[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fb3O3xTNspKE7MX0DdvpE84az37G5LGd2CIYuiXyvA0w":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":23,"download_link":24,"security_score":25,"vuln_count":13,"unpatched_count":13,"last_vuln_date":26,"fetched_at":27,"vulnerabilities":28,"developer":29,"crawl_stats":26,"alternatives":35,"analysis":142,"fingerprints":218},"rbam-media","Role Based Access Manager: Media Protector","1.1.3","muis IT","https:\u002F\u002Fprofiles.wordpress.org\u002Fmuisit\u002F","\u003Cp>Role Based Access Manager: Media Protector\u003C\u002Fp>\n\u003Cp>WordPress plugin to assign access roles to individual files.\u003C\u002Fp>\n\u003Cp>This simple plugin allows administrators (anyone with access to the edit-post form for attachments\u002Fmedia) to set access based on roles.\u003Cbr \u002F>\nThe plugin provides a ‘Security’ meta-box on the right hand side where you can type in role names and select them (much like you add tags\u003Cbr \u002F>\nto regular posts). Whenever a visitor wants to download or view a file or image from the uploads directory, his\u002Fher current roles are checked\u003Cbr \u002F>\nagainst the configured roles.\u003C\u002Fp>\n\u003Cp>This plugin tries to look for originals of resized and rescaled images by making a rough search in the meta data table. This allows you to\u003Cbr \u002F>\nmark the original image of a blog entry for specific access and have all thumbnails and other derived images be protected as well. Please note\u003Cbr \u002F>\nthat this plugin does not clean up after you. 
If for some reason left-over thumbnails remain in the upload directory, the plugin cannot find\u003Cbr \u002F>\nthem in the database and will allow unrestricted access to them.\u003C\u002Fp>\n\u003Ch3>Roles\u003C\u002Fh3>\n\u003Cp>This plugin works based on role access management. That means it will try to match the roles specified on the media against the roles of the requesting user. However, the capabilities system of \u003Ccode>WordPress\u003C\u002Fcode> is cumulative: an \u003Ccode>Administrator\u003C\u002Fcode> has more privileges than an \u003Ccode>Editor\u003C\u002Fcode>, but at least the\u003Cbr \u002F>\nsame. Usually, people only have one Role in this system. As this plugin does not check on capabilities, but on roles, you will need to specify\u003Cbr \u002F>\n\u003Cem>all\u003C\u002Fem> the roles that should have access to this file (including the ‘administrator’ role).\u003C\u002Fp>\n\u003Cp>Alternatively, you can add secondary roles to a User, allowing an \u003Ccode>Administrator\u003C\u002Fcode> to also be a \u003Ccode>Subscriber\u003C\u002Fcode>. In this way, you only need to add the\u003Cbr \u002F>\n    Subscriber role to media files to allow them to be downloaded by all registered members. However, adding secondary roles is a manual task. If you have many users and few files, it can be easier to specify all roles with the media. If you have many files and few users, you had better use secondary role assignments. If you have many files and many users, you should look into a way to automatically assign roles to people using some sort of on-boarding method. If you need a plugin for that, send me a message.\u003C\u002Fp>\n\u003Ch3>Redirections\u003C\u002Fh3>\n\u003Cp>The plugin works by inserting a redirection rule in your \u003Ccode>.htaccess\u003C\u002Fcode> file on activation. This does not work for \u003Ccode>NGINX\u003C\u002Fcode>, in which\u003Cbr \u002F>\ncase you have to insert a redirection manually. 
Freely copied from the \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Faam-protected-media-files\u002F\" rel=\"nofollow ugc\">AAM Protected Media Files\u003C\u002Fa> description:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>location ~* ^\u002Fwp-content\u002Fuploads\u002F {\n   rewrite (?i)^(\u002Fwp-content\u002Fuploads\u002F.*)$ \u002Findex.php?rbam-media=1 last;\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>The plugin will try to read the accessed file from the original request (the URI before the rewrite) and apply role based access management on it.\u003C\u002Fp>\n","Role Based Access Management for Media files (attachments).",10,1231,0,"2021-06-17T13:34:00.000Z","5.7.15","5.4","7.2",[19,20,21,22],"attachments","media","roles","security","https:\u002F\u002Fgithub.com\u002Fmuisit\u002Frbam-media","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frbam-media.zip",85,null,"2026-03-15T15:16:48.613Z",[],{"slug":30,"display_name":7,"profile_url":8,"plugin_count":31,"total_installs":11,"avg_security_score":25,"avg_patch_time_days":32,"trust_score":33,"computed_at":34},"muisit",1,30,84,"2026-04-04T07:06:52.810Z",[36,57,74,99,122],{"slug":37,"name":38,"version":39,"author":40,"author_profile":41,"description":42,"short_description":43,"active_installs":44,"downloaded":45,"rating":46,"num_ratings":47,"last_updated":48,"tested_up_to":49,"requires_at_least":50,"requires_php":51,"tags":52,"homepage":55,"download_link":56,"security_score":25,"vuln_count":13,"unpatched_count":13,"last_vuln_date":26,"fetched_at":27},"media-vault","Media Vault","0.8.12","Max GJ Panas","https:\u002F\u002Fprofiles.wordpress.org\u002Fmax-gjp\u002F","\u003Ch4>Protected Attachment Files\u003C\u002Fh4>\n\u003Cp>Media Vault cordons off a section of your WordPress uploads folder and secures it, protecting all files within by passing requests for them through a \u003Cem>powerful, flexible and completely customizable\u003C\u002Fem> set of permission 
checks.\u003C\u002Fp>\n\u003Cp>After activating the plugin, to protect attachment files with Media Vault you can:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>use the \u003Cem>Media Uploader admin page\u003C\u002Fem> to upload new protected attachments,\u003C\u002Fli>\n\u003Cli>use the \u003Cem>Media Vault metabox\u003C\u002Fem> to toggle file protection on the ‘Edit Media’ admin page,\u003C\u002Fli>\n\u003Cli>use the \u003Cem>Media Vault Protection Settings\u003C\u002Fem> fields in the new Media Modal, or, \u003C\u002Fli>\n\u003Cli>using \u003Cem>bulk actions\u003C\u002Fem> in your Media Library page, you can change file protection on multiple pre-existing attachments at once.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>By default the only permission check that the plugin does on media files is that the user requesting them be logged in. You can change this \u003Cem>default\u003C\u002Fem> behavior from the ‘Media Settings’ page in the ‘Settings’ menu of the WordPress Admin. You can also change the restrictions set on attachments on an individual basis by means of either the Media Vault metabox on the ‘Edit Media’ page or the Media Vault Protection Settings fields in the new Media Modal.\u003C\u002Fp>\n\u003Cp>You can also write your own custom restrictions using the \u003Ccode>mgjp_mv_add_permission()\u003C\u002Fcode> function. See \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Ftopic\u002Frestrict-only-for-subscribers?replies=5\" rel=\"ugc\">this support question\u003C\u002Fa> for more details.\u003C\u002Fp>\n\u003Ch4>Safe Download Links\u003C\u002Fh4>\n\u003Cp>Creating a cross-browser compatible download link for a file is a harder task than might be expected. 
Media Vault handles this for you, and it does so while preserving all the file security features discussed earlier like blocking downloads to people who should not have access to the file.\u003C\u002Fp>\n\u003Cp>The download links are available through a simple shortcode that you can use in your post\u002Fpage editor screen:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[mv_dl_links ids=\"1,2,3\"]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>where ‘ids’ are the comma separated list of attachment ids you would like to make available for download in the list.\u003C\u002Fp>\n\u003Cp>\u003Cem>Note:\u003C\u002Fem> Plugin comes with styles ready for WordPress 3.8+!\u003C\u002Fp>\n\u003Cp>\u003Cem>Note:\u003C\u002Fem>  \u003Cstrong>Now supports WordPress MultiSite!\u003C\u002Fstrong>\u003C\u002Fp>\n","Protect attachment files from direct access using powerful and flexible restrictions. Offer safe download links for any file in your uploads folder.",800,17132,88,27,"2014-02-18T16:48:00.000Z","3.7.41","3.5.0","",[19,53,20,54,22],"downloads","protection","http:\u002F\u002Fwordpress.org\u002Fplugins\u002Fmedia-vault\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmedia-vault.0.8.12.zip",{"slug":58,"name":59,"version":60,"author":61,"author_profile":62,"description":63,"short_description":64,"active_installs":11,"downloaded":65,"rating":13,"num_ratings":13,"last_updated":66,"tested_up_to":67,"requires_at_least":68,"requires_php":51,"tags":69,"homepage":72,"download_link":73,"security_score":25,"vuln_count":13,"unpatched_count":13,"last_vuln_date":26,"fetched_at":27},"personal-library","Personal Library","1.0.0","derekheld","https:\u002F\u002Fprofiles.wordpress.org\u002Fderekheld\u002F","\u003Cp>Personal Library allows you to restrict users to seeing their own media uploads. 
The plugin works by filtering all requests for attachments.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Administrators will always see all attachments\u003C\u002Fli>\n\u003Cli>Enable or disable access to all uploads for the following roles: contributor, author, editor.\u003C\u002Fli>\n\u003C\u002Ful>\n","Restricts users to managing\u002Fusing their own attachments only.",1414,"2015-12-12T17:45:00.000Z","4.4.34","2.8.0",[19,70,20,21,71],"filter","unique","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fpersonal-library\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpersonal-library.1.0.0.zip",{"slug":75,"name":76,"version":77,"author":78,"author_profile":79,"description":80,"short_description":81,"active_installs":82,"downloaded":83,"rating":84,"num_ratings":85,"last_updated":86,"tested_up_to":87,"requires_at_least":88,"requires_php":89,"tags":90,"homepage":94,"download_link":95,"security_score":96,"vuln_count":97,"unpatched_count":13,"last_vuln_date":98,"fetched_at":27},"safe-svg","Safe SVG","2.4.0","10up","https:\u002F\u002Fprofiles.wordpress.org\u002F10up\u002F","\u003Cp>Safe SVG is the best way to Allow SVG Uploads in WordPress!\u003C\u002Fp>\n\u003Cp>It gives you the ability to allow SVG uploads whilst making sure that they’re sanitized to stop SVG\u002FXML vulnerabilities affecting your site.  It also gives you the ability to preview your uploaded SVGs in the media library in all views.\u003C\u002Fp>\n\u003Ch4>Current Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Sanitised SVGs\u003C\u002Fstrong> – Don’t open up security holes in your WordPress site by allowing uploads of unsanitised files.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>SVGO Optimisation\u003C\u002Fstrong> – Runs your SVGs through the SVGO tool on upload to save you space. 
This feature is disabled by default but can be enabled by adding the following code: \u003Ccode>add_filter( 'safe_svg_optimizer_enabled', '__return_true' );\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>View SVGs in the Media Library\u003C\u002Fstrong> – Gone are the days of guessing which SVG is the correct one, we’ll enable SVG previews in the WordPress media library.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Choose Who Can Upload\u003C\u002Fstrong> – Restrict SVG uploads to certain users on your WordPress site or allow anyone to upload.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Initially a proof of concept for \u003Ca href=\"https:\u002F\u002Fcore.trac.wordpress.org\u002Fticket\u002F24251\" rel=\"nofollow ugc\">#24251\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>SVG Sanitization is done through the following library: \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fdarylldoyle\u002Fsvg-sanitizer\" rel=\"nofollow ugc\">https:\u002F\u002Fgithub.com\u002Fdarylldoyle\u002Fsvg-sanitizer\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>SVG Optimization is done through the following library: \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fsvg\u002Fsvgo\" rel=\"nofollow ugc\">https:\u002F\u002Fgithub.com\u002Fsvg\u002Fsvgo\u003C\u002Fa>.\u003C\u002Fp>\n","Enable SVG uploads and sanitize them to stop XML\u002FSVG vulnerabilities in your WordPress website.",1000000,12729263,98,77,"2026-01-04T21:05:00.000Z","6.9.4","6.6","7.4",[20,91,22,92,93],"mime","svg","vector","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fsafe-svg\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsafe-svg.2.4.0.zip",94,6,"2024-10-17 
00:00:00",{"slug":100,"name":101,"version":102,"author":103,"author_profile":104,"description":105,"short_description":106,"active_installs":107,"downloaded":108,"rating":33,"num_ratings":109,"last_updated":110,"tested_up_to":87,"requires_at_least":111,"requires_php":112,"tags":113,"homepage":51,"download_link":118,"security_score":119,"vuln_count":120,"unpatched_count":13,"last_vuln_date":121,"fetched_at":27},"advanced-access-manager","Advanced Access Manager – Access Governance for WordPress","7.1.0","AAM Plugin","https:\u002F\u002Fprofiles.wordpress.org\u002Fvasyltech\u002F","\u003Cp>\u003Cstrong>Advanced Access Manager (AAM)\u003C\u002Fstrong> introduces \u003Cstrong>Access Governance for WordPress\u003C\u002Fstrong> – a systematic approach to securing your site by controlling who can access what, when, and why.\u003C\u002Fp>\n\u003Cp>Most WordPress security plugins focus on external threats like malware, firewalls, and brute-force attacks. AAM addresses the \u003Cstrong>root cause of the #1 WordPress security risk: broken access controls, excessive privileges, and misconfigured roles\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>Instead of reacting to attacks, AAM helps you \u003Cstrong>design security into your WordPress site\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Ch4>What Access Governance means in practice\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Mitigate Broken Access Controls\u003C\u002Fstrong>. Ensure roles, users, and permissions are correctly configured to prevent unauthorized actions and privilege escalation.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Eliminate Excessive Privileges\u003C\u002Fstrong>. Identify overpowered users and reduce access to critical functionality, admin areas, and APIs.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Secure Content by Design\u003C\u002Fstrong>. 
Control who can view, edit, publish, or delete posts, pages, media, taxonomies, and custom content types.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Govern Access with Policy\u003C\u002Fstrong>. Define access rules using JSON Access Policies — portable, auditable, and automation-friendly.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Build Custom Security Logic\u003C\u002Fstrong>. Use the AAM PHP Framework to create advanced, programmatic access controls tailored to your application.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Key Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Security Audit\u003C\u002Fstrong>. Detect risky role assignments, misconfigurations, and compromised accounts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Granular Access Control\u003C\u002Fstrong>. Manage permissions for any user, role, or visitor with precision.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Role & Capability Management\u003C\u002Fstrong>. Customize WordPress roles and capabilities beyond defaults.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Admin & Menu Control\u003C\u002Fstrong>. Restrict dashboard areas and tailor the admin experience per user or role.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>API & Endpoint Protection\u003C\u002Fstrong>. Secure REST and XML-RPC access with fine-grained controls.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Modern Authentication Options\u003C\u002Fstrong>. Support passwordless and secure login flows.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer-Ready Framework\u003C\u002Fstrong>. Extend WordPress security using AAM’s powerful SDK.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Ad-Free & Transparent\u003C\u002Fstrong>. – No ads, no tracking, no bloat.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Built for Security-Conscious WordPress Users\u003C\u002Fh4>\n\u003Cp>AAM is trusted by \u003Cstrong>150,000+ websites\u003C\u002Fstrong> to deliver enterprise-grade access control without unnecessary complexity. 
Whether you’re a site owner, agency, developer, or security professional, AAM gives you \u003Cstrong>full control over WordPress access — by design\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>Most core features are free. Advanced capabilities are available via premium add-ons.\u003C\u002Fp>\n\u003Cp>No hidden tracking. No data collection. No unwanted changes.\u003Cbr \u002F>\nJust \u003Cstrong>security you can reason about, audit, and trust\u003C\u002Fstrong>.\u003C\u002Fp>\n","Access Governance for WordPress. Control roles, users, content, admin areas, and APIs to prevent broken access controls and excessive privileges.",100000,7384389,420,"2026-03-08T15:53:00.000Z","5.8.0","5.6.0",[114,115,116,22,117],"access-governance","api-security","restricted-content","user-roles","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-access-manager.7.1.0.zip",95,11,"2024-03-20 00:00:00",{"slug":123,"name":124,"version":125,"author":126,"author_profile":127,"description":128,"short_description":129,"active_installs":130,"downloaded":131,"rating":132,"num_ratings":133,"last_updated":134,"tested_up_to":87,"requires_at_least":135,"requires_php":51,"tags":136,"homepage":139,"download_link":140,"security_score":141,"vuln_count":13,"unpatched_count":13,"last_vuln_date":26,"fetched_at":27},"media-deduper","Media Deduper","1.5.9","cornershop","https:\u002F\u002Fprofiles.wordpress.org\u002Fcornershop\u002F","\u003Cp>Media Deduper will find and eliminate duplicate images and attachments from your WordPress media library. After installing, you’ll have a new “Manage Duplicates” option in your Media section.\u003C\u002Fp>\n\u003Cp>Before Media Deduper can identify duplicate assets, it will build an index of all the files in your media library, which can take some time. Once that’s done, however, Media Deduper automatically adds new uploads to its index, so you shouldn’t have to generate the index again.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Need faster indexing? 
\u003Ca href=\"https:\u002F\u002Fwww.mediadeduper.com\u002F\" rel=\"nofollow ugc\">Check out Media Deduper Pro\u003C\u002Fa>.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Once up and running, Media Deduper provides you with a “Manage Duplicates” page listing all of your duplicate media files. The list makes it easy to see and delete duplicate files: delete one and its twin will disappear from the list because it’s then no longer a duplicate. Easy! By default, the list is sorted by file size, so you can focus on deleting the files that will free up the most space.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Use this plugin at your own risk. The plugin developers are not responsible for any lost data or site issues as a result of using this plugin.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Media Deduper comes with a “Smart Delete” option that prevents a post’s Featured Image from being deleted, even if that image is found to be a duplicate elsewhere on the site.\u003C\u002Fp>\n\u003Cp>If a post has a featured image that’s a duplicate file, Smart Delete will re-assign that post’s image to an already-in-use copy of the image before deleting the duplicate so that the post’s appearance is unaffected. This feature only tracks Featured Images, and not images used in galleries, post bodies, shortcodes, meta fields, or anywhere else.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Looking for more features? \u003Ca href=\"https:\u002F\u002Fwww.mediadeduper.com\u002F\" rel=\"nofollow ugc\">Media Deduper Pro\u003C\u002Fa> includes features for image fields from several popular plugins as well.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Note that duplicate identification is based on the data of the files themselves, not any titles, captions or other metadata you may have provided in the WordPress admin.\u003C\u002Fp>\n\u003Cp>Media Deduper can differentiate between 1.) media items that are duplicates because the media files they link to have the same data and 2.) 
those that actually point to the same data file, which can happen with a plugin like WP Job Manager or Duplicate Post.\u003C\u002Fp>\n\u003Cp>As with any plugin that can perform destructive operations on your database and\u002For files, using Media Deduper can result in permanent data loss if you’re not careful. \u003Cstrong>Back up your data before you try out Media Deduper! Please!\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Use this plugin at your own risk. The plugin developers are not responsible for any lost data or site issues as a result of using this plugin.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Need more support? \u003Ca href=\"https:\u002F\u002Fwww.mediadeduper.com\u002F\" rel=\"nofollow ugc\">Media Deduper Pro\u003C\u002Fa> includes dedicated support from Cornershop Creative.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>Requirements\u003C\u002Fh3>\n\u003Cp>Media Deduper requires PHP 7.0 or later.\u003C\u002Fp>\n","Save disk space and bring some order to the chaos of your media library by removing and preventing duplicate 
files.",9000,169474,76,43,"2025-12-03T19:24:00.000Z","4.3",[137,19,20,138],"admin","upload","https:\u002F\u002Fwww.mediadeduper.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmedia-deduper.1.5.9.zip",100,{"attackSurface":143,"codeSignals":175,"taintFlows":205,"riskAssessment":206,"analyzedAt":217},{"hooks":144,"ajaxHandlers":167,"restRoutes":172,"shortcodes":173,"cronEvents":174,"entryPointCount":31,"unprotectedCount":31},[145,152,156,160,164],{"type":146,"name":147,"callback":148,"priority":149,"file":150,"line":151},"action","add_meta_boxes","rbammedia_metabox",9,"rbam-media.php",78,{"type":146,"name":153,"callback":154,"priority":11,"file":150,"line":155},"edit_attachment","rbammedia_save",79,{"type":146,"name":157,"callback":158,"file":150,"line":159},"init","rbammedia_init",87,{"type":146,"name":161,"callback":162,"file":150,"line":163},"load-post.php","rbammedia_loadpost",90,{"type":146,"name":165,"callback":162,"file":150,"line":166},"load-post-new.php",91,[168],{"action":169,"nopriv":170,"callback":171,"hasNonce":170,"hasCapCheck":170,"file":150,"line":96},"rbammedia",false,"rbammedia_ajaxsearch",[],[],[],{"dangerousFunctions":176,"sqlUsage":182,"outputEscaping":185,"fileOperations":203,"externalRequests":13,"nonceChecks":31,"capabilityChecks":31,"bundledLibraries":204},[177],{"fn":178,"file":179,"line":180,"context":181},"unserialize","security.php",140,"$value = unserialize($r->meta_value);",{"prepared":183,"raw":13,"locations":184},4,[],{"escaped":13,"rawEcho":149,"locations":186},[187,191,193,194,195,196,198,200,201],{"file":188,"line":189,"context":190},"editor.php",125,"raw 
output",{"file":188,"line":192,"context":190},126,{"file":188,"line":192,"context":190},{"file":188,"line":192,"context":190},{"file":188,"line":192,"context":190},{"file":188,"line":197,"context":190},130,{"file":188,"line":199,"context":190},131,{"file":188,"line":199,"context":190},{"file":188,"line":202,"context":190},172,7,[],[],{"summary":207,"deductions":208},"The \"rbam-media\" v1.1.3 plugin exhibits a mixed security posture. On the positive side, all 4 SQL queries recorded by the static analysis use prepared statements, the code contains one nonce check and one capability check (a rbammedia_class_nonce field appears in the meta-box markup), it makes no external HTTP requests, and no vulnerability has ever been recorded against it.\n\nThe concerns come from the static analysis. The single AJAX handler, rbammedia (callback rbammedia_ajaxsearch), is registered without a nopriv variant, so only logged-in users reach it, but it performs neither a nonce check nor a capability check: any authenticated account, including a subscriber, can call it directly, and a cross-site request can trigger it on that user's behalf. security.php calls unserialize() on a raw meta_value (`$value = unserialize($r->meta_value);`); unserialize() on attacker-influenced data can instantiate arbitrary classes, so it should be replaced by WordPress's own meta accessors or constrained with allowed_classes. Finally, none of the 9 output sites flagged in editor.php are escaped, which is the classic precondition for Cross-Site Scripting (XSS).\n\nWhile the plugin has no known CVEs, that does not establish that it is safe, given these coding weaknesses. The combination of an AJAX endpoint open to every logged-in user, unserialize() on stored data, and unescaped output creates a substantial risk profile for this plugin. 
The absence of taint analysis results could mean that the analysis tool did not find any exploitable flows, or it could indicate limitations in the analysis itself.",[209,212,215],{"reason":210,"points":211},"AJAX handler without auth checks",8,{"reason":213,"points":214},"Dangerous function: unserialize",15,{"reason":216,"points":203},"No output escaping","2026-03-17T00:00:20.929Z",{"wat":219,"direct":226},{"assetPaths":220,"generatorPatterns":222,"scriptPaths":223,"versionParams":224},[221],"\u002Fwp-content\u002Fplugins\u002Frbam-media\u002Fmetabox.js",[],[221],[225],"rbammedia-scripts?ver=1.0.0",{"cssClasses":227,"htmlComments":236,"htmlAttributes":237,"restEndpoints":247,"jsGlobals":248,"shortcodeOutput":249},[228,229,230,231,232,233,234,235],"rbammediabox","rbammedia-security","select-role-or-user","tagsdiv","nojs-tags","hide-if-js","ajaxtag","hide-if-no-js",[],[238,239,240,241,242,243,244,245,246],"id=\"rbammediabox\"","id=\"rbammedia-security\"","id=\"select-role-or-user\"","class='tagsdiv'","class=\"nojs-tags hide-if-js\"","class=\"ajaxtag hide-if-no-js\"","name=\"rbammedia_roles\"","id=\"rbammedia_roles\"","name=\"rbammedia_class_nonce\"",[],[171],[]]
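Added example, not code from rbam-media, its author, or any plugin named on this page: the three static-analysis findings above (an AJAX handler with no nonce or capability check, unserialize() on stored meta, and unescaped output) shown first in their weak form and then hardened with the WordPress APIs that address each, together with the literal role-matching gate the plugin description explains, where a file's role list must name every role that may see it. Every function name, the `example_` action and nonce names, the `_example_roles` meta key and the `q` request parameter are assumptions made for illustration.

```php
<?php
/**
 * Added illustration, not rbam-media's own code. Function names, the action
 * names, the meta key and the request parameter are assumptions.
 */

// --- Weak pattern (what the findings describe) ----------------------------
// Registered only via wp_ajax_ (no nopriv variant), so a login is required,
// but any role can call it, a forged cross-site request can trigger it, and
// the matched role labels are echoed back without escaping.
function example_weak_ajax_search() {
    $term = $_REQUEST['q'] ?? '';                     // no sanitisation
    foreach ( wp_roles()->get_names() as $slug => $label ) {
        if ( '' !== $term && stripos( $label, $term ) !== false ) {
            echo $label . "\n";                         // raw output
        }
    }
    wp_die();
}
add_action( 'wp_ajax_example_search_weak', 'example_weak_ajax_search' );

// --- Hardened pattern -----------------------------------------------------
function example_hardened_ajax_search() {
    // CSRF: the request must carry a nonce minted for this action.
    check_ajax_referer( 'example_search', 'nonce' );
    // Authorisation: require a media-related capability, not just "logged in".
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $term  = sanitize_text_field( wp_unslash( $_REQUEST['q'] ?? '' ) );
    $found = array();
    foreach ( wp_roles()->get_names() as $slug => $label ) {
        if ( '' !== $term && stripos( $label, $term ) !== false ) {
            $found[] = array( 'slug' => $slug, 'label' => $label );
        }
    }
    wp_send_json_success( $found );                     // JSON-encoded, never raw echo
}
add_action( 'wp_ajax_example_search', 'example_hardened_ajax_search' );

// --- Safe handling of a serialized role list ------------------------------
// get_post_meta() already unserializes, so unserialize() on a raw meta_value
// is unnecessary. Where a raw serialized string must still be decoded,
// allowed_classes => false forbids object instantiation (PHP 7.0+).
function example_roles_for_attachment( $attachment_id ) {
    $roles = get_post_meta( $attachment_id, '_example_roles', true );
    if ( is_string( $roles ) && is_serialized( $roles ) ) {
        $roles = unserialize( $roles, array( 'allowed_classes' => false ) );
    }
    return is_array( $roles ) ? array_map( 'sanitize_key', $roles ) : array();
}

// --- Role-based gate as the description explains it -----------------------
// Roles are matched literally, so 'administrator' has to be in the list as
// well; any overlap between the user's roles and the list grants access.
function example_user_may_view( $attachment_id, $user = null ) {
    $user    = $user ?: wp_get_current_user();
    $allowed = example_roles_for_attachment( $attachment_id );
    if ( empty( $allowed ) ) {
        return true;                                    // unmarked files stay public
    }
    return (bool) array_intersect( (array) $user->roles, $allowed );
}

// --- Escaped output in the meta box ---------------------------------------
function example_render_role_field( $attachment_id ) {
    $value = implode( ', ', example_roles_for_attachment( $attachment_id ) );
    wp_nonce_field( 'example_save_roles', 'example_roles_nonce' );
    printf(
        '<input type="text" name="example_roles" value="%s" />',
        esc_attr( $value )                              // esc_attr() instead of raw echo
    );
}
```

The hardened handler returns the same information as the weak one, but a subscriber without `upload_files`, a request without a valid nonce, and a forged cross-site request are all rejected, and the response reaches the browser through `wp_send_json_success()` rather than a raw `echo`. The role gate mirrors the description's caveat: an attachment whose list omits `administrator` is invisible to administrators too.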