[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fuDa8EoU_YWAhC_At0fSTde5Df7NpIocMhQ_CDjb__0s":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":23,"download_link":24,"security_score":25,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28,"vulnerabilities":29,"developer":30,"crawl_stats":27,"alternatives":38,"analysis":138,"fingerprints":157},"samesite","SameSite Cookies","2.1","Ayesh Karunaratne","https:\u002F\u002Fprofiles.wordpress.org\u002Fayeshrajans\u002F","\u003Cp>This plugin adds the “SameSite” cookie flag to WordPress’s authentication cookies. On supported browsers (all current IE, Edge, Chrome, and Firefox), this can effectively prevent all Cross-Site Request Forgery attacks throughout your WordPress site.\u003C\u002Fp>\n\u003Cp>SameSite cookie flag support was added to PHP in version 7.3, but this plugin ships with a workaround to \u003Cstrong>support all PHP versions\u003C\u002Fstrong> WordPress supports.\u003C\u002Fp>\n\u003Cp>There is no administrative UI provided: Activate this plugin, and you are all set!\u003C\u002Fp>\n\u003Cp>You can configure the SameSite flag value from your WordPress configuration file. You can pick a value from \u003Ccode>Lax\u003C\u002Fcode> (default), \u003Ccode>Strict\u003C\u002Fcode>, or \u003Ccode>None\u003C\u002Fcode>. You can read about \u003Ca href=\"https:\u002F\u002Fphp.watch\u002Farticles\u002FPHP-Samesite-cookies\" rel=\"nofollow ugc\">SameSite cookies here\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>To configure the \u003Ccode>SameSite\u003C\u002Fcode> flag value, edit your WordPress configuration file (\u003Ccode>wp-config.php\u003C\u002Fcode>), and add the following lines right above \u003Ccode>\u002F** Sets up WordPress vars and included files. 
*\u002F\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define( 'WP_SAMESITE_COOKIE', 'Lax' ); \u002F\u002F Pick from 'Lax', 'Strict', or 'None'.\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Note that \u003Cstrong>only the authentication cookies are affected\u003C\u002Fstrong>. Regular cookies that your installed plugins set will \u003Cstrong>not\u003C\u002Fstrong> be affected, nor provide any meaningful value with \u003Ccode>SameSite\u003C\u002Fcode> flags.\u003C\u002Fp>\n","CSRF-protection for authentication cookies. When enabled, this plugin makes sure the \"SameSite\" flag is set in authentication cookies.",900,23180,50,11,"2023-07-23T12:18:00.000Z","6.3.8","6.2","7.0",[20,21,4,22],"cookies","csrf","security","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fsamesite","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsamesite.2.1.zip",85,0,null,"2026-03-15T15:16:48.613Z",[],{"slug":31,"display_name":7,"profile_url":8,"plugin_count":32,"total_installs":33,"avg_security_score":34,"avg_patch_time_days":35,"trust_score":36,"computed_at":37},"ayeshrajans",7,7550,88,30,86,"2026-04-04T03:38:49.951Z",[39,64,81,99,118],{"slug":40,"name":41,"version":42,"author":43,"author_profile":44,"description":45,"short_description":46,"active_installs":47,"downloaded":48,"rating":49,"num_ratings":50,"last_updated":51,"tested_up_to":52,"requires_at_least":53,"requires_php":54,"tags":55,"homepage":60,"download_link":61,"security_score":49,"vuln_count":62,"unpatched_count":26,"last_vuln_date":63,"fetched_at":28},"cookies-and-content-security-policy","Cookies and Content Security Policy","2.37","Johan Jonk Stenström","https:\u002F\u002Fprofiles.wordpress.org\u002Fjonkastonka\u002F","\u003Cp>\u003Cstrong>Be fully GDPR and CCPA compliant through Content Security Policy.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Block cookies and unwanted external content by setting Content Security Policy. 
A modal will be shown on the front end to let the visitor choose what kind of resources to accept. It also adds a layer of security for your site since iframes, scripts and images from unknown domains are blocked.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Multilingual\u003C\u002Fstrong> support through \u003Ca href=\"https:\u002F\u002Fwpml.org\u002F\" rel=\"nofollow ugc\">WPML\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fpolylang.pro\u002F\" rel=\"nofollow ugc\">Polylang\u003C\u002Fa> or probably any multilingual plugin out there since this plugin follows WordPress Coding Standards. See FAQ below on how to translate with WPML or Polylang.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Quickstart:\u003C\u002Fstrong> Choose common resources from a list that are automatically added to your Domains list. So, it’s even easier to set it up! Check, check, check and check!\u003Cbr \u002F>\nUpdated regularly.\u003C\u002Fp>\n\u003Ch3>Free stickers for translators!\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Since we want this plugin to be available in as many languages as possible, I will send you a handful of the new \u003Ca href=\"https:\u002F\u002Fplugins.followmedarling.se\u002F2022\u002F02\u002Fstickers-are-in-the-house\u002F\" rel=\"nofollow ugc\">super cool stickers\u003C\u002Fa> if you translate the plugin!\u003C\u002Fstrong>\u003Cbr \u002F>\nJust translate the plugin to your language, and when it is approved, \u003Ca href=\"https:\u002F\u002Fplugins.followmedarling.se\u002F2022\u002F02\u002Fstickers-are-in-the-house\u002F#respond\" rel=\"nofollow ugc\">comment this post\u003C\u002Fa> and I’ll send it to you, totally free!\u003Cbr \u002F>\nIf you have already translated the plugin and want stickers, of course that counts too! Just comment the post.\u003C\u002Fp>\n","Be fully GDPR and CCPA compliant through Content Security Policy. 
Blocks cookies and unwanted external content.",10000,469239,98,67,"2026-02-17T12:58:00.000Z","6.9.4","5.0","7.4",[56,57,58,20,59],"ccpa","content-security-policy","cookie-bar","gdpr","https:\u002F\u002Fplugins.followmedarling.se\u002Fcookies-and-content-security-policy\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcookies-and-content-security-policy.2.37.zip",2,"2026-01-05 00:00:00",{"slug":65,"name":66,"version":67,"author":7,"author_profile":8,"description":68,"short_description":69,"active_installs":70,"downloaded":71,"rating":72,"num_ratings":62,"last_updated":73,"tested_up_to":16,"requires_at_least":74,"requires_php":75,"tags":76,"homepage":79,"download_link":80,"security_score":25,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28},"comment-form-csrf-protection","Comment Form CSRF Protection","1.4","\u003Cp>WordPress has a 12-year-old unfixed security vulnerability: it does not properly validate incoming comments.\u003C\u002Fp>\n\u003Cp>An attacker can trick both anonymous and logged-in users into posting comments on a victim site without them realizing, while using their own credentials.\u003C\u002Fp>\n\u003Cp>See this issue for more information: https:\u002F\u002Fcore.trac.wordpress.org\u002Fticket\u002F10931\u003C\u002Fp>\n\u003Cp>This is a tiny (fewer than 40 effective lines of code) module that adds a secure token to the comment form and validates it before accepting any comment, thus making your comment forms secure as they should’ve been for all these years!\u003C\u002Fp>\n\u003Cp>It provides no UI – just install it, and you are all set!\u003C\u002Fp>\n\u003Col>\n\u003Cli>This plugin adds a secret cryptographically-secure token to the comment form. 
This is a unique value that is computationally impractical to guess.\u003C\u002Fli>\n\u003Cli>Upon comment submission, the comment is rejected if the secret tokens are not present or computationally invalid.\u003C\u002Fli>\n\u003C\u002Fol>\n","Prevent Cross-Site Request Forgery attacks on your comments form.",500,15435,100,"2023-07-23T12:59:00.000Z","4.2","7.1",[77,21,22,78],"comments","spam","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcomment-form-csrf-protection","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcomment-form-csrf-protection.1.4.zip",{"slug":82,"name":83,"version":84,"author":85,"author_profile":86,"description":87,"short_description":88,"active_installs":89,"downloaded":90,"rating":72,"num_ratings":62,"last_updated":91,"tested_up_to":92,"requires_at_least":53,"requires_php":54,"tags":93,"homepage":96,"download_link":97,"security_score":98,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28},"wpo365-samesite","WPO365 | SAMESITE","1.5","Marco van Wieren","https:\u002F\u002Fprofiles.wordpress.org\u002Fwpo365\u002F","\u003Cp>Plugin for WordPress websites that require a user to sign in (e.g. with Microsoft using the \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwpo365-login\u002F\" rel=\"ugc\">WPO365\u003C\u002Fa> plugin) and that are loaded inside an iframe (e.g. inside a Microsoft Teams App \u002F Tab or similar). The plugin overrides the pluggable WordPress function \u003Cstrong>wp_set_auth_cookie\u003C\u002Fstrong> to \u003Cem>always\u003C\u002Fem> set \u003Cstrong>SameSite=None\u003C\u002Fstrong> to enable third-party usage of cookies.\u003C\u002Fp>\n\u003Ch4>Prerequisites\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>The \u003Cstrong>SameSite=None\u003C\u002Fstrong> flag is only respected by browsers such as Chrome when the cookie’s Secure flag is set. 
Therefore the website must use SSL for the plugin to effectively enable browser support for 3rd party cookies.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Support\u003C\u002Fh4>\n\u003Cp>I will go to great length trying to support you if the plugin doesn’t work as expected. Go to our \u003Ca href=\"https:\u002F\u002Fwww.wpo365.com\u002Fhow-to-get-support\u002F\" rel=\"nofollow ugc\">Support Page\u003C\u002Fa> to get in touch. I haven’t been able to test our plugin in all endless possible WordPress configurations and versions so I am keen to hear from you and happy to learn!\u003C\u002Fp>\n\u003Ch4>Feedback\u003C\u002Fh4>\n\u003Cp>I am keen to hear from you so share your feedback with me on \u003Ca href=\"https:\u002F\u002Ftwitter.com\u002FWPO365\" rel=\"nofollow ugc\">Twitter\u003C\u002Fa> and help me get better!\u003C\u002Fp>\n\u003Ch4>Open Source\u003C\u002Fh4>\n\u003Cp>When you’re a developer and interested in the code you should have a look at the corresponding gist at \u003Ca href=\"https:\u002F\u002Fgist.github.com\u002Fwpo365\u002Fb0a1c3c8c5612fd0012de2e2f65c09c4\" rel=\"nofollow ugc\">github\u003C\u002Fa>.\u003C\u002Fp>\n","Plugin for WordPress websites that require a user to sign in (e.g. 
with Microsoft using the WPO365 plugin) and that are loaded inside an iframe (e.g.",200,4710,"2025-01-20T09:27:00.000Z","6.7.5",[20,94,4,95],"microsoft-teams","teams","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwpo365-samesite\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpo365-samesite.1.5.zip",92,{"slug":100,"name":101,"version":102,"author":103,"author_profile":104,"description":105,"short_description":106,"active_installs":72,"downloaded":107,"rating":108,"num_ratings":62,"last_updated":109,"tested_up_to":110,"requires_at_least":111,"requires_php":112,"tags":113,"homepage":116,"download_link":117,"security_score":25,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28},"secure-http-headers","Secure HTTP Headers","1.0","shasha310","https:\u002F\u002Fprofiles.wordpress.org\u002Fshasha310\u002F","\u003Cp>Harden your web applications.\u003C\u002Fp>\n\u003Cp>HTTP header fields are components of the header section of request and response messages. The headers define the operating parameters of an HTTP transaction.\u003C\u002Fp>\n\u003Cp>Securing HTTP headers will improve the resilience of your web application against many common attacks including those that are on the OWASP top 10 list.\u003C\u002Fp>\n\u003Cp>Securing headers can also improve your SEO rank, in addition to preventing websites from being marked as dangerous by browsers and antivirus applications.\u003C\u002Fp>\n\u003Cp>Protect sensitive user information and be compliant with privacy regulations. Defend users against theft of private data by protecting website cookies. 
Use the proper directive such as “secure”, “httponly” and “samesite”, all of those will be applied automatically by “Secure HTTP Headers” plugin.\u003C\u002Fp>\n\u003Cp>Secure HTTP Headers will automatically analyze any website and will build up secure headers directives, by the latest best practice.\u003C\u002Fp>\n\u003Cp>In addition, Secure HTTP Headers offers fully configurable options, apply or skip any header directive as needed.\u003C\u002Fp>\n\u003Cp>Install and activate Secure HTTP Headers with full confidence, the deactivation of this plugin will return your website header directives to their original state.\u003C\u002Fp>\n\u003Ch3>Main plugin functionality\u003C\u002Fh3>\n\u003Col>\n\u003Cli>\n\u003Cp>HTTP Strict Transport Security – helps to protect websites against man-in-the-middle attacks and cookie hijacking\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>X-Frame-Options – helps to protect users against ClickJacking attacks\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>X-Content-Type-Options  – helps to prevent the browser from MIME-sniffing\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Referrer-Policy – helps to control how much referrer information should be included with requests\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Clear-Site-Data – helps to ensure that data is deleted from the browser if the user logs out\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>X-Download-Options – helps to control how IE 8 will handle downloaded HTML files\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Access-Control-Allow-Origin – helps to ensure whether the response can be shared with requesting code from the given origin\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Cross-Origin-Embedder-Policy – helps to prevent a document from loading any cross-origin resources that don’t explicitly grant the document permission\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Permissions-Policy – helps to allow and deny the use of browser 
features in its own frame, and in content within any iframe elements in the document\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Cross-Origin-Opener-Policy – helps to protect websites against a set of cross-origin attacks dubbed XS-Leaks\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Cross-Origin-Resource-Policy – helps to protect websites against speculative side-channel attacks, like Spectre, as well as Cross-Site Script Inclusion attacks\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>X-Permitted-Cross-Domain-Policies – helps to control how cross-domain requests from Flash and PDF documents are handled\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Cookie Http-Only flag – helps to protect websites against Cross-Site Scripting, or XSS attacks\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Cookie Secure flag – helps to ensure that cookie is sent over a secure connection\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Cookie Samesite Lax flag – helps to protect websites against CSRF and XSSI attacks\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Expect-CT – helps to prevent the use of misissued certificates for a website. 
Note: The Expect-CT will likely become obsolete in June 2021\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>What are the optional extras?\u003C\u002Fh3>\n\u003Cp>Magnisec is offering “Secure HTTP Headers enhanced”\u003C\u002Fp>\n\u003Cp>A plugin that additionally contains an engine that watches for website changes and builds a CSP (Content Security Policy), a best practice recommended by all professional security experts that mitigates XSS (Cross-Site Scripting), one of the most common and destructive attacks.\u003C\u002Fp>\n\u003Cp>Price: 50$ \u002Fyear for a domain.\u003C\u002Fp>\n\u003Cp>More details and installation \u003Ca href=\"https:\u002F\u002Fmagnisec.com\" rel=\"nofollow ugc\">here\u003C\u002Fa>\u003C\u002Fp>\n","Secure HTTP headers - Essential, and easy.",2542,60,"2021-04-13T08:27:00.000Z","5.7.15","5.3","7.2",[20,114,115,22],"hardening","headers","https:\u002F\u002Fmagnisec.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsecure-http-headers.1.0.zip",{"slug":119,"name":120,"version":121,"author":122,"author_profile":123,"description":124,"short_description":125,"active_installs":126,"downloaded":127,"rating":72,"num_ratings":128,"last_updated":129,"tested_up_to":130,"requires_at_least":131,"requires_php":132,"tags":133,"homepage":136,"download_link":137,"security_score":25,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28},"ip-dependent-cookies","IP Dependent Cookies","1.2.1","Denis V (Artprima)","https:\u002F\u002Fprofiles.wordpress.org\u002Fv-media\u002F","\u003Cp>Each time you login to your blog WordPress creates a session cookie which is used to authenticate you.\u003Cbr \u002F>\nBy default if someone somehow gets your cookies he (or she) is able to use them to compromise your blog\u003Cbr \u002F>\n(even without having to know your password!). 
To prevent this you may want to make your auth cookies\u003Cbr \u002F>\nip-dependent so that they could be valid only for that ip which you used during login.\u003C\u002Fp>\n\u003Cp>Use this plugin only if you have a static IP or dynamic which doesn’t change too often. Otherwise, you’ll\u003Cbr \u002F>\nhave to enter your login and password each time your IP changes.\u003C\u002Fp>\n","Plugin IP Dependent Cookies makes your Wordpress installation more secure adding your IP to salt (which makes cookies IP-dependent).",20,3273,1,"2016-03-23T09:13:00.000Z","4.4.34","2.9","",[134,20,135,22],"auth","safety","http:\u002F\u002Fv-media.cz\u002Fip-dependent-cookies\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fip-dependent-cookies.zip",{"attackSurface":139,"codeSignals":145,"taintFlows":152,"riskAssessment":153,"analyzedAt":156},{"hooks":140,"ajaxHandlers":141,"restRoutes":142,"shortcodes":143,"cronEvents":144,"entryPointCount":26,"unprotectedCount":26},[],[],[],[],[],{"dangerousFunctions":146,"sqlUsage":147,"outputEscaping":149,"fileOperations":26,"externalRequests":26,"nonceChecks":26,"capabilityChecks":26,"bundledLibraries":151},[],{"prepared":26,"raw":26,"locations":148},[],{"escaped":26,"rawEcho":26,"locations":150},[],[],[],{"summary":154,"deductions":155},"The 'samesite' plugin v2.1 demonstrates a strong security posture based on the provided static analysis. The complete absence of identified dangerous functions, SQL queries without prepared statements, and properly escaped output indicates a diligent approach to secure coding practices.  Furthermore, the lack of file operations, external HTTP requests, and the absence of any listed vulnerabilities in its history are all positive indicators of a well-maintained and secure plugin. 
The plugin has a minimal attack surface with no identifiable entry points requiring further security scrutiny.\n\nWhile the static analysis reveals no immediate code-level vulnerabilities, the complete lack of nonce and capability checks across all identified entry points (even though there are none) is a notable observation. While not a current risk given the zero entry points, it suggests a potential area for future improvement if the plugin's functionality expands. The vulnerability history being entirely clean is an excellent sign, suggesting a history of secure development and prompt patching if any issues have ever arisen.\n\nIn conclusion, 'samesite' v2.1 appears to be a highly secure plugin. Its strengths lie in its clean code, absence of common vulnerabilities, and a completely transparent vulnerability history. The only minor point of consideration is the lack of implemented authentication checks, which is more of a prophylactic suggestion for future development rather than an immediate risk given its current limited attack surface.",[],"2026-03-16T19:14:40.217Z",{"wat":158,"direct":163},{"assetPaths":159,"generatorPatterns":160,"scriptPaths":161,"versionParams":162},[],[],[],[],{"cssClasses":164,"htmlComments":165,"htmlAttributes":166,"restEndpoints":167,"jsGlobals":168,"shortcodeOutput":170},[],[],[],[],[169],"WP_SAMESITE_COOKIE",[]]