"downloaded":82,"rating":13,"num_ratings":13,"last_updated":83,"tested_up_to":66,"requires_at_least":84,"requires_php":17,"tags":85,"homepage":88,"download_link":89,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"onyxflo-watchdog","OnyxFlo Watchdog for WooCommerce","1.0.0","Seth Broder","https:\u002F\u002Fprofiles.wordpress.org\u002Fbroderconsulting\u002F","\u003Cp>OnyxFlo Watchdog quietly monitors your WooCommerce orders in the background and takes snapshots at key points in the order lifecycle (checkout, thank you page, and status changes). It then compares those snapshots to detect suspicious changes or data inconsistencies.\u003C\u002Fp>\n\u003Cp>OnyxFlo Watchdog uses a lightweight custom database table (\u003Ccode>{prefix}onyxflo_watchdog_snapshots\u003C\u002Fcode>) to store order snapshots. Uninstalling the plugin does not automatically delete existing snapshot data, so you can retain a historical audit log if needed.\u003C\u002Fp>\n\u003Cp>Examples of what OnyxFlo Watchdog can help catch:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Orders where the cart or subtotal has changed between checkout and payment.\u003C\u002Fli>\n\u003Cli>Orders that have been modified after payment but before fulfillment.\u003C\u002Fli>\n\u003Cli>Data mismatches caused by buggy plugins, imports, or external integrations.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>When a potential issue is found:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>The order is changed to a custom status: \u003Cstrong>Watchdog Flagged\u003C\u002Fstrong>.\u003C\u002Fli>\n\u003Cli>A clear warning notice appears on the order screen in wp-admin.\u003C\u002Fli>\n\u003Cli>(Optional) An email alert can be sent to a configured address.\u003C\u002Fli>\n\u003Cli>A snapshot history is stored so you can see what changed and when.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This plugin is aimed at stores that care about data integrity and want an extra layer of safety before orders are shipped or refunded.\u003C\u002Fp>\n\u003Ch3>Key Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Cstrong>Order snapshots\u003C\u002Fstrong>\u003Cbr \u002F>\nAutomatically logs snapshots of WooCommerce orders at:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Checkout (classic and block checkout)\u003C\u002Fli>\n\u003Cli>Thank you page\u003C\u002Fli>\n\u003Cli>Order status changes\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Mismatch detection\u003C\u002Fstrong>\u003Cbr \u002F>\nCompares snapshots to detect:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Cart changes (items added\u002Fremoved\u002Fquantities changed)\u003C\u002Fli>\n\u003Cli>Subtotal changes over a tolerance threshold\u003C\u002Fli>\n\u003Cli>(Extensible for more rules later)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Custom order status: “Watchdog Flagged”\u003C\u002Fstrong>\u003Cbr \u002F>\nSuspicious orders are moved into a dedicated status:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Highlighted in the admin order list\u003C\u002Fli>\n\u003Cli>Clearly labeled so your team knows to review before fulfilling\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Snapshot viewer\u003C\u002Fstrong>\u003Cbr \u002F>\nView the snapshot history for a given order directly in wp-admin to see what changed over time.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Logging\u003C\u002Fstrong>\u003Cbr \u002F>\nOptional file logging for debugging and audit trails, stored inside the WordPress uploads directory (\u003Ccode>\u002Fwp-content\u002Fuploads\u002Fonyxflo-watchdog\u002F\u003C\u002Fcode>).\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Lightweight and focused\u003C\u002Fstrong>\u003Cbr \u002F>\nNo bloat, no marketing overlays, no tracking. Just tools to help you protect your orders.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Requirements\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>WooCommerce (latest major version recommended)\u003C\u002Fli>\n\u003Cli>WordPress 5.8+\u003C\u002Fli>\n\u003Cli>PHP 7.4+ (PHP 8.x supported)\u003C\u002Fli>\n\u003C\u002Ful>\n","Monitors WooCommerce orders for changes or mismatches and automatically flags suspicious orders to help ensure accuracy and prevent errors.",104,"2025-12-11T20:35:00.000Z","5.8",[20,21,86,22,87],"orders","woocommerce","https:\u002F\u002Fonyxflo.com\u002Fplugins\u002Fonyxflo-watchdog","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fonyxflo-watchdog.1.0.0.zip",{"slug":91,"name":92,"version":93,"author":94,"author_profile":95,"description":96,"short_description":97,"active_installs":13,"downloaded":98,"rating":13,"num_ratings":13,"last_updated":99,"tested_up_to":66,"requires_at_least":16,"requires_php":17,"tags":100,"homepage":104,"download_link":105,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"resilience-compliance-manager","Resilience Compliance Manager","1.2.12","bean1352","https:\u002F\u002Fprofiles.wordpress.org\u002Fbean1352\u002F","\u003Cp>If you sell a WordPress plugin or theme to anyone in the EU, the EU Cyber Resilience Act (Regulation 2024\u002F2847) applies to you. It does not matter where you are based or whether your product is free. Agencies distributing custom plugins or themes to EU clients are also in scope.\u003C\u002Fp>\n\u003Cp>From September 11, 2026, you need a documented vulnerability reporting process, the required security documents, and a way to monitor your products for known vulnerabilities. ResilienceWP is built for WordPress developers — plugin developers, theme developers, and agencies — to cover all of that in one place.\u003C\u002Fp>\n\u003Cp>Non-compliance carries fines up to EUR 15 million or 2.5% of global annual turnover. Authorities can also force non-compliant products off the EU market.\u003C\u002Fp>\n\u003Cp>The free plan covers the paperwork side of compliance: checklist, five document templates, and the CRA education guide. Paid plans add automated vulnerability scanning, email alerts, the Incident Center for ENISA notification management, and downloadable compliance reports, all directly inside your WordPress admin. Pro plans also include webhook integrations for CI\u002FCD pipelines and external tools — get real-time notifications when scans complete or vulnerabilities are found.\u003C\u002Fp>\n\u003Cp>For pricing, documentation, and more details visit \u003Ca href=\"https:\u002F\u002Fwww.resiliencewp.com\" rel=\"nofollow ugc\">resiliencewp.com\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch4>Compliance Checklist (Free)\u003C\u002Fh4>\n\u003Cp>26 actionable items, each mapped to a specific CRA article. Five categories cover everything the regulation requires:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Risk Assessment: documenting threats, attack surfaces, and mitigations\u003C\u002Fli>\n\u003Cli>Secure Development: secure defaults, no known exploitable vulnerabilities at release\u003C\u002Fli>\n\u003Cli>Vulnerability Handling: disclosure policy, coordinated reporting, user notification\u003C\u002Fli>\n\u003Cli>Required Documentation: SBOM, Declaration of Conformity, technical file\u003C\u002Fli>\n\u003Cli>Post-Market Obligations: ongoing monitoring, security updates, end-of-life policy\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Every item has a plain-English explanation of what it means and why it matters. Check items off as you complete them. Progress saves automatically.\u003C\u002Fp>\n\u003Ch4>Document Generator (Free)\u003C\u002Fh4>\n\u003Cp>Generate the five documents the CRA requires before you can legally place a product on the EU market:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Vulnerability Disclosure Policy (Article 13(6)): your public process for receiving and handling security reports from researchers\u003C\u002Fli>\n\u003Cli>Incident Response Plan: your internal procedure when a vulnerability is discovered or actively exploited\u003C\u002Fli>\n\u003Cli>EU Declaration of Conformity: the formal self-declaration that your product meets CRA essential requirements\u003C\u002Fli>\n\u003Cli>Software Bill of Materials (SBOM) (Article 13): a structured inventory of your plugin’s components, dependencies, and third-party libraries\u003C\u002Fli>\n\u003Cli>security.txt: the machine-readable contact file security researchers use to reach you, placed at \u002F.well-known\u002Fsecurity.txt\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Fill in your plugin name, contact details, and a few specifics. Download in text or markdown format. No starting from scratch, no lawyer needed for the first draft.\u003C\u002Fp>\n\u003Ch4>CRA Education Centre (Free)\u003C\u002Fh4>\n\u003Cp>An article-by-article breakdown of Regulation (EU) 2024\u002F2847, written for developers rather than legal teams. Understand what each obligation actually requires: what counts as “active exploitation,” what an SBOM needs to contain, what the 24-hour reporting window really means.\u003C\u002Fp>\n\u003Ch4>Vulnerability Scanner (Basic and Pro)\u003C\u002Fh4>\n\u003Cp>Connect your account to ResilienceWP and it monitors your plugins against the WPScan vulnerability database on a regular schedule. Weekly on Basic, daily on Pro.\u003C\u002Fp>\n\u003Cp>You can monitor any plugin by its WordPress.org slug, not just the plugins currently installed on your site. If your plugin depends on WooCommerce, ACF, or any other third-party plugin, you can add those slugs directly and track vulnerabilities in your dependencies. Plugins can also be added directly from your installed plugins list.\u003C\u002Fp>\n\u003Cp>The moment a new vulnerability is found, you get an email with the severity rating, CVE ID, affected version range, and fix version if one is available. Back in your WordPress admin, vulnerabilities are grouped by plugin and sorted by date discovered, so you can see at a glance which plugins have open issues and how old they are.\u003C\u002Fp>\n\u003Cp>Each vulnerability card shows:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Severity (Critical \u002F High \u002F Medium \u002F Low \u002F Info) with colour coding\u003C\u002Fli>\n\u003Cli>CVE identifier linked directly to the NVD entry\u003C\u002Fli>\n\u003Cli>The fix version (or “no fix available yet”)\u003C\u002Fli>\n\u003Cli>An action hint: whether to update, acknowledge, or open an incident\u003C\u002Fli>\n\u003Cli>A button to report the incident directly to the Incident Center\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Status tracking lets you mark vulnerabilities as Open, Acknowledged, In Progress, Resolved, or False Positive. Export the full vulnerability list as CSV for your compliance records.\u003C\u002Fp>\n\u003Ch4>Incident Center (Basic and Pro)\u003C\u002Fh4>\n\u003Cp>When a vulnerability in your plugin is being actively exploited, the CRA requires you to notify ENISA within 24 hours. The Incident Center tracks that deadline from the moment you log first awareness and guides you through the complete regulatory workflow.\u003C\u002Fp>\n\u003Cp>Creating a new incident logs the discovery timestamp and starts all three countdown timers simultaneously:\u003C\u002Fp>\n\u003Col>\n\u003Cli>Early Warning: due within 24 hours of first awareness\u003C\u002Fli>\n\u003Cli>Vulnerability Notification: due within 72 hours, with full technical details\u003C\u002Fli>\n\u003Cli>Final Report: due within 14 days, including root cause and remediation steps\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>The case view shows:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Live countdown timers for each notification deadline, turning amber at 6 hours and red when overdue\u003C\u002Fli>\n\u003Cli>A completeness score on your incident report so you know exactly what information is still missing\u003C\u002Fli>\n\u003Cli>A “Where to Submit” section with direct links to ENISA’s reporting portal, the EU CSIRT network directory, and the CVE Programme at MITRE\u003C\u002Fli>\n\u003Cli>A full audit log recording every action taken, every field updated, and every notification submitted\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>On Pro, you can export the full incident case including all notifications and the complete audit log, formatted for submission to regulators or for your compliance archive.\u003C\u002Fp>\n\u003Ch4>Dashboard and Compliance Score\u003C\u002Fh4>\n\u003Cp>The dashboard gives you a live compliance score (0-100) with a transparent breakdown:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>-15 points per open critical vulnerability\u003C\u002Fli>\n\u003Cli>-7 points per open high vulnerability\u003C\u002Fli>\n\u003Cli>-3 points per open medium vulnerability\u003C\u002Fli>\n\u003Cli>-20 points per overdue incident (past the 24-hour ENISA deadline)\u003C\u002Fli>\n\u003Cli>-5 points per active open incident\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>It is not a vanity metric. It is a working indicator of where you stand against your CRA obligations at any point in time, with the exact deductions shown so you know what to fix first.\u003C\u002Fp>\n\u003Ch4>Compliance Reports and SBOM Export (Basic and Pro)\u003C\u002Fh4>\n\u003Cp>Generate a PDF compliance report for auditors or regulators covering your vulnerability history, resolution timeline, and document status. Export your Software Bill of Materials in standard format, as required by CRA Article 13.\u003C\u002Fp>\n\u003Ch4>Webhook Integrations (Pro)\u003C\u002Fh4>\n\u003Cp>Connect ResilienceWP to your CI\u002FCD pipeline, Slack, or any external tool with webhook callbacks. Configure webhook endpoints in Settings and receive real-time HTTP POST notifications with HMAC-SHA256 signed payloads when:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>A scheduled or manual scan completes\u003C\u002Fli>\n\u003Cli>A new vulnerability is found in one of your monitored plugins\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Each webhook delivery is logged with status codes and response data, so you can debug integration issues directly from your WordPress admin. Manage up to 5 webhook endpoints per account, toggle them on and off, and filter by event type.\u003C\u002Fp>\n\u003Ch4>Who needs to comply\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Commercial plugin developers: selling to EU customers through any channel (your site, Envato, direct) makes you the manufacturer under the CRA\u003C\u002Fli>\n\u003Cli>WordPress agencies: distributing custom-built plugins to EU clients, even for a single client, counts as placing a product on the market\u003C\u002Fli>\n\u003Cli>Freemium developers: having a free version does not exempt you; any commercial activity tied to the product brings you in scope\u003C\u002Fli>\n\u003Cli>Theme developers: themes with shortcodes, API integrations, or custom post types may qualify as “products with digital elements”\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Key dates\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>10 December 2024: CRA entered into force. Transition period began.\u003C\u002Fli>\n\u003Cli>11 September 2026: Vulnerability and incident reporting obligations apply.\u003C\u002Fli>\n\u003Cli>11 December 2027: Full CRA application. All requirements in effect.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Source Code\u003C\u002Fh4>\n\u003Cp>The admin dashboard is built with React and compiled using Vite. The uncompiled source is included in the plugin ZIP under admin\u002Fsrc\u002F. To rebuild from source:\u003C\u002Fp>\n\u003Col>\n\u003Cli>Install Node.js 20+ and pnpm 10+\u003C\u002Fli>\n\u003Cli>Run \u003Ccode>pnpm install\u003C\u002Fcode> in the plugin directory\u003C\u002Fli>\n\u003Cli>Run \u003Ccode>pnpm build\u003C\u002Fcode> to recompile the admin dashboard\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>External Services\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>ResilienceWP API\u003C\u002Fstrong> (https:\u002F\u002Fapi.resiliencewp.com)\u003Cbr \u002F>\nUsed for API key verification, vulnerability scanning, incident management, and report generation. Data sent: API key, WordPress site URL, plugin slugs and versions.\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwww.resiliencewp.com\u002Fterms\" rel=\"nofollow ugc\">Terms of Service\u003C\u002Fa> | \u003Ca href=\"https:\u002F\u002Fwww.resiliencewp.com\u002Fprivacy\" rel=\"nofollow ugc\">Privacy Policy\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>WPScan\u003C\u002Fstrong> (via ResilienceWP API)\u003Cbr \u002F>\nPlugin vulnerability data is sourced from the WPScan database. Plugin slugs are sent through the ResilienceWP API. No personal data is sent from your WordPress installation directly to WPScan.\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwpscan.com\u002Fterms\" rel=\"nofollow ugc\">WPScan Terms\u003C\u002Fa> | \u003Ca href=\"https:\u002F\u002Fwpscan.com\u002Fprivacy\" rel=\"nofollow ugc\">WPScan Privacy Policy\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Paddle\u003C\u002Fstrong> (payments)\u003Cbr \u002F>\nSubscription payments are processed by Paddle as merchant of record. Payment data is handled entirely by Paddle and never passes through our servers.\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwww.paddle.com\u002Flegal\u002Fterms\" rel=\"nofollow ugc\">Paddle Terms\u003C\u002Fa> | \u003Ca href=\"https:\u002F\u002Fwww.paddle.com\u002Flegal\u002Fprivacy\" rel=\"nofollow ugc\">Paddle Privacy\u003C\u002Fa>\u003C\u002Fp>\n","CRA compliance for WordPress developers. Checklist, document generator, vulnerability scanner, and incident reporting for the 2026 EU deadline.",567,"2026-03-11T17:21:00.000Z",[101,19,102,22,103],"audit","gdpr","vulnerability-scanner","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fresilience-compliance-manager.1.2.12.zip",{"slug":107,"name":108,"version":77,"author":109,"author_profile":110,"description":111,"short_description":112,"active_installs":13,"downloaded":113,"rating":13,"num_ratings":13,"last_updated":114,"tested_up_to":15,"requires_at_least":84,"requires_php":17,"tags":115,"homepage":118,"download_link":119,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"sochq-log-agent","SOCHQ AI Log Agent","cyberneticsplus","https:\u002F\u002Fprofiles.wordpress.org\u002Fcyberneticsplus\u002F","\u003Cp>\u003Cstrong>SOCHQ Log Agent\u003C\u002Fstrong> collects lightweight PHP request telemetry from your WordPress site and periodically ships it as JSON to your HTTPS Webhook. Designed for minimal footprint and simple setup: paste a Webhook URL and you’re set.\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>\u003Cstrong>Ownership\u002FTrademark:\u003C\u002Fstrong> SOCHQ is a product of \u003Cstrong>Cyberneticsplus Services Pvt. Ltd.\u003C\u002Fstrong> (https:\u002F\u002Fcyberneticsplus.com). Service homepage: https:\u002F\u002Fsochq.com\u002F\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Ch3>Key features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Batched delivery\u003C\u002Fstrong> via WP-Cron (default: every 15 minutes).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Minimal fields by default\u003C\u002Fstrong> to reduce sensitivity and payload size.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configurable Webhook URL\u003C\u002Fstrong> (HTTPS required).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Graceful failures\u003C\u002Fstrong>: queues and retries when delivery fails.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Opt-out fields\u003C\u002Fstrong>: ability to disable optional fields if present in settings.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>What data is sent?\u003C\u002Fh3>\n\u003Cp>By default, the plugin aims to send low-sensitivity request telemetry such as:\u003Cbr \u002F>\n– Timestamp, HTTP method, request URI\u002Fpath, response status code\u003Cbr \u002F>\n– Execution time (ms) and memory usage (if available)\u003Cbr \u002F>\n– Site identifier (non-PII, e.g., hashed home URL)\u003Cbr \u002F>\n– Optional: user agent, referrer, client IP (can be disabled)\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>\u003Cstrong>Note:\u003C\u002Fstrong> Exact fields depend on your configuration and the plugin settings available in your version. Review your settings before enabling optional fields.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Ch3>Security & performance\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Uses \u003Cstrong>HTTPS\u003C\u002Fstrong> for outbound webhook calls.\u003C\u002Fli>\n\u003Cli>Sends \u003Cstrong>batched\u003C\u002Fstrong> JSON to reduce overhead.\u003C\u002Fli>\n\u003Cli>Non-blocking operation—collection is lightweight and scheduled via WP-Cron.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Privacy\u003C\u002Fh3>\n\u003Cp>This plugin can send site telemetry to an external endpoint you control. Configure it to avoid personal data unless you have a lawful basis and have disclosed it to users. For your privacy policy, disclose:\u003Cbr \u002F>\n– What you collect (telemetry fields),\u003Cbr \u002F>\n– Why you collect it,\u003Cbr \u002F>\n– Where you send it (your Webhook),\u003Cbr \u002F>\n– How long you retain it.\u003C\u002Fp>\n\u003Cp>Cyberneticsplus Services Pvt. Ltd. product site: https:\u002F\u002Fsochq.com\u003Cbr \u002F>\nCompany site: https:\u002F\u002Fcyberneticsplus.com\u003C\u002Fp>\n\u003Ch3>Ownership and Trademark\u003C\u002Fh3>\n\u003Cp>SOCHQ is a product of \u003Cstrong>Cyberneticsplus Services Pvt. Ltd.\u003C\u002Fstrong> (https:\u002F\u002Fcyberneticsplus.com). This is an official plugin authored and maintained by Cyberneticsplus.\u003C\u002Fp>\n","Capture PHP request telemetry and ship JSON batches to your HTTPS webhook every 15 minutes. Minimal setup: set a Webhook URL.",201,"2025-09-02T09:12:00.000Z",[116,117,20,21,22],"ai-security","log-analysis","https:\u002F\u002Fsochq.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsochq-log-agent.1.0.0.zip",{"attackSurface":121,"codeSignals":406,"taintFlows":526,"riskAssessment":637,"analyzedAt":646},{"hooks":122,"ajaxHandlers":308,"restRoutes":388,"shortcodes":389,"cronEvents":402,"entryPointCount":405,"unprotectedCount":32},[123,129,132,136,141,145,149,153,157,160,164,168,172,176,181,186,189,193,196,200,204,208,212,216,220,224,228,232,236,240,244,248,251,255,259,263,266,269,272,276,278,282,286,290,293,298,302,305],{"type":124,"name":125,"callback":126,"file":127,"line":128},"action","admin_init","register_settings","admin\\class-nis2-admin.php",27,{"type":124,"name":130,"callback":130,"file":127,"line":131},"admin_notices",28,{"type":133,"name":134,"callback":134,"file":127,"line":135},"filter","admin_body_class",29,{"type":124,"name":137,"callback":138,"file":139,"line":140},"wp_login_failed","handle_failed_login","includes\\class-nis2-access-protection.php",43,{"type":124,"name":142,"callback":143,"priority":32,"file":139,"line":144},"wp_authenticate_user","check_ip_blocking",44,{"type":133,"name":146,"callback":147,"priority":33,"file":139,"line":148},"authenticate","check_login_attempts",45,{"type":124,"name":150,"callback":151,"file":139,"line":152},"login_enqueue_scripts","closure",49,{"type":124,"name":154,"callback":155,"file":139,"line":156},"login_form","add_captcha_to_login",59,{"type":133,"name":142,"callback":158,"priority":11,"file":139,"line":159},"verify_captcha",60,{"type":124,"name":161,"callback":162,"file":139,"line":163},"rest_api_init","init_rest_api_rate_limiting",70,{"type":124,"name":165,"callback":166,"file":139,"line":167},"nis2_daily_scan","cleanup_old_attempts",78,{"type":133,"name":169,"callback":170,"priority":11,"file":139,"line":171},"rest_pre_dispatch","check_rest_api_rate_limit",395,{"type":124,"name":165,"callback":173,"file":174,"line":175},"daily_compliance_check","includes\\class-nis2-compliance-checker.php",186,{"type":133,"name":177,"callback":178,"file":179,"line":180},"pre_get_ready_cron_jobs","handle_schedule_crons_on_cron_ready_check","includes\\class-nis2-cron.php",19,{"type":124,"name":182,"callback":183,"priority":11,"file":184,"line":185},"nis2_log_event","log_event","includes\\class-nis2-logger.php",68,{"type":124,"name":165,"callback":187,"file":184,"line":188},"cleanup_old_logs",72,{"type":124,"name":190,"callback":191,"priority":11,"file":184,"line":192},"wp_login","log_user_login",80,{"type":124,"name":137,"callback":194,"file":184,"line":195},"log_failed_login",81,{"type":124,"name":197,"callback":198,"file":184,"line":199},"wp_logout","log_user_logout",82,{"type":124,"name":201,"callback":202,"file":184,"line":203},"activated_plugin","log_plugin_activation",85,{"type":124,"name":205,"callback":206,"file":184,"line":207},"deactivated_plugin","log_plugin_deactivation",86,{"type":124,"name":209,"callback":210,"file":184,"line":211},"switch_theme","log_theme_switch",87,{"type":124,"name":213,"callback":214,"file":184,"line":215},"user_register","log_user_registration",90,{"type":124,"name":217,"callback":218,"file":184,"line":219},"delete_user","log_user_deletion",91,{"type":124,"name":221,"callback":222,"file":184,"line":223},"profile_update","log_profile_update",92,{"type":124,"name":225,"callback":226,"file":184,"line":227},"_core_updated_successfully","log_core_update",95,{"type":124,"name":229,"callback":230,"priority":11,"file":184,"line":231},"save_post","log_post_save",98,{"type":124,"name":233,"callback":234,"file":184,"line":235},"delete_post","log_post_deletion",99,{"type":124,"name":237,"callback":238,"priority":11,"file":184,"line":239},"updated_option","log_option_update",102,{"type":133,"name":241,"callback":242,"file":184,"line":243},"wp_handle_upload","log_file_upload",105,{"type":124,"name":245,"callback":246,"file":247,"line":148},"nis2_integrity_check","run_integrity_check","includes\\class-nis2-monitor.php",{"type":124,"name":225,"callback":249,"file":247,"line":250},"update_core_baseline",55,{"type":124,"name":252,"callback":253,"priority":11,"file":247,"line":254},"upgrader_process_complete","update_baseline_after_upgrade",56,{"type":124,"name":256,"callback":257,"priority":11,"file":247,"line":258},"update_option_nis2_integrity_enabled","handle_enable_disable_toggle",62,{"type":124,"name":260,"callback":261,"file":262,"line":243},"nis2_vulnerability_check","run_vulnerability_scan","includes\\class-nis2-vulnerability-scanner.php",{"type":124,"name":252,"callback":264,"priority":11,"file":262,"line":265},"check_after_update",112,{"type":124,"name":130,"callback":267,"file":262,"line":268},"show_vulnerability_notices",118,{"type":124,"name":270,"callback":257,"priority":11,"file":262,"line":271},"update_option_nis2_vulnerability_scanning_enabled",121,{"type":124,"name":273,"callback":274,"priority":11,"file":275,"line":250},"init","init_modules","includes\\class-nis2.php",{"type":124,"name":125,"callback":125,"file":275,"line":277},64,{"type":124,"name":279,"callback":280,"file":275,"line":281},"admin_menu","add_admin_menu",65,{"type":124,"name":283,"callback":284,"file":275,"line":285},"admin_enqueue_scripts","enqueue_admin_scripts",66,{"type":124,"name":287,"callback":288,"file":275,"line":289},"wp_enqueue_scripts","enqueue_public_scripts",67,{"type":133,"name":291,"callback":151,"file":275,"line":292},"nis2_registered_crons",642,{"type":124,"name":294,"callback":295,"file":296,"line":297},"plugins_loaded","nis2_init","nis2.php",39,{"type":124,"name":299,"callback":300,"file":301,"line":128},"wp_head","add_meta_tags","public\\class-nis2-public.php",{"type":124,"name":303,"callback":304,"file":301,"line":131},"wp_footer","add_footer_content",{"type":124,"name":273,"callback":306,"file":307,"line":128},"register_shortcodes","public\\class-nis2-shortcodes.php",[309,315,319,323,327,331,335,339,342,346,350,353,357,360,364,368,372,376,380,384],{"action":310,"nopriv":311,"callback":312,"hasNonce":313,"hasCapCheck":313,"file":127,"line":314},"nis2_toggle_suppress_toggle",false,"ajax_toggle_suppress_toggle",true,32,{"action":316,"nopriv":311,"callback":317,"hasNonce":313,"hasCapCheck":313,"file":139,"line":318},"nis2_unblock_ip","unblock_ip",73,{"action":320,"nopriv":311,"callback":321,"hasNonce":313,"hasCapCheck":313,"file":139,"line":322},"nis2_add_whitelist_ip","add_whitelist_ip",74,{"action":324,"nopriv":311,"callback":325,"hasNonce":311,"hasCapCheck":311,"file":139,"line":326},"nis2_remove_whitelist_ip","remove_whitelist_ip",75,{"action":328,"nopriv":311,"callback":329,"hasNonce":313,"hasCapCheck":313,"file":174,"line":330},"nis2_check_compliance","ajax_check_compliance",184,{"action":332,"nopriv":311,"callback":333,"hasNonce":313,"hasCapCheck":313,"file":174,"line":334},"nis2_get_compliance_report","ajax_get_compliance_report",185,{"action":336,"nopriv":311,"callback":337,"hasNonce":313,"hasCapCheck":313,"file":184,"line":338},"nis2_export_logs","export_logs",69,{"action":340,"nopriv":311,"callback":341,"hasNonce":313,"hasCapCheck":313,"file":184,"line":163},"nis2_clear_logs","clear_logs",{"action":343,"nopriv":311,"callback":344,"hasNonce":313,"hasCapCheck":313,"file":184,"line":345},"nis2_create_test_log","create_test_log",71,{"action":347,"nopriv":311,"callback":348,"hasNonce":313,"hasCapCheck":313,"file":247,"line":349},"nis2_manual_integrity_check","manual_integrity_check",46,{"action":351,"nopriv":311,"callback":348,"hasNonce":313,"hasCapCheck":313,"file":247,"line":352},"nis2_only_core_integrity_check",47,{"action":354,"nopriv":311,"callback":355,"hasNonce":313,"hasCapCheck":313,"file":247,"line":356},"nis2_reset_file_baseline","reset_file_baseline",48,{"action":358,"nopriv":311,"callback":359,"hasNonce":313,"hasCapCheck":313,"file":247,"line":152},"nis2_ignore_file_change","ignore_file_change",{"action":361,"nopriv":311,"callback":362,"hasNonce":313,"hasCapCheck":313,"file":247,"line":363},"nis2_bulk_ignore_file_change","ignore_bulk_file_change",50,{"action":365,"nopriv":311,"callback":366,"hasNonce":313,"hasCapCheck":313,"file":247,"line":367},"nis2_all_ignore_file_change","ignore_all_file_change",51,{"action":369,"nopriv":311,"callback":370,"hasNonce":313,"hasCapCheck":313,"file":247,"line":371},"nis2_export_monitor","export_monitor",52,{"action":373,"nopriv":311,"callback":374,"hasNonce":313,"hasCapCheck":313,"file":262,"line":375},"nis2_manual_vulnerability_scan","manual_vulnerability_scan",106,{"action":377,"nopriv":311,"callback":378,"hasNonce":313,"hasCapCheck":313,"file":262,"line":379},"nis2_mark_vulnerability_resolved","mark_vulnerability_resolved",107,{"action":381,"nopriv":311,"callback":382,"hasNonce":313,"hasCapCheck":313,"file":262,"line":383},"nis2_ignore_vulnerability","ignore_vulnerability",108,{"action":385,"nopriv":311,"callback":386,"hasNonce":313,"hasCapCheck":313,"file":262,"line":387},"nis2_export_vulnerability","export_vulnerability",109,[],[390,394,398],{"tag":391,"callback":392,"file":307,"line":393},"nis2_status","compliance_status_shortcode",34,{"tag":395,"callback":396,"file":307,"line":397},"nis2_security_badge","security_badge_shortcode",35,{"tag":399,"callback":400,"file":307,"line":401},"nis2_last_update","last_update_shortcode",36,[403],{"hook":260,"callback":260,"file":262,"line":404},525,23,{"dangerousFunctions":407,"sqlUsage":408,"outputEscaping":454,"fileOperations":522,"externalRequests":523,"nonceChecks":409,"capabilityChecks":524,"bundledLibraries":525},[],{"prepared":397,"raw":409,"locations":410},20,[411,414,417,419,421,423,425,428,430,432,434,436,438,440,442,444,446,448,450,452],{"file":139,"line":412,"context":413},808,"$wpdb->query() with variable interpolation",{"file":174,"line":415,"context":416},380,"$wpdb->get_var() with variable interpolation",{"file":174,"line":418,"context":416},496,{"file":184,"line":420,"context":413},582,{"file":184,"line":422,"context":416},618,{"file":184,"line":424,"context":416},738,{"file":184,"line":426,"context":427},742,"$wpdb->get_results() with variable interpolation",{"file":184,"line":429,"context":427},752,{"file":247,"line":431,"context":427},141,{"file":247,"line":433,"context":416},858,{"file":247,"line":435,"context":427},866,{"file":247,"line":437,"context":427},884,{"file":247,"line":439,"context":416},929,{"file":247,"line":441,"context":416},931,{"file":247,"line":443,"context":416},933,{"file":247,"line":445,"context":416},935,{"file":247,"line":447,"context":427},1080,{"file":262,"line":449,"context":416},669,{"file":262,"line":451,"context":427},723,{"file":262,"line":453,"context":427},833,{"escaped":455,"rawEcho":314,"locations":456},446,[457,460,462,464,466,468,470,472,474,477,479,481,482,485,486,488,490,492,494,496,498,500,502,504,506,508,510,512,514,516,518,520],{"file":127,"line":458,"context":459},256,"raw output",{"file":127,"line":461,"context":459},283,{"file":127,"line":463,"context":459},285,{"file":127,"line":465,"context":459},287,{"file":127,"line":467,"context":459},288,{"file":127,"line":469,"context":459},293,{"file":127,"line":471,"context":459},295,{"file":127,"line":473,"context":459},309,{"file":475,"line":476,"context":459},"admin\\class-nis2-dashboard.php",485,{"file":475,"line":478,"context":459},490,{"file":480,"line":314,"context":459},"admin\\views\\compliance.php",{"file":480,"line":156,"context":459},{"file":483,"line":484,"context":459},"admin\\views\\dashboard.php",61,{"file":483,"line":326,"context":459},{"file":483,"line":487,"context":459},97,{"file":483,"line":489,"context":459},127,{"file":483,"line":491,"context":459},132,{"file":483,"line":493,"context":459},198,{"file":483,"line":495,"context":459},238,{"file":483,"line":497,"context":459},271,{"file":483,"line":499,"context":459},354,{"file":483,"line":501,"context":459},389,{"file":483,"line":503,"context":459},399,{"file":483,"line":505,"context":459},410,{"file":483,"line":507,"context":459},424,{"file":483,"line":509,"context":459},429,{"file":483,"line":511,"context":459},444,{"file":483,"line":513,"context":459},449,{"file":139,"line":515,"context":459},335,{"file":262,"line":517,"context":459},677,{"file":262,"line":519,"context":459},689,{"file":301,"line":521,"context":459},54,3,5,21,[],[527,545,553,566,579,588,605,615],{"entryPoint":528,"graph":529,"unsanitizedCount":13,"severity":544},"ajax_toggle_suppress_toggle (admin\\class-nis2-admin.php:360)",{"nodes":530,"edges":542},[531,536],{"id":532,"type":533,"label":534,"file":127,"line":535},"n0","source","$_POST",375,{"id":537,"type":538,"label":539,"file":127,"line":540,"wp_function":541},"n1","sink","update_option() [Settings Manipulation]",378,"update_option",[543],{"from":532,"to":537,"sanitized":313},"low",{"entryPoint":546,"graph":547,"unsanitizedCount":13,"severity":544},"\u003Cclass-nis2-admin> (admin\\class-nis2-admin.php:0)",{"nodes":548,"edges":551},[549,550],{"id":532,"type":533,"label":534,"file":127,"line":535},{"id":537,"type":538,"label":539,"file":127,"line":540,"wp_function":541},[552],{"from":532,"to":537,"sanitized":313},{"entryPoint":554,"graph":555,"unsanitizedCount":13,"severity":544},"\u003Cclass-nis2-access-protection> (includes\\class-nis2-access-protection.php:0)",{"nodes":556,"edges":564},[557,560],{"id":532,"type":533,"label":558,"file":139,"line":559},"$_SERVER",675,{"id":537,"type":538,"label":561,"file":139,"line":562,"wp_function":563},"wp_remote_get() [SSRF]",700,"wp_remote_get",[565],{"from":532,"to":537,"sanitized":313},{"entryPoint":567,"graph":568,"unsanitizedCount":13,"severity":544},"\u003Cclass-nis2-logger> (includes\\class-nis2-logger.php:0)",{"nodes":569,"edges":577},[570,573],{"id":532,"type":533,"label":571,"file":184,"line":572},"$_GET",613,{"id":537,"type":538,"label":574,"file":184,"line":575,"wp_function":576},"get_results() [SQLi]",622,"get_results",[578],{"from":532,"to":537,"sanitized":313},{"entryPoint":580,"graph":581,"unsanitizedCount":32,"severity":587},"display_log_page (includes\\class-nis2-logger.php:607)",{"nodes":582,"edges":585},[583,584],{"id":532,"type":533,"label":571,"file":184,"line":572},{"id":537,"type":538,"label":574,"file":184,"line":575,"wp_function":576},[586],{"from":532,"to":537,"sanitized":311},"high",{"entryPoint":589,"graph":590,"unsanitizedCount":32,"severity":587},"ignore_file_change (includes\\class-nis2-monitor.php:440)",{"nodes":591,"edges":602},[592,594,597],{"id":532,"type":533,"label":534,"file":247,"line":593},454,{"id":537,"type":595,"label":596,"file":247,"line":593},"transform","→ process_ignore_file_change()",{"id":598,"type":538,"label":599,"file":247,"line":600,"wp_function":601},"n2","get_row() [SQLi]",653,"get_row",[603,604],{"from":532,"to":537,"sanitized":311},{"from":537,"to":598,"sanitized":311},{"entryPoint":606,"graph":607,"unsanitizedCount":32,"severity":587},"display_integrity_page (includes\\class-nis2-monitor.php:838)",{"nodes":608,"edges":613},[609,611],{"id":532,"type":533,"label":571,"file":247,"line":610},845,{"id":537,"type":538,"label":574,"file":247,"line":612,"wp_function":576},862,[614],{"from":532,"to":537,"sanitized":311},{"entryPoint":616,"graph":617,"unsanitizedCount":522,"severity":587},"\u003Cclass-nis2-monitor> (includes\\class-nis2-monitor.php:0)",{"nodes":618,"edges":632},[619,621,622,623,625,628,630],{"id":532,"type":533,"label":534,"file":247,"line":620},448,{"id":537,"type":538,"label":599,"file":247,"line":600,"wp_function":601},{"id":598,"type":533,"label":571,"file":247,"line":610},{"id":624,"type":538,"label":574,"file":247,"line":612,"wp_function":576},"n3",{"id":626,"type":533,"label":627,"file":247,"line":593},"n4","$_POST (x3)",{"id":629,"type":595,"label":596,"file":247,"line":593},"n5",{"id":631,"type":538,"label":599,"file":247,"line":600,"wp_function":601},"n6",[633,634,635,636],{"from":532,"to":537,"sanitized":313},{"from":598,"to":624,"sanitized":313},{"from":626,"to":629,"sanitized":311},{"from":629,"to":631,"sanitized":311},{"summary":638,"deductions":639},"The \"nis2-compliance\" plugin v1.5.2 presents a mixed security posture. On the positive side, it demonstrates good practices with a high percentage of properly escaped outputs and a strong reliance on prepared statements for SQL queries. The absence of any historical CVEs is a significant strength, suggesting a history of stable and secure development.  However, the static analysis reveals notable concerns. The presence of one AJAX handler without authentication checks creates a potential entry point for unauthorized actions. Furthermore, the taint analysis indicates four flows with unsanitized paths, all classified as high severity. This is a critical weakness, as unsanitized input can lead to severe vulnerabilities if not handled correctly, despite the absence of critical severity taint flows.\n\nThe plugin's vulnerability history is excellent, with zero recorded CVEs. This indicates a likely proactive approach to security by the developers. However, the static analysis findings, particularly the unprotected AJAX handler and the high-severity unsanitized taint flows, cannot be ignored. The strength in output escaping and SQL preparedness is commendable, but these are undermined by the identified input sanitization issues and the direct attack surface. The overall risk is moderate, with significant potential for exploitation if the unsanitized taint flows are indeed exploitable.",[640,643],{"reason":641,"points":642},"Unprotected AJAX handler",8,{"reason":644,"points":645},"High severity unsanitized taint flows (4)",12,"2026-03-17T00:08:39.920Z",{"wat":648,"direct":658},{"assetPaths":649,"generatorPatterns":652,"scriptPaths":653,"versionParams":655},[650,651],"\u002Fwp-content\u002Fplugins\u002Fnis2-compliance\u002Fassets\u002Fcss\u002Fnis2-compliance.css","\u002Fwp-content\u002Fplugins\u002Fnis2-compliance\u002Fassets\u002Fjs\u002Fnis2-compliance.js",[],[654],"https:\u002F\u002Fwww.google.com\u002Frecaptcha\u002Fapi.js",[656,657],"nis2-compliance\u002Fassets\u002Fcss\u002Fnis2-compliance.css?ver=","nis2-compliance\u002Fassets\u002Fjs\u002Fnis2-compliance.js?ver=",{"cssClasses":659,"htmlComments":661,"htmlAttributes":663,"restEndpoints":664,"jsGlobals":668,"shortcodeOutput":670},[660],"nis2-compliance-settings",[662],"NIS2 Compliance Settings",[],[665,666,667],"\u002Fwp-json\u002Fnis2-compliance\u002Fv1\u002Fsettings","\u002Fwp-json\u002Fnis2-compliance\u002Fv1\u002Fscan","\u002Fwp-json\u002Fnis2-compliance\u002Fv1\u002Flogs",[669],"nis2_compliance_ajax_object",[]]