[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fFM_vhErDSE1YXAUekFDhttXlk_GHEwXYpjJoidDVo4I":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":21,"download_link":22,"security_score":23,"vuln_count":24,"unpatched_count":24,"last_vuln_date":25,"fetched_at":26,"vulnerabilities":27,"developer":28,"crawl_stats":25,"alternatives":36,"analysis":37,"fingerprints":190},"omnisearch","Global Admin Search","0.9.1","George Stephanis","https:\u002F\u002Fprofiles.wordpress.org\u002Fgeorgestephanis\u002F","\u003Cp>More details forthcoming.\u003C\u002Fp>\n","This is a proposal for inclusion in Core in 3.8",10,2963,100,1,"2013-10-27T20:54:00.000Z","3.7.41","3.5","",[20,4],"core-plugins","https:\u002F\u002Fgithub.com\u002Fgeorgestephanis\u002Fomnisearch","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fomnisearch.zip",85,0,null,"2026-03-15T15:16:48.613Z",[],{"slug":29,"display_name":7,"profile_url":8,"plugin_count":30,"total_installs":31,"avg_security_score":32,"avg_patch_time_days":33,"trust_score":34,"computed_at":35},"georgestephanis",16,15630,86,30,84,"2026-04-04T14:53:40.960Z",[],{"attackSurface":38,"codeSignals":96,"taintFlows":127,"riskAssessment":174,"analyzedAt":189},{"hooks":39,"ajaxHandlers":88,"restRoutes":93,"shortcodes":94,"cronEvents":95,"entryPointCount":14,"unprotectedCount":14},[40,46,48,51,53,56,61,64,68,72,76,81,85],{"type":41,"name":42,"callback":43,"priority":11,"file":44,"line":45},"filter","wp_search_results","search","wp-admin\\includes\\class-wp-search-comments.php",12,{"type":41,"name":47,"callback":47,"file":44,"line":30},"comment_row_actions",{"type":41,"name":42,"callback":43,"priority":11,"file":49,"line":50},"wp-admin\\includes\\class-wp-search-media.php",11,{"type":41,"name":42,"callback":43,"priority":11,"file":52,"lin
e":50},"wp-admin\\includes\\class-wp-search-plugins.php",{"type":41,"name":42,"callback":43,"priority":11,"file":54,"line":55},"wp-admin\\includes\\class-wp-search-posts.php",17,{"type":57,"name":58,"callback":59,"file":54,"line":60},"action","page_row_actions","filter_row_actions",21,{"type":57,"name":62,"callback":59,"file":54,"line":63},"post_row_actions",22,{"type":41,"name":65,"callback":66,"file":54,"line":67},"the_title","esc_html",88,{"type":57,"name":69,"callback":70,"file":71,"line":45},"admin_init","add_providers","wp-admin\\includes\\class-wp-search.php",{"type":57,"name":73,"callback":73,"priority":74,"file":71,"line":75},"admin_menu",20,13,{"type":57,"name":77,"callback":78,"priority":79,"file":71,"line":80},"admin_bar_menu","admin_bar_search",4,14,{"type":41,"name":82,"callback":83,"file":71,"line":84},"wp_search_num_results","search_num_results",15,{"type":41,"name":86,"callback":87,"file":71,"line":30},"wp_search_auto_post_types","filter_post_types",[89],{"action":90,"nopriv":91,"callback":92,"hasNonce":91,"hasCapCheck":91,"file":52,"line":45},"wp_search_plugins",false,"wp_ajax_wp_search_plugins",[],[],[],{"dangerousFunctions":97,"sqlUsage":98,"outputEscaping":100,"fileOperations":24,"externalRequests":24,"nonceChecks":24,"capabilityChecks":125,"bundledLibraries":126},[],{"prepared":24,"raw":24,"locations":99},[],{"escaped":63,"rawEcho":80,"locations":101},[102,105,107,109,111,113,114,116,117,118,119,121,122,124],{"file":52,"line":103,"context":104},61,"raw 
output",{"file":54,"line":106,"context":104},76,{"file":71,"line":108,"context":104},72,{"file":71,"line":110,"context":104},91,{"file":71,"line":112,"context":104},146,{"file":71,"line":112,"context":104},{"file":71,"line":115,"context":104},148,{"file":71,"line":115,"context":104},{"file":71,"line":115,"context":104},{"file":71,"line":115,"context":104},{"file":71,"line":120,"context":104},150,{"file":71,"line":120,"context":104},{"file":71,"line":123,"context":104},152,{"file":71,"line":123,"context":104},3,[],[128,145,154,166],{"entryPoint":129,"graph":130,"unsanitizedCount":14,"severity":144},"wp_ajax_wp_search_plugins (wp-admin\\includes\\class-wp-search-plugins.php:58)",{"nodes":131,"edges":142},[132,137],{"id":133,"type":134,"label":135,"file":52,"line":136},"n0","source","$_REQUEST",59,{"id":138,"type":139,"label":140,"file":52,"line":103,"wp_function":141},"n1","sink","echo() [XSS]","echo",[143],{"from":133,"to":138,"sanitized":91},"medium",{"entryPoint":146,"graph":147,"unsanitizedCount":14,"severity":153},"\u003Cclass-wp-search-plugins> (wp-admin\\includes\\class-wp-search-plugins.php:0)",{"nodes":148,"edges":151},[149,150],{"id":133,"type":134,"label":135,"file":52,"line":136},{"id":138,"type":139,"label":140,"file":52,"line":103,"wp_function":141},[152],{"from":133,"to":138,"sanitized":91},"low",{"entryPoint":155,"graph":156,"unsanitizedCount":24,"severity":153},"search_page (wp-admin\\includes\\class-wp-search.php:62)",{"nodes":157,"edges":163},[158,161],{"id":133,"type":134,"label":159,"file":71,"line":160},"$_GET",64,{"id":138,"type":139,"label":140,"file":71,"line":162,"wp_function":141},87,[164],{"from":133,"to":138,"sanitized":165},true,{"entryPoint":167,"graph":168,"unsanitizedCount":24,"severity":153},"\u003Cclass-wp-search> 
(wp-admin\\includes\\class-wp-search.php:0)",{"nodes":169,"edges":172},[170,171],{"id":133,"type":134,"label":159,"file":71,"line":160},{"id":138,"type":139,"label":140,"file":71,"line":162,"wp_function":141},[173],{"from":133,"to":138,"sanitized":165},{"summary":175,"deductions":176},"The Omnisearch v0.9.1 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for all SQL queries and avoiding dangerous functions, file operations, and external HTTP requests. It also has a clean vulnerability history with no recorded CVEs, suggesting a relatively stable and secure codebase historically.\n\nHowever, significant concerns arise from the static analysis. The plugin has a single entry point via an AJAX handler that lacks authentication checks. This unprotected AJAX endpoint presents a clear risk, as it could be exploited by unauthenticated users to trigger arbitrary actions or disclose information. Furthermore, the taint analysis revealed two flows with unsanitized paths, indicating potential vulnerabilities that could be leveraged if an attacker can control the input leading to these paths.\n\nWhile the absence of known CVEs is encouraging, the unprotected AJAX endpoint and the unsanitized paths identified by the taint analysis are critical findings that cannot be overlooked. The plugin has a small attack surface, but the unprotected nature of its sole entry point is a major weakness. 
Robust security would necessitate authentication and capability checks on all AJAX handlers, and proper sanitization of any data flowing through identified unsanitized paths.",[177,180,183,186],{"reason":178,"points":179},"Unprotected AJAX handler",8,{"reason":181,"points":182},"Flows with unsanitized paths (taint analysis)",6,{"reason":184,"points":185},"Limited capability checks",2,{"reason":187,"points":188},"Output escaping concerns (61% proper)",5,"2026-03-16T23:54:32.391Z",{"wat":191,"direct":197},{"assetPaths":192,"generatorPatterns":194,"scriptPaths":195,"versionParams":196},[193],"\u002Fwp-content\u002Fplugins\u002Fomnisearch\u002Fcss\u002Fglobal-search.css",[],[],[],{"cssClasses":198,"htmlComments":208,"htmlAttributes":209,"restEndpoints":211,"jsGlobals":213,"shortcodeOutput":216},[199,200,201,202,203,204,205,206,207],"global-search","wp-search-form","wp-search","wp-search-submit","add-new-h2","no-results","jump-to","wp-search-results","back-to-top",[],[210],"data-label",[212],"\u002Fwp-json\u002Fomnisearch\u002F",[214,215],"search_term","num_results",[]]