[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fs1VOL1aQXg29WpitTV9Wlp-4QRLdDoSQ3HyQDpZAmCA":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":17,"tags":18,"homepage":22,"download_link":23,"security_score":24,"vuln_count":25,"unpatched_count":25,"last_vuln_date":26,"fetched_at":27,"vulnerabilities":28,"developer":29,"crawl_stats":26,"alternatives":33,"analysis":34,"fingerprints":162},"query-interface","Show WordPress Queries – Query Interface","1.3.1","queryinn","https:\u002F\u002Fprofiles.wordpress.org\u002Fqueryinn\u002F","\u003Ch3>Updates\u003C\u002Fh3>\n\u003Cp>Visit http:\u002F\u002Fwww.queryinn.com\u002F for any sort of request you want to made or any updates afterwards.\u003C\u002Fp>\n\u003Ch3>Feedback\u003C\u002Fh3>\n\u003Cp>Post bugs\u002Fwishlist at http:\u002F\u002Fwww.queryinn.com\u002Findex.php\u002Fcontact\u002F\u003C\u002Fp>\n\u003Ch3>License\u003C\u002Fh3>\n\u003Cp>Must read and agree LICENSE.txt before use\u003C\u002Fp>\n","An interface to show, run & execute wordpress queries, display queries on pages with loading time so you may optimize them etc.",10,2225,100,1,"2015-01-14T19:18:00.000Z","4.1.42","",[19,20,4,21],"display-queries","explain-queries","show-queries","http:\u002F\u002Fwww.queryinn.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquery-interface.zip",85,0,null,"2026-03-15T15:16:48.613Z",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":14,"total_installs":11,"avg_security_score":24,"avg_patch_time_days":30,"trust_score":31,"computed_at":32},30,84,"2026-04-04T07:11:39.109Z",[],{"attackSurface":35,"codeSignals":75,"taintFlows":121,"riskAssessment":145,"analyzedAt":161},{"hooks":36,"ajaxHandlers":58,"restRoutes":71,"shortcodes":72,"cronEvents":73,"entryPointCount":74,"unprotectedCount":74},[37,43,47,51,54],{"type":38,"name":39,"callback":40,"file":41,"line":42},"action","wp_head","show_buton","queryinterface.php",26,{"type":38,"name":44,"callback":45,"file":41,"line":46},"wp_footer","show_queries",27,{"type":38,"name":48,"callback":49,"file":41,"line":50},"wp_login","logout_session",28,{"type":38,"name":52,"callback":49,"file":41,"line":53},"wp_logout",29,{"type":38,"name":55,"callback":56,"file":41,"line":57},"admin_menu","queryinterface_admin_menu",32,[59,63,66,69],{"action":60,"nopriv":61,"callback":60,"hasNonce":61,"hasCapCheck":61,"file":41,"line":62},"view_fields",false,234,{"action":60,"nopriv":64,"callback":60,"hasNonce":61,"hasCapCheck":61,"file":41,"line":65},true,235,{"action":67,"nopriv":61,"callback":67,"hasNonce":61,"hasCapCheck":61,"file":41,"line":68},"set_queries",237,{"action":67,"nopriv":64,"callback":67,"hasNonce":61,"hasCapCheck":61,"file":41,"line":70},238,[],[],[],4,{"dangerousFunctions":76,"sqlUsage":77,"outputEscaping":79,"fileOperations":25,"externalRequests":25,"nonceChecks":25,"capabilityChecks":25,"bundledLibraries":120},[],{"prepared":25,"raw":25,"locations":78},[],{"escaped":80,"rawEcho":81,"locations":82},3,20,[83,87,89,90,91,93,95,97,99,101,103,104,105,107,109,111,113,115,117,118],{"file":84,"line":85,"context":86},"qi.php",83,"raw output",{"file":84,"line":88,"context":86},151,{"file":84,"line":88,"context":86},{"file":84,"line":88,"context":86},{"file":84,"line":92,"context":86},160,{"file":84,"line":94,"context":86},186,{"file":84,"line":96,"context":86},187,{"file":84,"line":98,"context":86},204,{"file":84,"line":100,"context":86},214,{"file":84,"line":102,"context":86},229,{"file":84,"line":68,"context":86},{"file":84,"line":68,"context":86},{"file":41,"line":106,"context":86},147,{"file":41,"line":108,"context":86},154,{"file":41,"line":110,"context":86},171,{"file":41,"line":112,"context":86},175,{"file":41,"line":114,"context":86},179,{"file":41,"line":116,"context":86},207,{"file":41,"line":116,"context":86},{"file":41,"line":119,"context":86},230,[],[122],{"entryPoint":123,"graph":124,"unsanitizedCount":80,"severity":144},"\u003Cqi> (qi.php:0)",{"nodes":125,"edges":141},[126,130,135,139],{"id":127,"type":128,"label":129,"file":84,"line":92},"n0","source","$_POST['query']",{"id":131,"type":132,"label":133,"file":84,"line":92,"wp_function":134},"n1","sink","echo() [XSS]","echo",{"id":136,"type":128,"label":137,"file":84,"line":138},"n2","$_POST (x2)",199,{"id":140,"type":132,"label":133,"file":84,"line":68,"wp_function":134},"n3",[142,143],{"from":127,"to":131,"sanitized":61},{"from":136,"to":140,"sanitized":61},"low",{"summary":146,"deductions":147},"The 'query-interface' plugin version 1.3.1 exhibits a concerning security posture primarily due to its significant attack surface exposed through AJAX handlers without adequate authentication or capability checks. While the plugin demonstrates good practices by utilizing prepared statements for all SQL queries and avoids dangerous functions, file operations, and external HTTP requests, these strengths are overshadowed by the numerous unprotected entry points. The static analysis reveals 4 AJAX handlers, all of which lack authentication checks. Furthermore, the taint analysis, though limited, identified a flow with unsanitized paths, which in combination with the unprotected AJAX handlers, presents a potential risk for various injection attacks.\n\nThe vulnerability history for this plugin is clean, with no recorded CVEs. This absence of past vulnerabilities is a positive indicator, suggesting either a well-developed codebase or a lack of past scrutiny. However, this should not be interpreted as a guarantee of current security, especially given the identified weaknesses in the static analysis. The plugin's lack of nonces and capability checks on its AJAX endpoints is a critical oversight that could allow unauthorized users to trigger plugin functionalities, potentially leading to unintended data manipulation or disclosure if the unsanitized paths are exploited. In conclusion, while the plugin has strengths in its SQL handling and avoidance of other risky operations, the unprotected AJAX handlers and the presence of unsanitized paths create a substantial security risk that requires immediate attention.",[148,150,153,156,158],{"reason":149,"points":11},"4 AJAX handlers without auth checks",{"reason":151,"points":152},"Unsanitized path in taint flow",8,{"reason":154,"points":155},"0 Nonce checks on AJAX handlers",5,{"reason":157,"points":155},"0 Capability checks on AJAX handlers",{"reason":159,"points":160},"13% of output properly escaped",6,"2026-03-17T00:52:32.064Z",{"wat":163,"direct":168},{"assetPaths":164,"generatorPatterns":165,"scriptPaths":166,"versionParams":167},[],[],[],[],{"cssClasses":169,"htmlComments":175,"htmlAttributes":176,"restEndpoints":178,"jsGlobals":181,"shortcodeOutput":183},[170,171,172,173,174],"qi_top","qi_normal","qi_alt1","qi_head","td_head",[],[177],"id=\"qi_table\"",[179,180],"\u002Fwp-json\u002Fadmin-ajax.php?action=view_fields","\u002Fwp-json\u002Fadmin-ajax.php?action=set_queries",[182],"qi_scroll",[]]