[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fQTxch9ZCE0m51_SQ5aVO9yrKmBBGj-bxHIq1bwxswUA":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30,"vulnerabilities":31,"developer":46,"crawl_stats":37,"alternatives":54,"analysis":164,"fingerprints":365},"quote-master","Quote Master","7.1.1","Frank Corso","https:\u002F\u002Fprofiles.wordpress.org\u002Ffpcorso\u002F","\u003Cp>This plugin gives you the ability to add, edit, and delete quotes and their authors. You can show a random quote from your list by using the [quotes] shortcode on any page or post. You can also use the included Quote Master widget!\u003C\u002Fp>\n\u003Cp>Features include:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Add, edit, delete quotes\u003C\u002Fli>\n\u003Cli>Add, edit, delete categories\u003C\u002Fli>\n\u003Cli>Show random quote\u003C\u002Fli>\n\u003Cli>Show random quote only from selected category\u003C\u002Fli>\n\u003Cli>Show entire quotes list\u003C\u002Fli>\n\u003Cli>Show all quotes in selected category\u003C\u002Fli>\n\u003Cli>Include quote’s author\u003C\u002Fli>\n\u003Cli>Use shortcode on any post or page\u003C\u002Fli>\n\u003Cli>Built-in widget\u003C\u002Fli>\n\u003Cli>Add Tweet link to quote to allow visitors to tweet the quote\u003C\u002Fli>\n\u003Cli>Edit the style for the quotes\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Make Suggestions Or Contribute\u003C\u002Fh4>\n\u003Cp>Quote Master is on \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Famg262\u002Fquote_master\" rel=\"nofollow ugc\">GitHub\u003C\u002Fa>!\u003C\u002Fp>\n","This plugin gives you the ability to add, edit, and delete quotes and display them 
randomly.",200,20516,94,11,"2018-05-17T01:11:00.000Z","4.2.39","3.8.1","",[20,21,22,23,24],"post","quote","shortcode","text","widget","http:\u002F\u002Fmylocalwebstop.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquote-master.7.1.1.zip",63,1,"2026-01-16 00:00:00","2026-03-15T15:16:48.613Z",[32],{"id":33,"url_slug":34,"title":35,"description":36,"plugin_slug":4,"theme_slug":37,"affected_versions":38,"patched_in_version":37,"severity":39,"cvss_score":40,"cvss_vector":41,"vuln_type":42,"published_date":29,"updated_date":43,"references":44,"days_to_patch":37},"CVE-2025-68849","quote-master-reflected-cross-site-scripting","Quote Master \u003C= 7.1.1 - Reflected Cross-Site Scripting","The Quote Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 7.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",null,"\u003C=7.1.1","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-19 
15:53:24",[45],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F441a97ff-cf87-44bd-a84a-d6b889c37104?source=api-prod",{"slug":47,"display_name":7,"profile_url":8,"plugin_count":48,"total_installs":49,"avg_security_score":50,"avg_patch_time_days":51,"trust_score":52,"computed_at":53},"fpcorso",4,220,83,30,82,"2026-04-04T16:24:36.962Z",[55,81,105,124,143],{"slug":56,"name":57,"version":58,"author":59,"author_profile":60,"description":61,"short_description":62,"active_installs":63,"downloaded":64,"rating":65,"num_ratings":28,"last_updated":66,"tested_up_to":67,"requires_at_least":68,"requires_php":69,"tags":70,"homepage":75,"download_link":76,"security_score":77,"vuln_count":78,"unpatched_count":79,"last_vuln_date":80,"fetched_at":30},"apollo13-framework-extensions","Apollo13 Framework Extensions","1.9.9","apollo13themes","https:\u002F\u002Fprofiles.wordpress.org\u002Fapollo13themes\u002F","\u003Cp>\u003Cstrong>Apollo13 Framework Extensions\u003C\u002Fstrong> adds few features to themes build on Apollo13 Framework. 
These are:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Designs Importer,\u003C\u002Fli>\n\u003Cli>shortcodes based on Apollo13 Framework features: writtng effect, count down, socials, scroller, slider, galleries, post grid,\u003C\u002Fli>\n\u003Cli>support for WPBakery Page Builder elements added by Apollo13 Framework,\u003C\u002Fli>\n\u003Cli>custom post types: albums, works & people,\u003C\u002Fli>\n\u003Cli>Export\u002FImport of theme options,\u003C\u002Fli>\n\u003Cli>Custom Sidebar,\u003C\u002Fli>\n\u003Cli>Custom CSS,\u003C\u002Fli>\n\u003Cli>Meta options that are creating content for posts, pages, albums and works,\u003C\u002Fli>\n\u003Cli>Responsive Image resizing ,\u003C\u002Fli>\n\u003Cli>Maintenance mode.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This plugin requires one of themes build on \u003Cstrong>Apollo13 Framework\u003C\u002Fstrong> theme to be installed.\u003C\u002Fp>\n\u003Cp>It is mostly used for:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fapollo13themes.com\u002Frife\u002Ffree\u002F\" rel=\"nofollow ugc\">Rife Free\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fapollo13themes.com\u002Frife\u002F\" rel=\"nofollow ugc\">Rife Pro\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Credits & Copyright\u003C\u002Fh3>\n\u003Ch4>Anime.js, Copyright 2019 Julian Garnier\u003C\u002Fh4>\n\u003Cp>Licenses: MIT\u003Cbr \u002F>\nSource: https:\u002F\u002Fanimejs.com\u002F\u003C\u002Fp>\n","Adds custom post types, shortcodes and some features that are used in themes built on Apollo13 Framework.",20000,534616,100,"2025-12-04T08:12:00.000Z","6.5.8","4.7","5.4.0",[71,72,73,74],"custom-post-types","elementor-widgets","shortcodes","wpbakery-page-builder-support","https:\u002F\u002Fapollo13themes.com\u002Frife\u002Ffree","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fapollo13-framework-extensions.zip",95,6,0,"2026-02-18 
15:32:44",{"slug":82,"name":83,"version":84,"author":85,"author_profile":86,"description":87,"short_description":88,"active_installs":89,"downloaded":90,"rating":91,"num_ratings":92,"last_updated":93,"tested_up_to":94,"requires_at_least":95,"requires_php":18,"tags":96,"homepage":100,"download_link":101,"security_score":102,"vuln_count":103,"unpatched_count":79,"last_vuln_date":104,"fetched_at":30},"custom-post-widget","Content Blocks (Custom Post Widget)","3.4.1","Johan van der Wijk","https:\u002F\u002Fprofiles.wordpress.org\u002Fvanderwijk\u002F","\u003Cp>The \u003Ca href=\"http:\u002F\u002Fwww.vanderwijk.com\u002Fwordpress\u002Fwordpress-custom-post-widget\u002F?utm_source=wordpress&utm_medium=website&utm_campaign=custom_post_widget\" rel=\"nofollow ugc\">Content Blocks\u003C\u002Fa> allows you to display the contents of a specific custom post in a widget on in the content area using a shortcode.\u003C\u002Fp>\n\u003Cp>Even though you could use the text widget that comes with the default WordPress install, this plugin has some major benefits:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>The Content Blocks plugin enables users to \u003Cstrong>use the WYSIWYG editor\u003C\u002Fstrong> for editing the content and adding images.\u003C\u002Fli>\n\u003Cli>If you are using the standard WordPress text widgets to display content on various areas of your template, this content can only be edited by users with administrator access. 
If you would like \u003Cstrong>non-administrator accounts to modify the widget content\u003C\u002Fstrong>, you can use this plugin to provide them access to the custom posts that provide the content for the widget areas.\u003C\u002Fli>\n\u003Cli>You can even use the \u003Cstrong>featured image functionality\u003C\u002Fstrong> to display them in a widget.\u003C\u002Fli>\n\u003Cli>The Content Blocks plugin is \u003Cstrong>compatible with the WPML\u003C\u002Fstrong> Multi-Language plugin and automatically shows the correct language in the widget area.\u003C\u002Fli>\n\u003Cli>The Content Blocks can be included in posts and pages using the \u003Cstrong>built-in shortcode functionality\u003C\u002Fstrong>.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This plugin creates a ‘content_block’ custom post type. You can choose to either display the title on the page or use it to describe the contents and widget position of the content block. Note that these content blocks can only be displayed in the context of the page. 
I have added ‘public’ => false to the custom post type which means that it is not accessible outside the page context.\u003C\u002Fp>\n\u003Cp>To add content to a widget, drag it to the required position in the sidebar and select the title of the custom post in the widget configuration.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Includes the following translations:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Swedish (sv_SE) by \u003Ca href=\"http:\u002F\u002Fkrokedil.se\" rel=\"nofollow ugc\">Andreas Larsson\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Spanish (es_ES) by \u003Ca href=\"https:\u002F\u002Fwww.ibidemgroup.com\" rel=\"nofollow ugc\">IBIDEM GROUP\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Portuguese (pt_BR) by Ronaldo Chevalier\u003C\u002Fli>\n\u003Cli>Polish (pl_PL) by Kuba Skublicki\u003C\u002Fli>\n\u003Cli>Dutch (nl_NL) by \u003Ca href=\"https:\u002F\u002Fvanderwijk.nl\" rel=\"nofollow ugc\">Johan van der Wijk\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Czech (cs_CZ) by \u003Ca href=\"http:\u002F\u002Fjsemweb.cz\u002F\" rel=\"nofollow ugc\">Martin Kucera\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Ftranslate.wordpress.org\u002Fprojects\u002Fwp-plugins\u002Fcustom-post-widget\" rel=\"nofollow ugc\">More translations are very welcome!\u003C\u002Fa>\u003C\u002Fp>\n","This plugin enables you to edit and display Content Blocks in a sidebar widget or using a shortcode.",10000,727658,98,80,"2026-01-27T13:29:00.000Z","6.9.4","4.6",[97,98,99,22,24],"block","content-block","custom-post","https:\u002F\u002Fvanderwijk.com\u002Fwordpress\u002Fwordpress-custom-post-widget\u002F?utm_source=wordpress&utm_medium=plugin&utm_campaign=custom_post_widget","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustom-post-widget.3.4.1.zip",96,5,"2025-02-19 
21:17:14",{"slug":106,"name":107,"version":108,"author":109,"author_profile":110,"description":111,"short_description":112,"active_installs":113,"downloaded":114,"rating":65,"num_ratings":28,"last_updated":115,"tested_up_to":116,"requires_at_least":117,"requires_php":18,"tags":118,"homepage":121,"download_link":122,"security_score":123,"vuln_count":79,"unpatched_count":79,"last_vuln_date":37,"fetched_at":30},"custom-shortcodes","Custom Shortcodes","1.0","marapper","https:\u002F\u002Fprofiles.wordpress.org\u002Fmarapper\u002F","\u003Cp>Manage \u003Cstrong>custom fields\u003C\u002Fstrong> using the insert \u003Cstrong>shortcodes\u003C\u002Fstrong> [custom name=”\u003Cem>field-name\u003C\u002Fem>” value=”\u003Cem>field-value\u003C\u002Fem>“] or HTML \u003Cstrong>conditional comments\u003C\u002Fstrong> \u003C!–custom name=”\u003Cem>field-name\u003C\u002Fem>” value=”\u003Cem>field-value\u003C\u002Fem>“–> in text of post. It’s a hook for desktop blog clients, which don’t support customfields natively.\u003C\u002Fp>\n\u003Cp>Простой хак Вордпресса, позволяющий управлять \u003Cstrong>произвольными полями\u003C\u002Fstrong> из любого внешнего клиента или при отправке через почту с помощью \u003Cstrong>шорткодов\u003C\u002Fstrong> [custom name=”\u003Cem>имя-произвольного-поля\u003C\u002Fem>” value=”\u003Cem>значение\u003C\u002Fem>“] или \u003Cstrong>условных комментариев\u003C\u002Fstrong> \u003C!–custom name=”\u003Cem>имя-произвольного-поля\u003C\u002Fem>” value=”\u003Cem>значение\u003C\u002Fem>“–> прямо в тексте поста.\u003C\u002Fp>\n","Manage custom fields using the insert shortcodes or HTML comment in text of 
post.",6000,5599,"2009-04-04T11:51:00.000Z","2.7","2.0.2",[119,120,20,73,23],"custom","custom-fields","http:\u002F\u002Fiskariot.ru\u002Fwordpress\u002Fremix\u002F#custom-short","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustom-shortcodes.1.0.zip",85,{"slug":125,"name":126,"version":127,"author":128,"author_profile":129,"description":130,"short_description":131,"active_installs":113,"downloaded":132,"rating":91,"num_ratings":133,"last_updated":134,"tested_up_to":135,"requires_at_least":136,"requires_php":18,"tags":137,"homepage":141,"download_link":142,"security_score":123,"vuln_count":79,"unpatched_count":79,"last_vuln_date":37,"fetched_at":30},"disable-author-pages","Disable Author Pages","0.11","Frank Neumann-Staude","https:\u002F\u002Fprofiles.wordpress.org\u002Ffstaude\u002F","\u003Cp>Disable the author pages ( \u002Fauthor=? ) in wordpress and redirect the user to another page.\u003C\u002Fp>\n","Disable the author pages",50618,17,"2017-11-28T17:13:00.000Z","4.7.32","3.0",[138,20,22,139,140],"page","sidebar","widgets","https:\u002F\u002Fstaude.net\u002Fwordpress\u002Fplugins\u002Fdisable-author-pages\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdisable-author-pages.0.11.zip",{"slug":144,"name":145,"version":146,"author":147,"author_profile":148,"description":149,"short_description":150,"active_installs":151,"downloaded":152,"rating":102,"num_ratings":153,"last_updated":154,"tested_up_to":155,"requires_at_least":156,"requires_php":18,"tags":157,"homepage":162,"download_link":163,"security_score":123,"vuln_count":79,"unpatched_count":79,"last_vuln_date":37,"fetched_at":30},"nested-shortcodes","Nested Shortcodes by Outerbridge","1.4","Outerbridge","https:\u002F\u002Fprofiles.wordpress.org\u002Fouterbridge\u002F","\u003Cp>A small plugin which allows you to use nested shortcodes (i.e. 
a shortcode within an enclosing shortcode) by implementing a simple “do_shortcode” filter as per the WordPress Codex to content and widgets – see \u003Ca href=\"https:\u002F\u002Fcodex.wordpress.org\u002FShortcode_API#Nested_Shortcodes\" rel=\"nofollow ugc\">Shortcode_API\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Freference\u002Ffunctions\u002Fdo_shortcode\u002F\" rel=\"nofollow ugc\">do_shortcode\u003C\u002Fa>\u003C\u002Fp>\n","A small plugin which allows you to use nest shortcodes (i.e. a shortcode within an enclosing shortcode) by implementing a simple do_shortcode filter",1000,21632,14,"2022-09-01T16:25:00.000Z","6.0.11","4.0",[158,159,73,160,161],"do_shortcode","nested","text_widget","the_content","https:\u002F\u002Fouterbridge.co.uk\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnested-shortcodes.zip",{"attackSurface":165,"codeSignals":225,"taintFlows":302,"riskAssessment":347,"analyzedAt":364},{"hooks":166,"ajaxHandlers":213,"restRoutes":214,"shortcodes":215,"cronEvents":223,"entryPointCount":224,"unprotectedCount":79},[167,173,178,180,184,186,190,194,198,202,205,208],{"type":168,"name":169,"callback":170,"file":171,"line":172},"action","add_meta_boxes","quote_meta_boxes","php\\qm-post-meta-boxes.php",47,{"type":168,"name":174,"callback":175,"priority":176,"file":171,"line":177},"save_post","qm_post_quote_save",10,48,{"type":168,"name":174,"callback":175,"priority":176,"file":171,"line":179},119,{"type":168,"name":181,"callback":182,"file":183,"line":177},"admin_init","init","php\\qm-settings.php",{"type":168,"name":174,"callback":175,"priority":176,"file":185,"line":92},"php\\qm-update.php",{"type":168,"name":181,"callback":187,"file":188,"line":189},"qm_update","quote-master.php",87,{"type":168,"name":191,"callback":192,"file":188,"line":193},"widgets_init","anonymous",88,{"type":168,"name":195,"callback":196,"file":188,"line":197},"admin_menu","setup_admin_menu",89,{"type":168,"name":199,"callback":1
99,"priority":200,"file":188,"line":201},"admin_head",900,90,{"type":168,"name":182,"callback":203,"priority":79,"file":188,"line":204},"register_quote_taxonomy",91,{"type":168,"name":182,"callback":206,"priority":28,"file":188,"line":207},"register_quote_post_types",92,{"type":209,"name":210,"callback":211,"priority":176,"file":188,"line":212},"filter","post_row_actions","remove_views",93,[],[],[216,220],{"tag":217,"callback":218,"file":219,"line":172},"quotes","display_quotes","php\\qm-shortcodes.php",{"tag":221,"callback":218,"file":219,"line":222},"mlw_quotes",50,[],2,{"dangerousFunctions":226,"sqlUsage":230,"outputEscaping":251,"fileOperations":79,"externalRequests":28,"nonceChecks":79,"capabilityChecks":224,"bundledLibraries":301},[227],{"fn":228,"file":188,"line":193,"context":229},"create_function","add_action('widgets_init', create_function('', 'return register_widget(\"QM_Widget\");'));",{"prepared":79,"raw":231,"locations":232},8,[233,236,239,242,244,246,248,250],{"file":185,"line":234,"context":235},24,"$wpdb->get_var() with variable interpolation",{"file":185,"line":237,"context":238},26,"$wpdb->get_results() with variable interpolation",{"file":185,"line":240,"context":241},41,"$wpdb->query() with variable interpolation",{"file":185,"line":243,"context":235},45,{"file":185,"line":245,"context":238},49,{"file":185,"line":247,"context":241},76,{"file":249,"line":14,"context":241},"uninstall.php",{"file":249,"line":153,"context":241},{"escaped":252,"rawEcho":253,"locations":254},16,27,[255,258,260,261,263,264,266,268,269,271,272,274,276,278,281,282,283,284,286,288,289,291,292,293,295,297,299],{"file":256,"line":201,"context":257},"php\\qm-about-page.php","raw 
output",{"file":259,"line":27,"context":257},"php\\qm-help-page.php",{"file":259,"line":92,"context":257},{"file":259,"line":262,"context":257},81,{"file":259,"line":49,"context":257},{"file":259,"line":265,"context":257},227,{"file":259,"line":267,"context":257},300,{"file":259,"line":267,"context":257},{"file":259,"line":270,"context":257},301,{"file":259,"line":270,"context":257},{"file":259,"line":273,"context":257},303,{"file":183,"line":275,"context":257},127,{"file":219,"line":277,"context":257},74,{"file":279,"line":280,"context":257},"php\\qm-widgets.php",29,{"file":279,"line":51,"context":257},{"file":279,"line":51,"context":257},{"file":279,"line":51,"context":257},{"file":279,"line":285,"context":257},33,{"file":279,"line":287,"context":257},34,{"file":279,"line":287,"context":257},{"file":279,"line":290,"context":257},39,{"file":279,"line":290,"context":257},{"file":279,"line":27,"context":257},{"file":279,"line":294,"context":257},68,{"file":279,"line":296,"context":257},79,{"file":279,"line":298,"context":257},145,{"file":279,"line":300,"context":257},147,[],[303,319,329,339],{"entryPoint":304,"graph":305,"unsanitizedCount":28,"severity":39},"email_box (php\\qm-help-page.php:188)",{"nodes":306,"edges":316},[307,311],{"id":308,"type":309,"label":310,"file":259,"line":49},"n0","source","$_SERVER['PHP_SELF']",{"id":312,"type":313,"label":314,"file":259,"line":49,"wp_function":315},"n1","sink","echo() [XSS]","echo",[317],{"from":308,"to":312,"sanitized":318},false,{"entryPoint":320,"graph":321,"unsanitizedCount":28,"severity":39},"widget (php\\qm-widgets.php:58)",{"nodes":322,"edges":327},[323,326],{"id":308,"type":309,"label":324,"file":279,"line":325},"$_SERVER",135,{"id":312,"type":313,"label":314,"file":279,"line":298,"wp_function":315},[328],{"from":308,"to":312,"sanitized":318},{"entryPoint":330,"graph":331,"unsanitizedCount":79,"severity":338},"\u003Cqm-help-page> 
(php\\qm-help-page.php:0)",{"nodes":332,"edges":335},[333,334],{"id":308,"type":309,"label":310,"file":259,"line":49},{"id":312,"type":313,"label":314,"file":259,"line":49,"wp_function":315},[336],{"from":308,"to":312,"sanitized":337},true,"low",{"entryPoint":340,"graph":341,"unsanitizedCount":28,"severity":338},"\u003Cqm-widgets> (php\\qm-widgets.php:0)",{"nodes":342,"edges":345},[343,344],{"id":308,"type":309,"label":324,"file":279,"line":325},{"id":312,"type":313,"label":314,"file":279,"line":298,"wp_function":315},[346],{"from":308,"to":312,"sanitized":318},{"summary":348,"deductions":349},"The quote-master plugin version 7.1.1 presents a mixed security posture. While it has a relatively small attack surface with no unprotected entry points, several static code signals raise significant concerns. The plugin uses the dangerous `create_function` function (which evaluates a string as code), and 100% of its SQL queries are built with variable interpolation rather than prepared statements. These are classic code-injection and SQL-injection patterns, although whether they are exploitable depends on whether attacker-controlled data reaches those calls, which should be confirmed by code review. Furthermore, the low percentage of properly escaped output (37%) suggests a substantial risk of Cross-Site Scripting (XSS) attacks. The taint analysis found flows in which `$_SERVER` values reach `echo` through unsanitized paths; although not classified as critical or high severity, they further exacerbate these concerns, indicating potential for injected script to leak or manipulate data in a visitor's session.\n\nThe plugin's vulnerability history, specifically a medium severity Reflected Cross-Site Scripting (XSS) vulnerability (CVE-2025-68849) that remains unpatched (dated 2026-01-16), is a critical red flag. No fixed version is listed, so the known vulnerability stays exposed on every install; together with the code signals above, this indicates a pattern of security issues and a lack of timely patching. The lack of nonce checks and the presence of capability checks only on two entry points mean that even though the entry points themselves are not directly unprotected, the processing of data within them might lack sufficient request-integrity (CSRF) and authorization checks. 
In conclusion, while the plugin's attack surface is contained, the significant code quality issues, particularly around SQL sanitization and output escaping, combined with a history of unpatched vulnerabilities, make this version a considerable security risk that requires immediate attention and remediation.",[350,353,355,357,359,362],{"reason":351,"points":352},"Unpatched medium CVE",18,{"reason":354,"points":176},"SQL queries without prepared statements",{"reason":356,"points":231},"Low percentage of output escaping",{"reason":358,"points":231},"Dangerous function: create_function",{"reason":360,"points":361},"Taint flows with unsanitized paths",7,{"reason":363,"points":103},"No nonce checks","2026-03-16T20:21:48.913Z",{"wat":366,"direct":377},{"assetPaths":367,"generatorPatterns":371,"scriptPaths":372,"versionParams":373},[368,369,370],"\u002Fwp-content\u002Fplugins\u002Fquote-master\u002Fcss\u002Fstyle.css","\u002Fwp-content\u002Fplugins\u002Fquote-master\u002Fjs\u002Fquote-master-admin.js","\u002Fwp-content\u002Fplugins\u002Fquote-master\u002Fjs\u002Fquote-master-front.js",[],[369,370],[374,375,376],"quote-master\u002Fcss\u002Fstyle.css?ver=","quote-master\u002Fjs\u002Fquote-master-admin.js?ver=","quote-master\u002Fjs\u002Fquote-master-front.js?ver=",{"cssClasses":378,"htmlComments":381,"htmlAttributes":386,"restEndpoints":393,"jsGlobals":394,"shortcodeOutput":396},[379,380],"qm_custom_quote_wrapper","qm-quote-display",[382,383,384,385],"\u003C!-- Shortcode [quote] -->","\u003C!-- \u002FShortcode [quote] -->","\u003C!-- About Page -->","\u003C!-- \u002FAbout Page -->",[387,388,389,390,391,392],"data-quote-id","data-quote-theme","data-quote-layout","data-quote-limit","data-quote-style","data-quote-speed",[],[395],"var quoteMasterAdmin",[397,398],"\u003Cdiv class=\"qm_custom_quote_wrapper\">","\u003Cdiv class=\"qm-quote-display\">"]