[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f-6-gQNB0709IOLxLN3Aiw4TAFJkTAfz2J8iv1MZkKjg":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":11,"last_updated":13,"tested_up_to":14,"requires_at_least":15,"requires_php":16,"tags":17,"homepage":18,"download_link":19,"security_score":20,"vuln_count":11,"unpatched_count":11,"last_vuln_date":21,"fetched_at":22,"vulnerabilities":23,"developer":24,"crawl_stats":21,"alternatives":29,"analysis":30,"fingerprints":89},"rest-api-shield-xml-rpc-blocker","REST API Shield & XML-RPC Blocker","1.0","teamredfox","https:\u002F\u002Fprofiles.wordpress.org\u002Fteamredfox\u002F","\u003Cp>This plugin is designed to fundamentally strengthen the security of your WordPress site.\u003C\u002Fp>\n\u003Cp>By default, WordPress exposes REST API endpoints like the user list (\u002Fwp\u002Fv2\u002Fusers) even to unauthenticated users (anonymous users). This poses a risk of information leakage and can serve as a stepping stone for brute-force attacks by enabling username enumeration.\u003C\u002Fp>\n\u003Cp>Using this plugin, you can finely adjust the following security settings from the “Settings” -> “General” page in the administration area.\u003C\u002Fp>\n\u003Cp>Key Security Features\u003C\u002Fp>\n\u003Ch3>REST API Anonymous Access Restriction:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\n\u003Cp>Core endpoints (such as users, comments, media) and broad routes added by plugins can be specified as a blacklist.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Routes necessary for blog display (such as wp\u002Fv2\u002Fposts) can be specified as a whitelist to exempt them from restrictions.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Configure the HTTP status code (e.g., 403 Forbidden) and a custom error message to return upon access denial, preventing attackers from gaining insight into your site structure.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Complete XML-RPC Blocking:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\n\u003Cp>Completely disable the XML-RPC functionality (xmlrpc.php) at the core WordPress level.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>When an attacker attempts access, the plugin responds with a specified HTTP status code and a custom error message, deceptively denying access.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This plugin is highly recommended for all WordPress sites that require enhanced security.\u003C\u002Fp>\n","A security plugin that controls XML-RPC access and specific WordPress REST API endpoints from anonymous users.",0,179,"","6.8.5","6.8","7.4",[],"https:\u002F\u002Fp-fox.jp\u002Fblog\u002Farchive\u002F367\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frest-api-shield-xml-rpc-blocker.1.0.zip",100,null,"2026-03-15T10:48:56.248Z",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":25,"total_installs":11,"avg_security_score":20,"avg_patch_time_days":26,"trust_score":27,"computed_at":28},2,30,94,"2026-04-05T06:28:14.758Z",[],{"attackSurface":31,"codeSignals":57,"taintFlows":81,"riskAssessment":82,"analyzedAt":88},{"hooks":32,"ajaxHandlers":53,"restRoutes":54,"shortcodes":55,"cronEvents":56,"entryPointCount":11,"unprotectedCount":11},[33,39,45,49],{"type":34,"name":35,"callback":36,"file":37,"line":38},"filter","xmlrpc_enabled","wpashield_control_xmlrpc_status","rest-api-shield-xml-rpc-blocker.php",43,{"type":40,"name":41,"callback":42,"priority":43,"file":37,"line":44},"action","init","wpashield_block_xmlrpc_prank",1,70,{"type":34,"name":46,"callback":47,"priority":43,"file":37,"line":48},"rest_pre_dispatch","closure",81,{"type":40,"name":50,"callback":51,"file":37,"line":52},"admin_init","wpashield_settings_init",324,[],[],[],[],{"dangerousFunctions":58,"sqlUsage":59,"outputEscaping":61,"fileOperations":11,"externalRequests":11,"nonceChecks":11,"capabilityChecks":11,"bundledLibraries":80},[],{"prepared":11,"raw":11,"locations":60},[],{"escaped":62,"rawEcho":63,"locations":64},17,7,[65,68,70,72,74,76,78],{"file":37,"line":66,"context":67},331,"raw output",{"file":37,"line":69,"context":67},344,{"file":37,"line":71,"context":67},360,{"file":37,"line":73,"context":67},409,{"file":37,"line":75,"context":67},421,{"file":37,"line":77,"context":67},433,{"file":37,"line":79,"context":67},445,[],[],{"summary":83,"deductions":84},"The \"rest-api-shield-xml-rpc-blocker\" plugin version 1.0 presents a strong security posture based on the provided static analysis. The absence of any identified AJAX handlers, REST API routes, shortcodes, or cron events, especially those lacking authentication or permission checks, significantly minimizes its attack surface.  Furthermore, the code shows good practices with no dangerous functions, all SQL queries utilizing prepared statements, and a notable lack of file operations or external HTTP requests. Taint analysis also shows no concerning flows. The plugin's vulnerability history is clean, with no recorded CVEs, which suggests a consistent effort towards maintaining security. However, a minor concern arises from the output escaping, where 71% of outputs are properly escaped, leaving a portion that could be susceptible to cross-site scripting (XSS) vulnerabilities if untrusted data is involved.  While the plugin demonstrates a solid foundation and proactive security measures, the imperfect output escaping is the sole area requiring attention.",[85],{"reason":86,"points":87},"Outputs with improper escaping detected",5,"2026-03-17T06:06:48.352Z",{"wat":90,"direct":95},{"assetPaths":91,"generatorPatterns":92,"scriptPaths":93,"versionParams":94},[],[],[],[],{"cssClasses":96,"htmlComments":97,"htmlAttributes":98,"restEndpoints":99,"jsGlobals":102,"shortcodeOutput":103},[],[],[],[100,101],"\u002Fwp\u002Fv2\u002F(users|comments|media)(?:\u002F.*)?","\u002F(users|comments|media)(?:\u002F.*)?",[],[]]