[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fvLU41c8jIPnZFRTvc1eAeT9fNyrYMifvD37Mpfqg-xI":3,"$flykFAKfqiK62y1dzmcwBbdjrf9P3YE9_eyYSN0URjpA":118,"$fd3EURtBbT5KjuoJgrw_GBerZlkdFLUo0FyT1X12JY6I":123},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":19,"download_link":20,"security_score":21,"vuln_count":13,"unpatched_count":13,"last_vuln_date":22,"fetched_at":23,"discovery_status":24,"vulnerabilities":25,"developer":26,"crawl_stats":22,"alternatives":34,"analysis":35,"fingerprints":89},"password-confirm-action","Password Confirm Action","0.2.0","Stephen Harris","https:\u002F\u002Fprofiles.wordpress.org\u002Fstephenharris\u002F","\u003Ch4>Context\u003C\u002Fh4>\n\u003Cp>Please see \u003Ca href=\"https:\u002F\u002Fcore.trac.wordpress.org\u002Fticket\u002F20140\" rel=\"nofollow ugc\">Trac Ticket 20140\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>XSS attacks and ‘lunch time raid’ attacks, among others, can allow an attacker to ‘steal’ a log-in session, and act as an authenticated user without knowing that user’s password.\u003Cbr \u002F>\nThe aim of this plugin is to prevent that user from being able to engineer permanent access to the site. 
They may attempt to do this by doing one or more of the following:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Setting the password of the hijacked user to one of their choosing\u003C\u002Fli>\n\u003Cli>Changing the e-mail of the hijacked user\u003C\u002Fli>\n\u003Cli>Creating a new user \u003C\u002Fli>\n\u003Cli>Changing the role of their account to escalate privileges\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>The plugin prevents the attacker from doing any of these by prompting them for the user’s password.\u003C\u002Fp>\n\u003Ch4>Caveat\u003C\u002Fh4>\n\u003Cp>Of course by default WordPress allows administrative users the ability to install arbitrary plugins and themes, and edit existing plugins\u002Fthemes through in-built editors. These freedoms render the above solution impotent. It is outside of the immediate scope of this plugin to password protect those features, though it may be considered at a later date.\u003Cbr \u002F>\nIt’s the advice of the plugin author that you should disable such features in your site’s \u003Ccode>wp-config.php\u003C\u002Fcode> by adding:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define( 'DISALLOW_FILE_MODS', true ); \u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>as outlined in \u003Ca href=\"https:\u002F\u002Fcodex.wordpress.org\u002FEditing_wp-config.php#Disable_plugin_and_Theme_Update_and_Installation\" rel=\"nofollow ugc\">https:\u002F\u002Fcodex.wordpress.org\u002FEditing_wp-config.php#Disable_plugin_and_Theme_Update_and_Installation\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>To report bugs or feature requests, please use \u003Ca href=\"http:\u002F\u002Fgithub.com\u002Fstephenharris\u002Fpassword-confirm-action\u002Fissues\" rel=\"nofollow ugc\">GitHub issues\u003C\u002Fa>.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch4>Can I Help?\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Yes! Please do!\u003C\u002Fstrong> 
You could do either of the following:\u003C\u002Fp>\n\u003Col>\n\u003Cli>Use the plugin and \u003Ca href=\"http:\u002F\u002Fgithub.com\u002Fstephenharris\u002Fpassword-confirm-action\u002Fissues\" rel=\"nofollow ugc\">report any issues\u003C\u002Fa>.\u003C\u002Fli>\n\u003Cli>Find an \u003Ca href=\"http:\u002F\u002Fgithub.com\u002Fstephenharris\u002Fpassword-confirm-action\u002Fissues\" rel=\"nofollow ugc\">unassigned issue\u003C\u002Fa> and start working on it (please make PRs to the develop branch).\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>If you have an expertise in accessibility I would welcome any suggestions or improvements. Or if you encounter any issues regarding accessibility please do report these.\u003C\u002Fp>\n\u003Ch4>A special thanks\u003C\u002Fh4>\n\u003Cp>A special thanks to Human Made whose \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fhumanmade\u002Fhm-require-password\" rel=\"nofollow ugc\">Require Password\u003C\u002Fa> plugin (written by Jenny Wong) served as an inspiration for this plugin.\u003C\u002Fp>\n","Prompts the user for their password whenever they try to perform an action which could be used by an attacker to escalate privileges or engineer futur 
&hellip;",10,1364,0,"2015-05-11T18:06:00.000Z","4.2.39","4.2.2","",[],"http:\u002F\u002Fgithub.com\u002Fstephenharris\u002Fpassword-confirm-action","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpassword-confirm-action.0.2.0.zip",85,null,"2026-04-16T10:56:18.058Z","no_bundle",[],{"slug":27,"display_name":7,"profile_url":8,"plugin_count":28,"total_installs":29,"avg_security_score":30,"avg_patch_time_days":31,"trust_score":32,"computed_at":33},"stephenharris",7,22750,83,30,82,"2026-05-20T02:56:57.578Z",[],{"attackSurface":36,"codeSignals":63,"taintFlows":77,"riskAssessment":78,"analyzedAt":88},{"hooks":37,"ajaxHandlers":59,"restRoutes":60,"shortcodes":61,"cronEvents":62,"entryPointCount":13,"unprotectedCount":13},[38,44,47,50,55],{"type":39,"name":40,"callback":41,"file":42,"line":43},"action","show_user_profile","print_password_fields","password-confirm-action.php",45,{"type":39,"name":45,"callback":41,"file":42,"line":46},"edit_user_profile",48,{"type":39,"name":48,"callback":41,"file":42,"line":49},"user_new_form",51,{"type":39,"name":51,"callback":52,"priority":53,"file":42,"line":54},"user_profile_update_errors","validate_user_update",1,54,{"type":39,"name":56,"callback":57,"file":42,"line":58},"init","register_scripts",57,[],[],[],[],{"dangerousFunctions":64,"sqlUsage":65,"outputEscaping":67,"fileOperations":13,"externalRequests":13,"nonceChecks":13,"capabilityChecks":13,"bundledLibraries":76},[],{"prepared":13,"raw":13,"locations":66},[],{"escaped":68,"rawEcho":69,"locations":70},8,2,[71,74],{"file":42,"line":72,"context":73},104,"raw output",{"file":42,"line":75,"context":73},120,[],[],{"summary":79,"deductions":80},"The 'password-confirm-action' plugin version 0.2.0 demonstrates a strong security posture based on the provided static analysis.  The complete absence of identified entry points like AJAX handlers, REST API routes, shortcodes, and cron events significantly limits the potential attack surface.  
Furthermore, the code shows good development practices with no dangerous functions identified, all SQL queries using prepared statements, and no file operations or external HTTP requests. The absence of any recorded vulnerabilities in its history is a positive indicator.",[81,83,85],{"reason":82,"points":11},"No nonce checks found",{"reason":84,"points":11},"No capability checks found",{"reason":86,"points":87},"Output escaping is not fully implemented (80%)",4,"2026-04-16T12:42:09.311Z",{"wat":90,"direct":98},{"assetPaths":91,"generatorPatterns":94,"scriptPaths":95,"versionParams":97},[92,93],"\u002Fwp-content\u002Fplugins\u002Fpassword-confirm-action\u002Fpassword-confirm-action.css","\u002Fwp-content\u002Fplugins\u002Fpassword-confirm-action\u002Fpassword-confirm-action.js",[],[96],"password-confirm-action.js",[],{"cssClasses":99,"htmlComments":104,"htmlAttributes":105,"restEndpoints":114,"jsGlobals":115,"shortcodeOutput":117},[100,101,102,103],"hide-if-js","hidden","hide-if-no-js","pca-auth-check-close",[],[106,107,108,109,110,111,112,113],"id=\"pca-fields\"","id=\"current-password\"","id=\"current_pass\"","id=\"pca-auth-check-wrap\"","id=\"pca-auth-check-bg\"","id=\"pca-auth-check\"","class=\"pca-auth-check-close\"","id=\"current-pass-modal\"",[],[116],"pca",[],{"error":119,"url":120,"statusCode":121,"statusMessage":122,"message":122},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fpassword-confirm-action\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":53,"versions":124},[125],{"version":6,"download_url":20,"svn_tag_url":126,"released_at":22,"has_diff":127,"diff_files_changed":128,"diff_lines":22,"trac_diff_url":22,"vulnerabilities":129,"is_current":119},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Fpassword-confirm-action\u002Ftags\u002F0.2.0\u002F",false,[],[]]