[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fhxf7X5dzWOEV1V714MhNIDWGaGPRQD8LlfI1-bfUxVs":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30,"vulnerabilities":31,"developer":46,"crawl_stats":37,"alternatives":54,"analysis":136,"fingerprints":253},"query-posts","Query Posts","0.3.2","Justin Tadlock","https:\u002F\u002Fprofiles.wordpress.org\u002Fgreenshady\u002F","\u003Cp>The \u003Cem>Query Posts\u003C\u002Fem> widget was written to allow users that don’t know their way around PHP to easily show posts in any way they’d like.  It’s like having a cool WordPress developer as a friend ready to do your bidding.  Seriously.\u003C\u002Fp>\n\u003Cp>The widget has over 40 options to choose from.  You can list posts by category, tag, custom taxonomies, author, date, time, name, or anything you can imagine.  You can choose to show the full content, excerpts, or even a simple list.  You can order the posts in all sorts of ways.  Oh, and you can even show pages.\u003C\u002Fp>\n\u003Cp>This is the widget that keeps users out of the code and gives them the ability to display items on their site how they want.\u003C\u002Fp>\n","A WordPress widget that gives you unlimited control over showing posts and pages.",900,78613,74,3,"2017-11-28T21:28:00.000Z","3.0.5","3.0","",[20,21,22,23,24],"page","pages","posts","sidebar","widget","http:\u002F\u002Fjustintadlock.com\u002Farchives\u002F2009\u002F03\u002F15\u002Fquery-posts-widget-wordpress-plugin","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquery-posts.0.3.2.zip",63,1,"2025-09-28 00:00:00","2026-03-15T15:16:48.613Z",[32],{"id":33,"url_slug":34,"title":35,"description":36,"plugin_slug":4,"theme_slug":37,"affected_versions":38,"patched_in_version":37,"severity":39,"cvss_score":40,"cvss_vector":41,"vuln_type":42,"published_date":29,"updated_date":43,"references":44,"days_to_patch":37},"CVE-2025-62905","query-posts-authenticated-contributor-stored-cross-site-scripting","Query Posts \u003C= 0.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Query Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 0.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",null,"\u003C=0.3.2","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2025-10-29 15:04:50",[45],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F129343bc-c049-4ced-9451-e6083558c814?source=api-prod",{"slug":47,"display_name":7,"profile_url":8,"plugin_count":48,"total_installs":49,"avg_security_score":50,"avg_patch_time_days":51,"trust_score":52,"computed_at":53},"greenshady",33,33530,87,30,85,"2026-04-04T04:57:05.023Z",[55,75,92,106,121],{"slug":56,"name":57,"version":58,"author":59,"author_profile":60,"description":18,"short_description":61,"active_installs":62,"downloaded":63,"rating":64,"num_ratings":65,"last_updated":66,"tested_up_to":67,"requires_at_least":68,"requires_php":18,"tags":69,"homepage":72,"download_link":73,"security_score":52,"vuln_count":74,"unpatched_count":74,"last_vuln_date":37,"fetched_at":30},"per-page-sidebars","Per Page Sidebars","2.0.3","Brian Layman","https:\u002F\u002Fprofiles.wordpress.org\u002Fbrianlayman\u002F","The Per Page Sidebars (PPS) plugin allows blog administrators to create a unique sidebar for each Page. No template editing is required.",1000,67740,84,10,"2018-03-14T19:32:00.000Z","4.9.29","3.1",[21,22,70,71],"sidebars","widgets","http:\u002F\u002FTheCodeCave.com\u002Fplugins\u002Fper-page-sidebars","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fper-page-sidebars.zip",0,{"slug":76,"name":77,"version":78,"author":79,"author_profile":80,"description":81,"short_description":82,"active_installs":83,"downloaded":84,"rating":64,"num_ratings":85,"last_updated":86,"tested_up_to":87,"requires_at_least":88,"requires_php":18,"tags":89,"homepage":90,"download_link":91,"security_score":52,"vuln_count":74,"unpatched_count":74,"last_vuln_date":37,"fetched_at":30},"per-page-widgets","Per Page Widgets","0.0.7","Internet123","https:\u002F\u002Fprofiles.wordpress.org\u002Finternet123\u002F","\u003Cp>Control widget areas on a per-page \u002F per-post basis.\u003C\u002Fp>\n\u003Cp>Gives you the ability to show or hide individual widget areas on each page \u002F post as well as completely substituting the widgets shown in a specific widget area on a specific page or post.\u003C\u002Fp>\n\u003Ch3>Compatibility\u003C\u002Fh3>\n\u003Cp>The plugin has not been tested below version 3.3.\u003C\u002Fp>\n","Control widget areas on a per-page \u002F per-post basis.",300,16944,5,"2012-07-02T14:07:00.000Z","3.4.2","3.3",[21,22,70,71],"http:\u002F\u002Fwww.i123.dk\u002Fwordpress-plugin-per-page-widgets","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fper-page-widgets.0.0.7.zip",{"slug":93,"name":94,"version":95,"author":96,"author_profile":97,"description":98,"short_description":99,"active_installs":51,"downloaded":100,"rating":101,"num_ratings":28,"last_updated":102,"tested_up_to":103,"requires_at_least":17,"requires_php":18,"tags":104,"homepage":18,"download_link":105,"security_score":52,"vuln_count":74,"unpatched_count":74,"last_vuln_date":37,"fetched_at":30},"post-to-sidebar","Post To Sidebar","1.1.4","dmallon","https:\u002F\u002Fprofiles.wordpress.org\u002Fdmallon\u002F","\u003Cp>The Post To Sidebar plugin makes it easy to display post content in the sidebar areas of your site. Once the widget is activated, a multi-select dropdown of all your published pages appears on post editing screens. Select the pages upon which you want the post to be displayed and the post will appear on those pages.\u003C\u002Fp>\n\u003Cp>There are options to hide the post title in the output and to show the content as an excerpt.\u003C\u002Fp>\n","A WordPress plugin\u002Fwidget that gives you the ability to put content (posts and custom post types) in your sidebar.",14027,100,"2011-11-02T13:08:00.000Z","3.2.1",[21,22,23,24],"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpost-to-sidebar.1.1.5.zip",{"slug":107,"name":108,"version":109,"author":110,"author_profile":111,"description":112,"short_description":113,"active_installs":65,"downloaded":114,"rating":101,"num_ratings":28,"last_updated":115,"tested_up_to":116,"requires_at_least":103,"requires_php":18,"tags":117,"homepage":119,"download_link":120,"security_score":52,"vuln_count":74,"unpatched_count":74,"last_vuln_date":37,"fetched_at":30},"express-posts","Express Posts","1.3.0","Grant Mangham","https:\u002F\u002Fprofiles.wordpress.org\u002Fvancoder\u002F","\u003Cp>Express posts provides a widget to display either a subset of posts, the children of a page or its siblings.\u003C\u002Fp>\n\u003Cp>The widget provides three modes.\u003C\u002Fp>\n\u003Cp>\u003Cem>Subset\u003C\u002Fem> will list a given number of posts from your selected categories. Date, date format, and excerpt are all optional.\u003C\u002Fp>\n\u003Cp>\u003Cem>Children\u003C\u002Fem> and \u003Cem>siblings\u003C\u002Fem> modes will list the immediate children or siblings of a page, respectively. You can include a placeholder in the widget title as a substitute for the parent page title. You can also choose to show or hide the widget on specific generations of pages, allowing extra flexibility on shared sidebars.\u003C\u002Fp>\n\u003Cp>In common with all of my plugins, Express Posts strives to follow best practice in WordPress coding. If you spy a bug or see room for improvement, please \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fplugin\u002Fexpress-posts\" rel=\"ugc\">let me know\u003C\u002Fa>.\u003C\u002Fp>\n","Express posts provides a widget to display either a subset of posts, the children of a page or its siblings.",2929,"2016-04-13T16:40:00.000Z","4.5.33",[118,21,22,23,24],"children","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fexpress-posts\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fexpress-posts.1.3.zip",{"slug":122,"name":123,"version":124,"author":125,"author_profile":126,"description":127,"short_description":128,"active_installs":65,"downloaded":129,"rating":74,"num_ratings":74,"last_updated":18,"tested_up_to":130,"requires_at_least":131,"requires_php":18,"tags":132,"homepage":18,"download_link":134,"security_score":101,"vuln_count":74,"unpatched_count":74,"last_vuln_date":37,"fetched_at":135},"galaxius-custom-sidebars","Galaxius Custom Sidebars","1.1","galaxiusmons","https:\u002F\u002Fprofiles.wordpress.org\u002Fgalaxiusmons\u002F","\u003Cp>This allows you to quickly create a unique sidebar for any post, page, category page or for all posts belonging to a category. You simply enter a name for the sidebar when you create or edit a post, page or category. Browse to Appearance -> Widgets, find your new sidebar and add some widgets to it.\u003C\u002Fp>\n","Allows quick creation of unique sidebars for posts, pages and categories.",1806,"3.6.1","3.5.1",[133,21,22,70,71],"custom","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgalaxius-custom-sidebars.1.1.zip","2026-03-15T10:48:56.248Z",{"attackSurface":137,"codeSignals":177,"taintFlows":238,"riskAssessment":239,"analyzedAt":252},{"hooks":138,"ajaxHandlers":154,"restRoutes":155,"shortcodes":156,"cronEvents":176,"entryPointCount":85,"unprotectedCount":74},[139,145,149],{"type":140,"name":141,"callback":142,"file":143,"line":144},"action","plugins_loaded","query_posts_setup","query-posts-plugin.php",31,{"type":140,"name":146,"callback":147,"file":143,"line":148},"widgets_init","query_posts_load_widgets",48,{"type":140,"name":150,"callback":151,"priority":152,"file":143,"line":153},"init","query_posts_shortcodes",11,51,[],[],[157,161,165,169,172],{"tag":158,"callback":159,"file":143,"line":160},"entry-author","query_posts_entry_author_shortcode",76,{"tag":162,"callback":163,"file":143,"line":164},"entry-terms","query_posts_entry_terms_shortcode",79,{"tag":166,"callback":167,"file":143,"line":168},"entry-comments-link","query_posts_entry_comments_link_shortcode",82,{"tag":170,"callback":171,"file":143,"line":52},"entry-published","query_posts_entry_published_shortcode",{"tag":173,"callback":174,"file":143,"line":175},"entry-edit-link","query_posts_entry_edit_link_shortcode",88,[],{"dangerousFunctions":178,"sqlUsage":179,"outputEscaping":181,"fileOperations":74,"externalRequests":74,"nonceChecks":74,"capabilityChecks":28,"bundledLibraries":237},[],{"prepared":74,"raw":74,"locations":180},[],{"escaped":182,"rawEcho":183,"locations":184},36,25,[185,188,190,192,194,197,199,201,203,205,207,209,211,213,215,217,219,221,223,225,227,229,231,233,235],{"file":143,"line":186,"context":187},220,"raw output",{"file":143,"line":189,"context":187},235,{"file":143,"line":191,"context":187},236,{"file":143,"line":193,"context":187},340,{"file":195,"line":196,"context":187},"widget-query-posts.php",149,{"file":195,"line":198,"context":187},152,{"file":195,"line":200,"context":187},166,{"file":195,"line":202,"context":187},178,{"file":195,"line":204,"context":187},180,{"file":195,"line":206,"context":187},183,{"file":195,"line":208,"context":187},186,{"file":195,"line":210,"context":187},194,{"file":195,"line":212,"context":187},208,{"file":195,"line":214,"context":187},229,{"file":195,"line":216,"context":187},233,{"file":195,"line":218,"context":187},237,{"file":195,"line":220,"context":187},242,{"file":195,"line":222,"context":187},251,{"file":195,"line":224,"context":187},254,{"file":195,"line":226,"context":187},256,{"file":195,"line":228,"context":187},259,{"file":195,"line":230,"context":187},263,{"file":195,"line":232,"context":187},265,{"file":195,"line":234,"context":187},267,{"file":195,"line":236,"context":187},276,[],[],{"summary":240,"deductions":241},"The \"query-posts\" v0.3.2 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices by exclusively using prepared statements for SQL queries and having a relatively contained attack surface with no unprotected entry points.  There are no identified dangerous functions, file operations, or external HTTP requests, which are positive indicators of secure coding.\n\nHowever, a significant concern is the vulnerability history. The presence of one known medium-severity CVE, classified as Cross-Site Scripting, and crucially, an unpatched vulnerability is a major red flag. The static analysis also reveals a notable weakness in output escaping, with 41% of outputs not being properly escaped. This, combined with the historical XSS vulnerability, strongly suggests a risk of persistent or reflected XSS attacks if user-supplied data is not handled with extreme care in the unescaped outputs.\n\nWhile the plugin avoids common pitfalls like raw SQL and unprotected AJAX\u002FREST API endpoints, the combination of an unpatched XSS vulnerability and a high percentage of unescaped output presents a considerable risk. The lack of nonce checks and capability checks on the entry points (though none are explicitly unprotected) could also be an area for future improvement to enhance robustness against certain attack vectors.",[242,245,248,250],{"reason":243,"points":244},"Unpatched CVE (Medium severity)",18,{"reason":246,"points":247},"Significant portion of outputs not properly escaped",6,{"reason":249,"points":85},"No nonce checks on entry points",{"reason":251,"points":85},"No capability checks on entry points","2026-03-16T19:14:20.713Z",{"wat":254,"direct":263},{"assetPaths":255,"generatorPatterns":258,"scriptPaths":259,"versionParams":260},[256,257],"\u002Fwp-content\u002Fplugins\u002Fquery-posts\u002Fcss\u002Fwidget-query-posts.css","\u002Fwp-content\u002Fplugins\u002Fquery-posts\u002Fjs\u002Fwidget-query-posts.js",[],[257],[261,262],"query-posts\u002Fcss\u002Fwidget-query-posts.css?ver=","query-posts\u002Fjs\u002Fwidget-query-posts.js?ver=",{"cssClasses":264,"htmlComments":266,"htmlAttributes":267,"restEndpoints":270,"jsGlobals":271,"shortcodeOutput":272},[265],"query-posts-widget-title",[],[268,269],"data-post-id","data-widget-id",[],[],[273,274,275,276,277,278,279,280,281],"\u003Cspan class=\"edit\">\u003Ca class=\"post-edit-link\" href=\"","comments-link","\u003Cspan class=\"","\">","\u003C\u002Fspan>","author vcard","url fn n","published","abbr class=\"published\""]