[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fy3hM42qeKFzFPI-2WJ8rWf9aCtKQX4O-f4D9tvQbJtI":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":21,"download_link":22,"security_score":13,"vuln_count":23,"unpatched_count":23,"last_vuln_date":24,"fetched_at":25,"vulnerabilities":26,"developer":27,"crawl_stats":24,"alternatives":34,"analysis":35,"fingerprints":102},"notification-attachments-for-gravity-forms","Notification Attachments for Gravity Forms","0.6.3","kgmservizi","https:\u002F\u002Fprofiles.wordpress.org\u002Fkgmservizi\u002F","\u003Cp>\u003Cstrong>REQUIREMENTS\u003C\u002Fstrong>\u003Cbr \u002F>\n\u003Cstrong>LATEST VERSION IS COMPATIBLE ONLY WITH GRAVITY FORMS > 2.5+\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Don’t work? Open ticket, we answer in max 48h.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>This plugin requires Gravity Forms.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Send attachment in Gravity Forms Notification, you can add easily from Gravity Forms Notification setting.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Filter\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>For allow other plugins\u002Fthemes to update the attachment_path as they need.\u003C\u002Fp>\n\u003Cp>add_filter(‘gf_kgm_notification_attachment_path’, $path, $attachment_id, $form, $lead)\u003C\u002Fp>\n","Send attachment in Gravity Forms 
Notification",2000,26538,100,12,"2025-11-30T20:59:00.000Z","6.8.5","5.0","7.4",[20],"gravity-forms-notification-attachments","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnotification-attachments-for-gravity-forms.0.6.3.zip",0,null,"2026-03-15T15:16:48.613Z",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":28,"total_installs":29,"avg_security_score":30,"avg_patch_time_days":31,"trust_score":32,"computed_at":33},7,14740,99,30,93,"2026-04-03T23:05:29.829Z",[],{"attackSurface":36,"codeSignals":78,"taintFlows":93,"riskAssessment":94,"analyzedAt":101},{"hooks":37,"ajaxHandlers":74,"restRoutes":75,"shortcodes":76,"cronEvents":77,"entryPointCount":23,"unprotectedCount":23},[38,44,50,54,59,63,67,71],{"type":39,"name":40,"callback":41,"file":42,"line":43},"action","init","gf_kgm_notification_attachment_init","gf-kgm-notification-attachment.php",29,{"type":45,"name":46,"callback":47,"priority":48,"file":42,"line":49},"filter","gform_notification","gf_kgm_notification_attachment_send",20,43,{"type":39,"name":51,"callback":52,"file":42,"line":53},"admin_enqueue_scripts","gf_kgm_notification_attachment_attach_script",44,{"type":45,"name":55,"callback":56,"priority":57,"file":42,"line":58},"gform_pre_notification_save","gf_kgm_notification_attachment_save",10,45,{"type":45,"name":60,"callback":61,"file":42,"line":62},"gform_noconflict_scripts","gf_kgm_notification_attachment_gform_noconflict",46,{"type":45,"name":64,"callback":65,"priority":57,"file":42,"line":66},"gform_notification_settings_fields","gf_kgm_notification_attachment_editor",47,{"type":39,"name":68,"callback":69,"file":42,"line":70},"admin_notices","gf_kgm_notification_attachment_check_conflicts",56,{"type":39,"name":68,"callback":72,"file":42,"line":73},"gf_kgm_notification_attachment_admin_notices",60,[],[],[],[],{"dangerousFunctions":79,"sqlUsage":80,"outputEscaping":82,"fileOperations":23,"externalRequests":23,"nonceChecks":23,"capabilityChecks":23,"bundledLibraries":92},[],{"prepar
ed":23,"raw":23,"locations":81},[],{"escaped":83,"rawEcho":84,"locations":85},16,2,[86,90],{"file":87,"line":88,"context":89},"includes\\notification.php",22,"raw output",{"file":87,"line":91,"context":89},37,[],[],{"summary":95,"deductions":96},"The plugin 'notification-attachments-for-gravity-forms' version 0.6.3 exhibits a generally positive security posture based on the provided static analysis and vulnerability history. The absence of known CVEs and a clean taint analysis indicate a lack of publicly disclosed or easily discoverable critical vulnerabilities. Furthermore, the code analysis reveals no dangerous functions, no SQL queries of any kind (neither raw nor prepared), no file operations, and no external HTTP requests, all of which are strong security indicators. Most output is properly escaped (16 of 18 output sites), which reduces the risk of cross-site scripting vulnerabilities; the two raw-output sites, at lines 22 and 37 of includes\\notification.php, should still be reviewed by hand.\n\nHowever, a significant concern arises from the scan detecting no capability checks and no nonce checks. While the static analysis reports zero entry points, this does not guarantee future security if new entry points are introduced or if existing ones are not properly secured. The absence of capability checks means that even if an entry point exists, it might be accessible to users without appropriate permissions, potentially leading to privilege escalation or unauthorized actions. The scan found no AJAX handlers, so the missing nonce checks are not an exposed flaw today, but any future or undiscovered handler without one would be vulnerable to Cross-Site Request Forgery (CSRF) attacks. Note that source comments captured in this record's fingerprints describe a permission check for editing Gravity Forms notifications and state that nonce verification is delegated to Gravity Forms, so the zero counts may reflect the limits of the scanner's pattern matching and should be confirmed against the plugin source. The vulnerability history, while clean, may also reflect a limited scope of past analysis or a lack of historical reporting rather than an absence of issues.\n\nIn conclusion, the plugin demonstrates good coding practices in several key areas, particularly regarding data handling and avoiding dangerous functions. The absence of historical vulnerabilities is a positive sign. 
Nevertheless, the only assurance reported here is the static analysis count of zero unprotected entry points, and the scan detected no capability or nonce checks; together these are a notable weakness. The plugin would be exposed if its attack surface expands or if existing entry points are misconfigured in the future. A more robust security approach would incorporate these fundamental checks regardless of the current reported entry points.",[97,99],{"reason":98,"points":57},"No capability checks",{"reason":100,"points":57},"No nonce checks","2026-03-16T18:30:24.383Z",{"wat":103,"direct":110},{"assetPaths":104,"generatorPatterns":106,"scriptPaths":107,"versionParams":108},[105],"\u002Fwp-content\u002Fplugins\u002Fnotification-attachments-for-gravity-forms\u002Fassets\u002Fscript.js",[],[],[109],"notification-attachments-for-gravity-forms\u002Fassets\u002Fscript.js?ver=",{"cssClasses":111,"htmlComments":113,"htmlAttributes":123,"restEndpoints":125,"jsGlobals":126,"shortcodeOutput":128},[112],"gf-kgm-remove-attachment",[114,115,116,117,118,118,119,120,121,122],"\u003C!-- Code for form inside Gravity Forms Notification setting (edited for Gravity Forms 2.5 -> https:\u002F\u002Fdocs.gravityforms.com\u002Fgform_notification_settings_fields\u002F) -->","\u003C!-- Security check: verify user has permission to edit Gravity Forms notifications -->","\u003C!-- Security check: verify we're in admin context -->","\u003C!-- Note: Nonce verification is handled by Gravity Forms since this is integrated in their form -->","\u003C!-- phpcs:ignore WordPress.Security.NonceVerification.Missing -- Gravity Forms handles nonce verification for the entire form -->","\u003C!-- Unslash and sanitize input before processing (WordPress Coding Standards requirement) -->","\u003C!-- Sanitize attachment ID before use -->","\u003C!-- Skip invalid attachment IDs -->","\u003C!-- Skip if attachment doesn't exist 
-->",[124],"data-id",[],[127],"gf_kgm_notification_attachment",[]]