[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fP-vVWtD5FHS_45essVzPSzQcM1p96TskQiwuFLbZMx8":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":20,"download_link":21,"security_score":22,"vuln_count":13,"unpatched_count":13,"last_vuln_date":23,"fetched_at":24,"vulnerabilities":25,"developer":26,"crawl_stats":23,"alternatives":33,"analysis":34,"fingerprints":187},"school-holidays","My School Holidays","1.0","johnyma22","https:\u002F\u002Fprofiles.wordpress.org\u002Fjohnyma22\u002F","\u003Cp>Embed a school holiday countdown or calendar widget showing school holiday and term dates in a blog post or in your sidebar.\u003C\u002Fp>\n\u003Cp>My School Holidays has most countries covered so all you will need to do is search for your school or district and drag the widget into your sidebar.\u003C\u002Fp>\n\u003Cp>Note: This plugin will make various HTTP requests to *.myschoolholidays.com as the widget is served from this location.  Searching for your school, area or district is served up from the My School Holidays search API endpoint.  With this in mind please ensure your users and you can access myschoolholidays.com.  
We hope in future generations of the plugin to serve the widget from inside of WordPress.\u003C\u002Fp>\n\u003Ch3>Licence\u003C\u002Fh3>\n\u003Cp>Apache 2\u003C\u002Fp>\n\u003Ch3>Translations\u003C\u002Fh3>\n\u003Cp>en\u003C\u002Fp>\n","Include a school holiday countdown or calendar widget showing school holiday and term dates in a blog post or in your sidebar.",10,1601,0,"2012-07-11T14:42:00.000Z","3.2.1","3.0","",[19],"holiday-dates-holidays-schools-school-district-term-semester","http:\u002F\u002Fmyschoolholidays.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fschool-holidays.zip",85,null,"2026-03-15T15:16:48.613Z",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":27,"total_installs":28,"avg_security_score":29,"avg_patch_time_days":30,"trust_score":31,"computed_at":32},4,40,89,30,86,"2026-04-05T02:48:15.635Z",[],{"attackSurface":35,"codeSignals":60,"taintFlows":153,"riskAssessment":172,"analyzedAt":186},{"hooks":36,"ajaxHandlers":51,"restRoutes":52,"shortcodes":53,"cronEvents":58,"entryPointCount":59,"unprotectedCount":13},[37,43,47],{"type":38,"name":39,"callback":40,"file":41,"line":42},"action","admin_menu","School_Holidays_add_page","mySchoolHolidays.php",54,{"type":38,"name":44,"callback":45,"file":41,"line":46},"init","init_textdomain_School_Holidays",65,{"type":38,"name":48,"callback":49,"file":41,"line":50},"widgets_init","School_Holidays_load_widgets",224,[],[],[54],{"tag":55,"callback":56,"file":41,"line":57},"SchoolHolidays","School_Holidays_Shortcode",213,[],1,{"dangerousFunctions":61,"sqlUsage":62,"outputEscaping":64,"fileOperations":59,"externalRequests":13,"nonceChecks":13,"capabilityChecks":59,"bundledLibraries":152},[],{"prepared":13,"raw":13,"locations":63},[],{"escaped":13,"rawEcho":65,"locations":66},48,[67,71,73,75,77,79,81,83,85,87,89,91,93,95,97,99,101,103,105,107,109,111,113,115,117,118,119,121,123,124,125,127,128,129,131,132,133,135,136,138,140,141,143,145,146,148,150,151],{"file":68,"line":69,"context":70},"aj
ax.php",13,"raw output",{"file":41,"line":72,"context":70},91,{"file":41,"line":74,"context":70},92,{"file":41,"line":76,"context":70},99,{"file":41,"line":78,"context":70},104,{"file":41,"line":80,"context":70},109,{"file":41,"line":82,"context":70},110,{"file":41,"line":84,"context":70},119,{"file":41,"line":86,"context":70},120,{"file":41,"line":88,"context":70},128,{"file":41,"line":90,"context":70},129,{"file":41,"line":92,"context":70},136,{"file":41,"line":94,"context":70},137,{"file":41,"line":96,"context":70},144,{"file":41,"line":98,"context":70},145,{"file":41,"line":100,"context":70},152,{"file":41,"line":102,"context":70},153,{"file":41,"line":104,"context":70},268,{"file":41,"line":106,"context":70},272,{"file":41,"line":108,"context":70},303,{"file":41,"line":110,"context":70},341,{"file":41,"line":112,"context":70},342,{"file":41,"line":114,"context":70},346,{"file":41,"line":116,"context":70},347,{"file":41,"line":116,"context":70},{"file":41,"line":116,"context":70},{"file":41,"line":120,"context":70},352,{"file":41,"line":122,"context":70},354,{"file":41,"line":122,"context":70},{"file":41,"line":122,"context":70},{"file":41,"line":126,"context":70},355,{"file":41,"line":126,"context":70},{"file":41,"line":126,"context":70},{"file":41,"line":130,"context":70},357,{"file":41,"line":130,"context":70},{"file":41,"line":130,"context":70},{"file":41,"line":134,"context":70},366,{"file":41,"line":134,"context":70},{"file":41,"line":137,"context":70},367,{"file":41,"line":139,"context":70},370,{"file":41,"line":139,"context":70},{"file":41,"line":142,"context":70},371,{"file":41,"line":144,"context":70},373,{"file":41,"line":144,"context":70},{"file":41,"line":147,"context":70},374,{"file":41,"line":149,"context":70},381,{"file":41,"line":149,"context":70},{"file":41,"line":149,"context":70},[],[154],{"entryPoint":155,"graph":156,"unsanitizedCount":59,"severity":171},"\u003Cajax> 
(ajax.php:0)",{"nodes":157,"edges":168},[158,163],{"id":159,"type":160,"label":161,"file":68,"line":162},"n0","source","$_GET['text']",6,{"id":164,"type":165,"label":166,"file":68,"line":162,"wp_function":167},"n1","sink","file_get_contents() [SSRF\u002FLFI]","file_get_contents",[169],{"from":159,"to":164,"sanitized":170},false,"medium",{"summary":173,"deductions":174},"The \"school-holidays\" plugin v1.0 exhibits a mixed security posture. On the positive side, the scan flagged no dangerous functions, found no SQL queries at all (none prepared, none raw), and counted no external HTTP request calls. That last count should be read with care: the plugin description states that the widget is served from myschoolholidays.com, and the taint analysis shows request input reaching file_get_contents(), which can also read remote URLs when PHP's allow_url_fopen is enabled. The vulnerability history is also clean, with no recorded CVEs, although the absence of reports does not by itself show that the code is safe.\n\nHowever, significant concerns arise from the static analysis. None of the plugin's 48 outputs is escaped, creating a high risk of Cross-Site Scripting (XSS) wherever an output includes user-controlled data. Furthermore, the taint analysis reveals an unsanitized flow from $_GET['text'] to file_get_contents() in ajax.php, flagged as SSRF\u002FLFI with medium severity. The absence of nonce checks and the presence of a capability check on only one entry point (the shortcode) mean that, while there is some authorization, the lack of output escaping is the more immediate and widespread threat. ajax.php is not listed among the inventoried hooks, AJAX handlers or shortcodes, so those checks may not cover it. The single file operation counted by the scan is presumably this same file_get_contents() call, in which case it does operate on user-supplied data.\n\nIn conclusion, while the plugin has no recorded vulnerabilities and contains no SQL to inject into, the pervasive lack of output escaping is a critical flaw that leaves it exposed to XSS attacks. The unsanitized flow into file_get_contents() identified in taint analysis also presents a risk. 
Developers should prioritize addressing the output escaping and the unsanitized path.",[175,178,180,183],{"reason":176,"points":177},"No output escaping on any output",18,{"reason":179,"points":11},"Taint analysis shows unsanitized path",{"reason":181,"points":182},"No nonce checks on any entry point",7,{"reason":184,"points":185},"Capability check only on one entry point",3,"2026-03-17T00:40:44.939Z",{"wat":188,"direct":196},{"assetPaths":189,"generatorPatterns":192,"scriptPaths":193,"versionParams":195},[190,191],"\u002Fwp-content\u002Fplugins\u002Fschool-holidays\u002Fcss\u002Fmain.css","\u002Fwp-content\u002Fplugins\u002Fschool-holidays\u002Fjs\u002Fmain.js",[],[194],"..\u002Fschool-holidays\u002Fjs\u002Fmain.js",[],{"cssClasses":197,"htmlComments":203,"htmlAttributes":204,"restEndpoints":217,"jsGlobals":218,"shortcodeOutput":219},[198,199,200,201,202],"ds-container","ds-input","ds-results","ds-list","shortcode-for-style",[],[205,206,207,208,209,210,211,212,213,214,215,216],"id=\"ds-container-fb\"","id=\"fb\"","id=\"ds-results-fb\"","id=\"schools-frame-classic\"","id=\"schools-frame-small\"","id=\"schools-frame-large\"","id=\"schools-frame-fullsize\"","id=\"settings_style-5\"","id=\"settings_style-1\"","id=\"settings_style-2\"","id=\"settings_style-3\"","id=\"settings_style-4\"",[],[],[220,221,222,223,224],"[SchoolHolidays id=\"\u003Cspan>","\" type=\"classic\"]","\" type=\"small\"]","\" type=\"large\"]","\" type=\"fullsize\"]"]