[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fGanSfY4fuE14LCyBVMRs4Tx7sSrn1TK_4q1Mjg3YPWI":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":18,"download_link":21,"security_score":22,"vuln_count":23,"unpatched_count":24,"last_vuln_date":25,"fetched_at":26,"vulnerabilities":27,"developer":59,"crawl_stats":33,"alternatives":67,"analysis":68,"fingerprints":483},"one-page-express-companion","One Page Express Companion","1.6.46","Horea Radu","https:\u002F\u002Fprofiles.wordpress.org\u002Fhorearadu\u002F","\u003Cp>The One Page Express Companion plugin adds drag and drop page builder functionality to the One Page Express theme.\u003C\u002Fp>\n\u003Cp>The One Page Express Companion plugin features include:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Beautiful ready-made homepage\u003C\u002Fli>\n\u003Cli>Drag and drop page customization\u003C\u002Fli>\n\u003Cli>25 predefined content sections\u003C\u002Fli>\n\u003Cli>Live content editing \u003C\u002Fli>\n\u003Cli>and many other features\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>License\u003C\u002Fh3>\n\u003Cp>One Page Express Companion WordPress plugin, Copyright (C) 2017 Horea Radu\u003Cbr \u002F>\nOne Page Express Companion WordPress plugin is licensed under the GPL3 (https:\u002F\u002Fwww.gnu.org\u002Flicenses\u002Fgpl-3.0.en.html).\u003C\u002Fp>\n\u003Cp>Unless otherwise specified, all the theme files and scripts are licensed under GNU General Public License.\u003C\u002Fp>\n\u003Cp>The exceptions to this license are as follows:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>Hammer.JS – v2.0.8 – http:\u002F\u002Fhammerjs.github.io\u002F\u003Cbr \u002F>\nLicensed under the MIT license (https:\u002F\u002Fopensource.org\u002Flicenses\u002FMIT)\u003Cbr \u002F>\nCopyright (c) Jorik 
Tangelder;\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>modernizr v3.3.1 – https:\u002F\u002Fmodernizr.com\u002Fdownload?-setclasses-dontmin\u003Cbr \u002F>\nLicensed under the MIT license (https:\u002F\u002Fopensource.org\u002Flicenses\u002FMIT)\u003Cbr \u002F>\nCopyright (c) Faruk Ates, Paul Irish, Alex Sexton, Ryan Seddon, Patrick Kettner, Stu Cox, Richard Herrera\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Spectrum Colorpicker v1.8.0 – https:\u002F\u002Fgithub.com\u002Fbgrins\u002Fspectrum\u003Cbr \u002F>\nLicensed under the MIT license (https:\u002F\u002Fopensource.org\u002Flicenses\u002FMIT)\u003Cbr \u002F>\nCopyright (c) Brian Grinstead\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>SpeakingURL – https:\u002F\u002Fgithub.com\u002Fpid\u002Fspeakingurl\u003Cbr \u002F>\nLicensed under the BSD3 license (https:\u002F\u002Fopensource.org\u002Flicenses\u002FBSD-3-Clause)\u003Cbr \u002F>\nCopyright (c) 2013-2017 Sascha Droste \u003Ca href=\"mailto:pid@posteo.net\" rel=\"nofollow ugc\">pid@posteo.net\u003C\u002Fa>\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Kirki by Aristeides Stathopoulos – https:\u002F\u002Fgithub.com\u002Faristath\u002Fkirki\u003Cbr \u002F>\nLicensed under the MIT license (https:\u002F\u002Fopensource.org\u002Flicenses\u002FMIT)\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Images\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>The following images used in the plugin are distributed under Creative Commons Zero license, http:\u002F\u002Fcreativecommons.org\u002Fpublicdomain\u002Fzero\u002F1.0\u002F\u003C\u002Fp>\n\u003Cpre>\u003Ccode>* sections\u002Fimages\u002Fface2.jpg\nSource: https:\u002F\u002Funsplash.com\u002F@mariyageorgieva?photo=0O6Fv3Ff_XI - Copyright (c) Mariya Georgieva\n\n* sections\u002Fimages\u002Fface3.jpg\nSource: https:\u002F\u002Fpixabay.com\u002Fen\u002Fcoat-fashion-man-model-person-1846187\u002F\n\n* sections\u002Fimages\u002Fface4.jpg\nSource: 
https:\u002F\u002Funsplash.com\u002F@seteales?photo=C_1jjFJioWg - Copyright (c) Allef Vinicius\n\n* sections\u002Fimages\u002Fface5.jpg\nSource: https:\u002F\u002Funsplash.com\u002F@jgalafa?photo=2QiU4kgINVA - Copyright (c) Juan Galafa\n\n* sections\u002Fimages\u002Fface6.jpg\nSource: https:\u002F\u002Funsplash.com\u002F@tamarabellis?photo=Brl7bqld05E - Copyright (c) Tamara Bellis\n\n* sections\u002Fimages\u002Fface7.jpg\nSource: https:\u002F\u002Funsplash.com\u002F@mariyageorgieva?photo=0O6Fv3Ff_XI - Copyright (c) Mariya Georgieva\n\n* sections\u002Fimages\u002Fface9.jpg\nSource: https:\u002F\u002Funsplash.com\u002F@marty?photo=h1BuNJZzpC8 - Copyright (c) Matthew Dix\n\n* sections\u002Fimages\u002Fface10.jpg\nSource: https:\u002F\u002Funsplash.com\u002F@reddangelo16?photo=dfh54HEvEGI - Copyright (c) Redd Angelo\n\n* sections\u002Fimages\u002Fface11.jpg\nSource: https:\u002F\u002Funsplash.com\u002F@ismaelnieto?photo=G-eETuefh8Y - Copyright (c) Cristian Newman\n\n* sections\u002Fimages\u002Ffeature-1.jpg\nSource: https:\u002F\u002Funsplash.com\u002F@drewjohncollins?photo=a7Y9Oy1Lprk - Copyright (c) Drew Collins\n\n* sections\u002Fimages\u002Ffeature-2.jpg\nSource: https:\u002F\u002Funsplash.com\u002F@ultralinx?photo=_8S9nEmCZK0 - Copyright (c) Oliur Rahman\n\n* sections\u002Fimages\u002Ffeature-3.jpg\nSource: https:\u002F\u002Funsplash.com\u002F@bramnaus?photo=n8Qb1ZAkK88 - Copyright (c) Bram Naus\n\n* sections\u002Fimages\u002Ffeature-4.jpg\nSource: https:\u002F\u002Funsplash.com\u002Fsearch\u002Fcoffee?photo=F_EfOSXh0sI - Copyright (c) frankie\n\n* sections\u002Fimages\u002Fproject1.jpg\nSource: https:\u002F\u002Funsplash.com\u002F@firmbee?photo=jrh5lAq-mIs - Copyright (c) William Iven\n\n* sections\u002Fimages\u002Fproject2.jpg\nSource: https:\u002F\u002Funsplash.com\u002F@kmuza?photo=hpjSkU2UYSU - Copyright (c) Carlos Muza\n\n* sections\u002Fimages\u002Fproject3.jpg\nSource: https:\u002F\u002Funsplash.com\u002F@crew?photo=A5-Xr7WyktQ - Copyright (c) Crew\n\n* 
sections\u002Fimages\u002Ffull-height-column.jpg\nSource: https:\u002F\u002Funsplash.com\u002F@flenjoore?photo=unRkg2jH1j0 - Copyright (c) Olu Eletu\n\n* sections\u002Fimages\u002FTravel_through_New_York_wallpaper-1920x1200.jpg\nSource: http:\u002F\u002Fwww.uhdwallpapers.org\u002F2015\u002F05\u002Ftravel-new-york-wallpapers-free-photos.html - Copyright (c) Julian Alexander\n\n* sections\u002Fimages\u002Fdrew-collins-155674.jpg\nSource: https:\u002F\u002Funsplash.com\u002F@drewjohncollins?photo=a7Y9Oy1Lprk - Copyright (c) Drew Collins\n\n* sections\u002Fimages\u002Fir5likvfqc4-william-iven-1920x1275.jpg\nSource: https:\u002F\u002Funsplash.com\u002F@firmbee?photo=ir5lIkVFqC4 - Copyright (c) William Iven\n\n* sections\u002Fimages\u002Fnordwood-themes-180852.jpg\nSource: https:\u002F\u002Funsplash.com\u002F@nordwood?photo=Sf2TRU7ShO8 - Copyright (c) NordWood Themes\n\n* sections\u002Fimages\u002Frodion-kutsaev-184298-1920x1280.jpg\nSource: https:\u002F\u002Funsplash.com\u002F@frostroomhead?photo=0VGG7cqTwCo - Copyright (c) Rodion Kutsaev\n\n* sections\u002Fimages\u002Ftimothy-muza-572-1920x1281.jpg\nSource: https:\u002F\u002Funsplash.com\u002F@timothymuza?photo=6VjPmyMj5KM - Copyright (c) Timothy Muza\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Images used as logo examples in the “clients” sections are distributed under Creative Commons Attribution 4.0, https:\u002F\u002Fcreativecommons.org\u002Flicenses\u002Fby\u002F4.0\u002F\u003C\u002Fp>\n\u003Cpre>\u003Ccode>* sections\u002Fimages\u002Flogo1.png\n* sections\u002Fimages\u002Flogo2.png\n* sections\u002Fimages\u002Flogo3.png\n* sections\u002Fimages\u002Flogo5.png\n* sections\u002Fimages\u002Flogo6.png\n* sections\u002Fimages\u002Flogo7.png\n* sections\u002Fimages\u002Flogo9.png\n* 
sections\u002Fimages\u002Flogo10.png\nSources:\nhttp:\u002F\u002Fwww.logoopenstock.com\u002Fdownload-logo\u002F64883\u002Fcreative-cube-logo-icons\nhttp:\u002F\u002Fwww.logoopenstock.com\u002Fdownload-logo\u002F64885\u002Freal-estate-logo-icon-pack\nhttp:\u002F\u002Fwww.logoopenstock.com\u002Fdownload-logo\u002F64885\u002Freal-estate-logo-icon-pack\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>The following images are exported from Font Awesome\u003C\u002Fp>\n\u003Cp>Font Awesome 4.7.0 by @davegandy – http:\u002F\u002Ffontawesome.io – @fontawesome\u003Cbr \u002F>\nLicense – http:\u002F\u002Ffontawesome.io\u002Flicense (Font: SIL OFL 1.1, CSS: MIT License)\u003C\u002Fp>\n\u003Cpre>\u003Ccode>* customizer\u002Fassets\u002Ficons\u002Fbrush-hover.png\n* customizer\u002Fassets\u002Ficons\u002Fbrush.png\n* customizer\u002Fassets\u002Ficons\u002Fcheck.png\n* customizer\u002Fassets\u002Ficons\u002Fchevron-right.png\n* customizer\u002Fassets\u002Ficons\u002Fclose.png\n* customizer\u002Fassets\u002Ficons\u002Fcog-white.png\n* customizer\u002Fassets\u002Ficons\u002Fcog.png\n* customizer\u002Fassets\u002Ficons\u002Fplus-black.png\n* customizer\u002Fassets\u002Ficons\u002Fplus.png\n* customizer\u002Fassets\u002Ficons\u002Fswap.png\n* customizer\u002Fassets\u002Ficons\u002Ftoggle-menu-active.png\n* customizer\u002Fassets\u002Ficons\u002Ftoggle-menu.png\n* customizer\u002Fassets\u002Ficons\u002Ftoolbar-cog.png\n* customizer\u002Fassets\u002Ficons\u002Ftrash-o.png\n* customizer\u002Fassets\u002Ficons\u002Ftrash.png\n* customizer\u002Fassets\u002Ficons\u002Fup-down.png\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>The following images are the creation of Horea Radu and are distributed under the Creative Commons Zero License, 
http:\u002F\u002Fcreativecommons.org\u002Fpublicdomain\u002Fzero\u002F1.0\u002F\u003C\u002Fp>\n\u003Cul>\n\u003Cli>sections\u002Fimages\u002Fquote.png\u003C\u002Fli>\n\u003Cli>customizer\u002Fassets\u002Ficons\u002Freorder-handler.png\u003C\u002Fli>\n\u003C\u002Ful>\n","The One Page Express Companion plugin adds drag and drop page builder functionality to the One Page Express theme.",10000,682168,94,11,"2025-11-24T11:50:00.000Z","6.9.4","5.6","",[20],"onepage-companion-drag-drop-builder","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fone-page-express-companion.zip",98,2,0,"2025-10-16 00:00:00","2026-03-15T15:16:48.613Z",[28,44],{"id":29,"url_slug":30,"title":31,"description":32,"plugin_slug":4,"theme_slug":33,"affected_versions":34,"patched_in_version":35,"severity":36,"cvss_score":37,"cvss_vector":38,"vuln_type":39,"published_date":25,"updated_date":40,"references":41,"days_to_patch":43},"CVE-2025-62052","one-page-express-companion-missing-authorization","One Page Express Companion \u003C= 1.6.43 - Missing Authorization","The One Page Express Companion plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.6.43. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.",null,"\u003C=1.6.43","1.6.44","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2025-10-23 14:12:41",[42],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F421ed38f-cf0b-437f-a477-5bae7963e9e6?source=api-prod",8,{"id":45,"url_slug":46,"title":47,"description":48,"plugin_slug":4,"theme_slug":33,"affected_versions":49,"patched_in_version":50,"severity":36,"cvss_score":51,"cvss_vector":52,"vuln_type":53,"published_date":54,"updated_date":55,"references":56,"days_to_patch":58},"CVE-2024-4703","one-page-express-companion-authenticated-contributor-stored-cross-site-scripting-via-onepageexpresscontactform-shortcode","One Page Express Companion \u003C= 1.6.37 - Authenticated (Contributor+) Stored Cross-Site Scripting via one_page_express_contact_form Shortcode","The One Page Express Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's one_page_express_contact_form shortcode in all versions up to, and including, 1.6.37 due to insufficient input sanitization and output escaping on user supplied attributes. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","\u003C=1.6.37","1.6.38",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2024-06-06 00:00:00","2024-06-07 07:35:28",[57],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa00a5c41-b211-45e4-acf8-01fd8e64b1c0?source=api-prod",1,{"slug":60,"display_name":7,"profile_url":8,"plugin_count":61,"total_installs":62,"avg_security_score":63,"avg_patch_time_days":64,"trust_score":65,"computed_at":66},"horearadu",3,76000,97,181,77,"2026-04-04T22:01:56.447Z",[],{"attackSurface":69,"codeSignals":322,"taintFlows":439,"riskAssessment":475,"analyzedAt":482},{"hooks":70,"ajaxHandlers":283,"restRoutes":309,"shortcodes":310,"cronEvents":320,"entryPointCount":321,"unprotectedCount":58},[71,77,82,86,90,94,98,103,107,110,114,117,120,125,129,131,134,137,140,144,147,150,155,159,164,168,173,177,181,183,187,192,195,197,200,205,209,213,216,218,221,223,225,227,230,232,235,238,242,245,248,250,253,257,261,265,269,272,275,278,280],{"type":72,"name":73,"callback":74,"file":75,"line":76},"filter","one_page_exress_companion_installed","__return_true","src\\Companion.php",26,{"type":78,"name":79,"callback":80,"file":75,"line":81},"action","init","initCompanion",49,{"type":72,"name":83,"callback":84,"file":75,"line":85},"cloudpress\\companion\\cp_data","getInstanceData",52,{"type":72,"name":87,"callback":88,"priority":24,"file":75,"line":89},"page_row_actions","addEditInCustomizer",89,{"type":78,"name":91,"callback":92,"file":75,"line":93},"admin_footer","addAdminScripts",91,{"type":78,"name":95,"callback":96,"file":75,"line":97},"media_buttons","addEditInCustomizerPageButtons",93,{"type":72,"name":99,"callback":100,"priority":101,"file":75,"l
ine":102},"is_protected_meta","isProtectedMeta",10,95,{"type":78,"name":104,"callback":105,"file":75,"line":106},"enqueue_block_editor_assets","gutenbergEditInCustomizerButton",105,{"type":72,"name":108,"callback":74,"file":75,"line":109},"cloudpress\\customizer\\supports",196,{"type":72,"name":111,"callback":112,"priority":101,"file":75,"line":113},"http_request_args","closure",261,{"type":72,"name":115,"callback":74,"file":75,"line":116},"is_shortcode_refresh",867,{"type":72,"name":118,"callback":112,"priority":101,"file":75,"line":119},"wp_resource_hints",891,{"type":72,"name":121,"callback":122,"file":123,"line":124},"customize_dynamic_setting_args","__autoSettingsOptions","src\\Customizer\\Customizer.php",41,{"type":72,"name":126,"callback":127,"priority":101,"file":123,"line":128},"customize_dynamic_setting_class","__autoSettingsClass",42,{"type":78,"name":130,"callback":112,"file":123,"line":65},"admin_enqueue_scripts",{"type":78,"name":132,"callback":112,"file":123,"line":133},"customize_controls_print_scripts",111,{"type":78,"name":135,"callback":112,"file":123,"line":136},"customize_controls_print_footer_scripts",145,{"type":78,"name":138,"callback":112,"file":123,"line":139},"wp_footer",311,{"type":78,"name":141,"callback":142,"file":123,"line":143},"customize_register","anonymous",555,{"type":78,"name":145,"callback":142,"file":123,"line":146},"customize_controls_enqueue_scripts",559,{"type":78,"name":148,"callback":142,"file":123,"line":149},"customize_preview_init",563,{"type":78,"name":151,"callback":152,"file":153,"line":154},"cloudpress\\customizer\\global_scripts","__popupsTemplates","src\\Customizer\\Panels\\ContentPanel.php",13,{"type":78,"name":156,"callback":157,"file":153,"line":158},"cloudpress\\customizer\\preview_scripts","loadWPEditor",14,{"type":72,"name":160,"callback":161,"priority":101,"file":162,"line":163},"cloudpress\\customizer\\temp_mod_exists","tempKeyExists","src\\Customizer\\Settings\\ObjectSetting.php",43,{"type":72,"name":165
,"callback":166,"priority":101,"file":162,"line":167},"cloudpress\\customizer\\temp_mod_content","__tempContent",44,{"type":72,"name":169,"callback":170,"file":171,"line":172},"cloudpress\\customizer\\global_data","__prepareStaticSections","src\\Customizer\\Template.php",18,{"type":72,"name":174,"callback":175,"priority":24,"file":171,"line":176},"the_content","filterContent",20,{"type":72,"name":178,"callback":179,"file":171,"line":180},"template_include","filterTemplateFile",22,{"type":78,"name":182,"callback":112,"file":171,"line":113},"widgets_init",{"type":78,"name":184,"callback":112,"priority":24,"file":185,"line":186},"admin_notices","src\\Notify\\Notification.php",112,{"type":72,"name":188,"callback":189,"file":190,"line":191},"http_request_timeout","requestTimeout","src\\Notify\\NotificationsManager.php",68,{"type":78,"name":193,"callback":112,"file":190,"line":194},"admin_head",122,{"type":78,"name":91,"callback":112,"file":190,"line":196},156,{"type":78,"name":198,"callback":112,"file":199,"line":23},"cloudpress\\companion\\activated\\one-page-express","support\\wp-5.8.php",{"type":72,"name":201,"callback":202,"file":203,"line":204},"show_inactive_plugin_infos","__return_false","theme-data\\one-page-express\\functions.php",4,{"type":72,"name":206,"callback":207,"file":203,"line":208},"excerpt_length","one_page_express_latest_news_excerpt_length",39,{"type":72,"name":210,"callback":211,"file":203,"line":212},"excerpt_more","one_page_express_latest_excerpt_more",40,{"type":72,"name":214,"callback":112,"file":203,"line":215},"cloudpress\\template\\page_content",133,{"type":72,"name":83,"callback":112,"priority":101,"file":203,"line":217},146,{"type":78,"name":219,"callback":112,"file":203,"line":220},"cloudpress\\template\\load_assets",170,{"type":78,"name":156,"callback":112,"file":203,"line":222},189,{"type":78,"name":151,"callback":112,"file":203,"line":224},203,{"type":78,"name":198,"callback":112,"file":203,"line":226},399,{"type":78,"name":228,"callba
ck":112,"file":203,"line":229},"cloudpress\\companion\\deactivated\\one-page-express",406,{"type":78,"name":193,"callback":112,"file":203,"line":231},412,{"type":72,"name":233,"callback":112,"priority":101,"file":203,"line":234},"cloudpress\\companion\\front_page_content",460,{"type":72,"name":236,"callback":112,"priority":101,"file":203,"line":237},"cloudpress\\companion\\template",471,{"type":72,"name":239,"callback":240,"file":203,"line":241},"body_class","one_page_express_homepage_class",485,{"type":72,"name":239,"callback":243,"file":203,"line":244},"one_page_express_maintaibale_class",489,{"type":72,"name":246,"callback":112,"file":203,"line":247},"cloudpress\\customizer\\control\\content_sections\\data",522,{"type":72,"name":249,"callback":112,"priority":101,"file":203,"line":143},"cloudpress\\customizer\\control\\content_sections\\category_label",{"type":78,"name":251,"callback":112,"file":203,"line":252},"wp_head",579,{"type":78,"name":254,"callback":255,"file":203,"line":256},"edit_form_after_title","one_page_express_add_maintainable_filter",609,{"type":72,"name":258,"callback":259,"file":203,"line":260},"tiny_mce_before_init","one_page_express_maintainable_pages_tinymce_init",624,{"type":78,"name":262,"callback":263,"file":203,"line":264},"edit_form_after_editor","one_page_express_remove_page_attribute_support",655,{"type":72,"name":266,"callback":267,"file":203,"line":268},"one_page_express_header_presets","one_page_express_header_presets_pro_info",658,{"type":78,"name":270,"callback":112,"file":203,"line":271},"admin_init",736,{"type":78,"name":184,"callback":273,"file":203,"line":274},"one_page_express_discount_notice",741,{"type":78,"name":91,"callback":276,"file":203,"line":277},"one_page_express_discount_notice_script",742,{"type":78,"name":151,"callback":112,"file":203,"line":279},744,{"type":78,"name":193,"callback":112,"file":281,"line":282},"theme-data\\one-page-express\\notifications.php",54,[284,290,294,298,302,306],{"action":285,"nopriv":286,
"callback":287,"hasNonce":288,"hasCapCheck":286,"file":75,"line":289},"create_home_page",false,"createFrontPage",true,84,{"action":291,"nopriv":286,"callback":292,"hasNonce":288,"hasCapCheck":288,"file":75,"line":293},"cp_open_in_customizer","openPageInCustomizer",86,{"action":295,"nopriv":286,"callback":296,"hasNonce":288,"hasCapCheck":288,"file":75,"line":297},"cp_shortcode_refresh","shortcodeRefresh",87,{"action":299,"nopriv":286,"callback":300,"hasNonce":288,"hasCapCheck":288,"file":190,"line":301},"extendthemes_get_remote_data_notifications","getRemoteNotifications",104,{"action":303,"nopriv":286,"callback":304,"hasNonce":288,"hasCapCheck":288,"file":190,"line":305},"cp_dismiss_notification","dismissNotification",153,{"action":307,"nopriv":286,"callback":112,"hasNonce":286,"hasCapCheck":286,"file":203,"line":308},"one_page_express_discount_notice_dismiss",707,[],[311,314,317],{"tag":312,"callback":312,"file":203,"line":313},"one_page_express_latest_news",82,{"tag":315,"callback":315,"file":203,"line":316},"one_page_express_blog_link",96,{"tag":318,"callback":318,"file":203,"line":319},"one_page_express_contact_form",131,[],9,{"dangerousFunctions":323,"sqlUsage":324,"outputEscaping":328,"fileOperations":61,"externalRequests":23,"nonceChecks":436,"capabilityChecks":437,"bundledLibraries":438},[],{"prepared":23,"raw":58,"locations":325},[326],{"file":203,"line":124,"context":327},"$wpdb->query() with variable interpolation",{"escaped":329,"rawEcho":282,"locations":330},242,[331,333,335,337,339,341,343,345,347,350,352,354,357,360,361,362,363,364,365,367,369,371,373,375,377,379,381,383,385,387,389,391,393,395,397,399,401,403,405,407,409,411,413,415,417,419,421,423,425,427,429,431,432,434],{"file":75,"line":217,"context":332},"raw 
output",{"file":75,"line":334,"context":332},147,{"file":75,"line":336,"context":332},644,{"file":75,"line":338,"context":332},702,{"file":75,"line":340,"context":332},717,{"file":75,"line":342,"context":332},791,{"file":75,"line":344,"context":332},881,{"file":75,"line":346,"context":332},997,{"file":348,"line":349,"context":332},"src\\Customizer\\Controls\\BackroundTypesControl.php",19,{"file":348,"line":351,"context":332},45,{"file":348,"line":353,"context":332},46,{"file":355,"line":356,"context":332},"src\\Customizer\\Controls\\MultiImageControl.php",33,{"file":358,"line":359,"context":332},"src\\Customizer\\Controls\\RowsListControl.php",32,{"file":358,"line":128,"context":332},{"file":358,"line":93,"context":332},{"file":358,"line":63,"context":332},{"file":358,"line":63,"context":332},{"file":358,"line":63,"context":332},{"file":123,"line":366,"context":332},175,{"file":123,"line":368,"context":332},204,{"file":123,"line":370,"context":332},208,{"file":123,"line":372,"context":332},220,{"file":123,"line":374,"context":332},226,{"file":123,"line":376,"context":332},231,{"file":123,"line":378,"context":332},241,{"file":123,"line":380,"context":332},342,{"file":171,"line":382,"context":332},199,{"file":185,"line":384,"context":332},132,{"file":190,"line":386,"context":332},169,{"file":190,"line":388,"context":332},172,{"file":203,"line":390,"context":332},59,{"file":203,"line":392,"context":332},117,{"file":203,"line":394,"context":332},119,{"file":203,"line":396,"context":332},275,{"file":203,"line":398,"context":332},279,{"file":203,"line":400,"context":332},280,{"file":203,"line":402,"context":332},281,{"file":203,"line":404,"context":332},287,{"file":203,"line":406,"context":332},288,{"file":203,"line":408,"context":332},289,{"file":203,"line":410,"context":332},379,{"file":203,"line":412,"context":332},380,{"file":203,"line":414,"context":332},381,{"file":203,"line":416,"context":332},385,{"file":203,"line":418,"context":332},386,{"file":203,"line":420,"co
ntext":332},387,{"file":203,"line":422,"context":332},391,{"file":203,"line":424,"context":332},589,{"file":203,"line":426,"context":332},598,{"file":203,"line":428,"context":332},698,{"file":203,"line":430,"context":332},728,{"file":281,"line":180,"context":332},{"file":281,"line":433,"context":332},38,{"file":281,"line":435,"context":332},47,6,5,[],[440,457,466],{"entryPoint":441,"graph":442,"unsanitizedCount":24,"severity":456},"openPageInCustomizer (src\\Companion.php:751)",{"nodes":443,"edges":454},[444,449],{"id":445,"type":446,"label":447,"file":75,"line":448},"n0","source","$_REQUEST",756,{"id":450,"type":451,"label":452,"file":75,"line":342,"wp_function":453},"n1","sink","echo() [XSS]","echo",[455],{"from":445,"to":450,"sanitized":288},"low",{"entryPoint":458,"graph":459,"unsanitizedCount":24,"severity":456},"shortcodeRefresh (src\\Companion.php:860)",{"nodes":460,"edges":464},[461,463],{"id":445,"type":446,"label":447,"file":75,"line":462},869,{"id":450,"type":451,"label":452,"file":75,"line":344,"wp_function":453},[465],{"from":445,"to":450,"sanitized":288},{"entryPoint":467,"graph":468,"unsanitizedCount":24,"severity":456},"\u003CCompanion> (src\\Companion.php:0)",{"nodes":469,"edges":473},[470,472],{"id":445,"type":446,"label":471,"file":75,"line":448},"$_REQUEST (x2)",{"id":450,"type":451,"label":452,"file":75,"line":342,"wp_function":453},[474],{"from":445,"to":450,"sanitized":288},{"summary":476,"deductions":477},"The one-page-express-companion plugin v1.6.46 exhibits a mixed security posture. While it demonstrates good practices in areas like SQL query preparation and output escaping, certain aspects raise concerns. The presence of one unprotected AJAX handler presents a direct attack vector that could be exploited without proper authentication.  
Despite a relatively low number of entry points, this unprotected handler is a significant weakness.\n\nThe vulnerability history shows past medium-severity issues, specifically related to missing authorization and cross-site scripting. Although there are currently no unpatched vulnerabilities, the recurring nature of these vulnerability types suggests potential underlying coding patterns that might lead to similar issues in the future if not addressed comprehensively. The plugin's static analysis reveals no critical or high-severity taint flows, which is a positive sign, but the unprotected AJAX handler remains a notable risk.\n\nIn conclusion, the plugin has strengths in its secure handling of SQL and output, but the unprotected AJAX endpoint is a critical flaw that demands immediate attention. The history of medium-severity vulnerabilities, though patched, warrants vigilance. Addressing the unprotected AJAX handler is paramount to improving the plugin's overall security.",[478,480],{"reason":479,"points":101},"Unprotected AJAX handler",{"reason":481,"points":101},"Past medium severity vulnerabilities (Missing Auth, 
XSS)","2026-03-16T17:35:57.218Z",{"wat":484,"direct":496},{"assetPaths":485,"generatorPatterns":489,"scriptPaths":490,"versionParams":493},[486,487,488],"\u002Fwp-content\u002Fplugins\u002Fone-page-express-companion\u002Fassets\u002Fjs\u002Fcustomizer\u002Fcustomizer-base.js","\u002Fwp-content\u002Fplugins\u002Fone-page-express-companion\u002Fassets\u002Fjs\u002Fcustomizer\u002Fmulti-image-control.js","\u002Fwp-content\u002Fplugins\u002Fone-page-express-companion\u002Fassets\u002Fjs\u002Fcustomizer\u002Frow-list-control.js",[],[491,492],"\u002Fwp-content\u002Fplugins\u002Fone-page-express-companion\u002Fvendor\u002Fframework\u002Fassets\u002Fjs\u002Fapp.js","\u002Fwp-content\u002Fplugins\u002Fone-page-express-companion\u002Fvendor\u002Fframework\u002Fassets\u002Fjs\u002Fcustomizer\u002Fapp.js",[494,495],"one-page-express-companion\u002Fstyle.css?ver=","one-page-express-companion\u002Fscript.js?ver=",{"cssClasses":497,"htmlComments":509,"htmlAttributes":512,"restEndpoints":524,"jsGlobals":525,"shortcodeOutput":529},[498,499,500,501,502,503,504,505,506,507,508],"cp-multi-image-manager","cp-multi-image-item","rows-list","available-item","already-in-page","list-holder","image-holder","available-item-hover-button","checked-icon","pro-icon","item-preview",[510,511],"\u003C!-- Section is already in page -->","\u003C!-- Pro Only -->",[513,514,515,516,517,518,519,520,521,522,523],"data-type=\"cp-multi-image-manager\"","data-min","data-max","data-setting-link","data-name","data-selection","data-type=\"row-list-control\"","data-apply","data-id","data-varname","data-preview",[],[526,527,528],"cpMultiImageTexts","CP_Customizer.openMediaBrowser","cp_preset_changer_",[]]