[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f4x4V2kvRcWAO6STfocBYxEnVlYxoPNDezS2gW0OwdBI":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":11,"last_updated":13,"tested_up_to":14,"requires_at_least":15,"requires_php":16,"tags":17,"homepage":19,"download_link":20,"security_score":21,"vuln_count":11,"unpatched_count":11,"last_vuln_date":22,"fetched_at":23,"vulnerabilities":24,"developer":25,"crawl_stats":22,"alternatives":33,"analysis":34,"fingerprints":131},"ruigehond-embed","Ruigehond embed","1.4.2","Joeri van Veen","https:\u002F\u002Fprofiles.wordpress.org\u002Fruigehond\u002F","\u003Cp>Plugin to embed selected urls from your site elsewhere.\u003C\u002Fp>\n\u003Ch4>Security\u003C\u002Fh4>\n\u003Cp>Other embedding will be prohibited by default, with an \u003Ccode>X-Frame-Options\u003C\u002Fcode> header and, optionally, a \u003Ccode>Content Security Policy\u003C\u002Fcode> header.\u003Cbr \u002F>\nThis will secure your WordPress website from a number of fairly easy attacks.\u003C\u002Fp>\n\u003Cp>To make this plugin especially useful you can now allow (third party) websites to embed specific urls from your site.\u003Cbr \u002F>\nEasily reuse forms or other content from your main site on satellite sites you own, without opening up any of them to attack.\u003C\u002Fp>\n\u003Ch4>Quick setup\u003C\u002Fh4>\n\u003Cp>Activate the plugin and go to Settings -> Ruigehond embed.\u003Cbr \u002F>\nAdd a reference (e.g. \u003Ccode>general-contact-form\u003C\u002Fcode>) in the \u003Cem>title\u003C\u002Fem> field and save the settings.\u003Cbr \u002F>\nAdd a slug it should serve (e.g. \u003Ccode>\u002Fcontact-clean\u002F\u003C\u002Fcode>) in the \u003Cem>embed\u003C\u002Fem> field.\u003Cbr \u002F>\nAdd urls that may embed this, aka referrers, (e.g. 
\u003Ccode>https:\u002F\u002Fmy-satellite.site\u003C\u002Fcode>) in the textarea.\u003C\u002Fp>\n\u003Ch4>Embedding\u003C\u002Fh4>\n\u003Cp>Install the plugin on your satellite site. This has the added benefit of locking down that site as well.\u003C\u002Fp>\n\u003Cp>Use the simple shortcode on that site to generate an iframe with the embedded content:\u003Cbr \u002F>\n    \u003Ccode>[ruigehond-embed src=\"https:\u002F\u002Fmy-main.site\u002Fruigehond_embed\u002Fgeneral-contact-form\"]\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>Watch the form magically and safely be embedded. Other sites will continue to not be able to embed your content.\u003C\u002Fp>\n\u003Cp>You can also embed using a regular iframe in html, as long as the referrer is whitelisted.\u003Cbr \u002F>\nHowever, by using the plugin and shortcode, the height of the iframe will automatically be adjusted to fit the content.\u003C\u002Fp>\n\u003Ch4>Use htaccess\u003C\u002Fh4>\n\u003Cp>This plugin adds lines (clearly marked) at the beginning of your htaccess file.\u003Cbr \u002F>\nThey need not be at the beginning, but they need to be before the WordPress lines, or any other lines that corrupt the \u003Ccode>THE_REQUEST\u003C\u002Fcode> var.\u003C\u002Fp>\n\u003Cp>This plugin needs \u003Ccode>mod_headers\u003C\u002Fcode>, \u003Ccode>mod_rewrite\u003C\u002Fcode> and \u003Ccode>mod_setenvif\u003C\u002Fcode> to be activated, but they probably already are.\u003C\u002Fp>\n\u003Ch4>Without htaccess\u003C\u002Fh4>\n\u003Cp>When the htaccess is not processed, the plugin itself works directly with the request in the php processor.\u003Cbr \u002F>\nThe CSP header is not supported in that case.\u003Cbr \u002F>\nAlso, other plugins (especially caching plugins) may already have decided on a different route and this plugin might not work.\u003C\u002Fp>\n\u003Ch4>Content Security Policy\u003C\u002Fh4>\n\u003Cp>You can switch on the \u003Ccode>Content Security Policy\u003C\u002Fcode> (or \u003Ccode>CSP\u003C\u002Fcode>) 
header in this plugin, which is the most modern way to tackle these issues.\u003Cbr \u002F>\nHowever, other plugins may interfere, so be sure to check whether the CSP header is to your liking in practice.\u003C\u002Fp>\n\u003Cp>This plugin will add a \u003Ccode>CSP\u003C\u002Fcode> header if none is present yet.\u003Cbr \u002F>\nBut if one is present, the \u003Ccode>frame-ancestors\u003C\u002Fcode> directive must be present in it for this plugin to work.\u003Cbr \u002F>\nIt will only set the \u003Ccode>frame-ancestors\u003C\u002Fcode> directive, none of the others (to not break your site).\u003C\u002Fp>\n","Prevent your site from being embedded. Select specific urls that may be embedded from specific origins.",0,1015,"","6.9.4","6.0","7.4",[18],"x-frame-options-embed-embedding-iframe-sameorigin","https:\u002F\u002Fgithub.com\u002Fjoerivanveen\u002Fruigehond-embed","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fruigehond-embed.1.4.2.zip",100,null,"2026-03-15T10:48:56.248Z",[],{"slug":26,"display_name":7,"profile_url":8,"plugin_count":27,"total_installs":28,"avg_security_score":29,"avg_patch_time_days":30,"trust_score":31,"computed_at":32},"ruigehond",6,3120,98,30,93,"2026-04-04T21:16:47.043Z",[],{"attackSurface":35,"codeSignals":66,"taintFlows":103,"riskAssessment":122,"analyzedAt":130},{"hooks":36,"ajaxHandlers":58,"restRoutes":59,"shortcodes":60,"cronEvents":64,"entryPointCount":65,"unprotectedCount":11},[37,43,47,51,56],{"type":38,"name":39,"callback":40,"file":41,"line":42},"action","init","ruigehond015_run","ruigehond-embed.php",24,{"type":38,"name":44,"callback":45,"file":41,"line":46},"admin_init","ruigehond015_settings",47,{"type":38,"name":48,"callback":49,"file":41,"line":50},"admin_menu","ruigehond015_menuitem",48,{"type":38,"name":52,"callback":53,"priority":54,"file":41,"line":55},"send_headers","closure",99,108,{"type":38,"name":44,"callback":53,"priority":54,"file":41,"line":57},112,[],[],[61],{"tag":4,"callback":62,"file":41,"line":63},"r
uigehond015_shortcode",28,[],1,{"dangerousFunctions":67,"sqlUsage":68,"outputEscaping":70,"fileOperations":101,"externalRequests":11,"nonceChecks":11,"capabilityChecks":65,"bundledLibraries":102},[],{"prepared":11,"raw":11,"locations":69},[],{"escaped":63,"rawEcho":71,"locations":72},14,[73,76,78,80,82,84,86,88,90,92,94,95,97,99],{"file":41,"line":74,"context":75},141,"raw output",{"file":41,"line":77,"context":75},143,{"file":41,"line":79,"context":75},148,{"file":41,"line":81,"context":75},175,{"file":41,"line":83,"context":75},177,{"file":41,"line":85,"context":75},181,{"file":41,"line":87,"context":75},411,{"file":41,"line":89,"context":75},414,{"file":41,"line":91,"context":75},425,{"file":41,"line":93,"context":75},434,{"file":41,"line":93,"context":75},{"file":41,"line":96,"context":75},447,{"file":41,"line":98,"context":75},449,{"file":41,"line":100,"context":75},466,2,[],[104],{"entryPoint":105,"graph":106,"unsanitizedCount":11,"severity":121},"\u003Cruigehond-embed> (ruigehond-embed.php:0)",{"nodes":107,"edges":118},[108,113],{"id":109,"type":110,"label":111,"file":41,"line":112},"n0","source","$_SERVER (x2)",96,{"id":114,"type":115,"label":116,"file":41,"line":96,"wp_function":117},"n1","sink","echo() [XSS]","echo",[119],{"from":109,"to":114,"sanitized":120},true,"low",{"summary":123,"deductions":124},"The 'ruigehond-embed' plugin version 1.4.2 exhibits a generally strong security posture based on the provided static analysis and vulnerability history. The absence of known CVEs and a clean vulnerability history are significant positive indicators. The code analysis reveals no dangerous functions, no SQL injection risks (due to 100% prepared statement usage), and no critical or high-severity taint flows. This suggests a low likelihood of common web vulnerabilities like SQL injection or command execution.\n\nHowever, there are areas that warrant attention. The plugin has a relatively low number of total entry points, with only one shortcode identified. 
While this shortcode does have a capability check, the lack of explicit nonce checks on this entry point, and the fact that 33% of its outputs are not properly escaped, present potential risks. Unescaped output could lead to cross-site scripting (XSS) vulnerabilities if the shortcode handles user-provided data that is then rendered in the browser without proper sanitization. Furthermore, the presence of file operations without explicit security context in the analysis could be a minor concern if these operations involve user-controlled paths or sensitive file manipulation.\n\nIn conclusion, 'ruigehond-embed' v1.4.2 is a relatively secure plugin with no severe or critical vulnerabilities detected. Its strengths lie in its clean vulnerability history and robust handling of SQL queries. The primary weaknesses are the potential for XSS due to unescaped output and the general absence of nonce checks on its sole entry point. Mitigation of these specific issues would further solidify its security.",[125,128],{"reason":126,"points":127},"Unescaped output detected",5,{"reason":129,"points":127},"Missing nonce checks on entry points","2026-03-17T06:02:46.114Z",{"wat":132,"direct":148},{"assetPaths":133,"generatorPatterns":138,"scriptPaths":139,"versionParams":143},[134,135,136,137],"\u002Fwp-content\u002Fplugins\u002Fruigehond-embed\u002Fsnuggle.js","\u002Fwp-content\u002Fplugins\u002Fruigehond-embed\u002Funframe.js","\u002Fwp-content\u002Fplugins\u002Fruigehond-embed\u002Fadmin.css","\u002Fwp-content\u002Fplugins\u002Fruigehond-embed\u002Fadmin.js",[],[140,141,142],"snuggle.js","unframe.js","admin.js",[144,145,146,147],"ruigehond-embed\u002Fsnuggle.js?ver=","ruigehond-embed\u002Funframe.js?ver=","ruigehond-embed\u002Fadmin.css?ver=","ruigehond-embed\u002Fadmin.js?ver=",{"cssClasses":149,"htmlComments":151,"htmlAttributes":153,"restEndpoints":155,"jsGlobals":156,"shortcodeOutput":157},[150],"ruigehond015",[152],"\u003C!-- 
RUIGEHOND015",[154],"data-slug",[],[],[158],"\u003Ciframe style='width:100%;border:0;frame-border:0;height:100vh;overflow:auto;' loading='eager' src="]