[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f-7kdJaGGjw25r71cbvRTuQT2Se1hibq2UI4s7siqMwo":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":21,"download_link":22,"security_score":23,"vuln_count":24,"unpatched_count":24,"last_vuln_date":25,"fetched_at":26,"vulnerabilities":27,"developer":28,"crawl_stats":25,"alternatives":32,"analysis":33,"fingerprints":92},"seopilot","SeoPilot","1.1","radke447","https:\u002F\u002Fprofiles.wordpress.org\u002Fradke447\u002F","\u003Cp>Wtyczka umożliwia wyświetlanie reklam systemu seopilot.pl przy użyciu widgetów (w przyszłości również shortcode’u i kodu PHP w motywach)\u003C\u002Fp>\n\u003Cp>Funkcjonalność \u002F Major features in SeoPilot 1.1:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Możliwość umieszczania widgetów \u002F Possibility to display ads via widget\u003C\u002Fli>\n\u003Cli>Możliwość zamieszczenia reklam przy użyciu shortcode: [seopilot is_test=0|1 charset=”UTF-8″] (oraz w szablonach poprzez )\u003C\u002Fli>\n\u003Cli>Możliwość zmiany kodowania \u002F Possibility to change encoding\u003C\u002Fli>\n\u003Cli>Możliwość włączania i wyłączania trybu testowego \u002F Possibility to turn on\u002Foff test mode\u003C\u002Fli>\n\u003C\u002Ful>\n","Wtyczka umożliwia wyświetlanie reklam systemu 
seopilot.pl",10,1782,100,1,"2013-09-19T10:10:00.000Z","3.6.1","3.6","",[4,20],"seopilot-pl","http:\u002F\u002Fwww.starla.pl\u002Fwtyczka-seopilot-dla-wordpress\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fseopilot.1.1.zip",85,0,null,"2026-03-15T15:16:48.613Z",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":14,"total_installs":11,"avg_security_score":23,"avg_patch_time_days":29,"trust_score":30,"computed_at":31},30,84,"2026-04-04T11:04:00.636Z",[],{"attackSurface":34,"codeSignals":53,"taintFlows":75,"riskAssessment":76,"analyzedAt":91},{"hooks":35,"ajaxHandlers":46,"restRoutes":47,"shortcodes":48,"cronEvents":52,"entryPointCount":14,"unprotectedCount":24},[36,42],{"type":37,"name":38,"callback":39,"file":40,"line":41},"action","widgets_init","closure","seopilot.php",117,{"type":37,"name":43,"callback":44,"file":40,"line":45},"admin_menu","SeoPilot_Admin_Menu",125,[],[],[49],{"tag":4,"callback":50,"file":40,"line":51},"SeoPilot_Shortcode",122,[],{"dangerousFunctions":54,"sqlUsage":55,"outputEscaping":57,"fileOperations":73,"externalRequests":14,"nonceChecks":24,"capabilityChecks":14,"bundledLibraries":74},[],{"prepared":24,"raw":24,"locations":56},[],{"escaped":24,"rawEcho":58,"locations":59},5,[60,64,66,68,70],{"file":61,"line":62,"context":63},"inc\\widgets.php",25,"raw output",{"file":40,"line":65,"context":63},86,{"file":40,"line":67,"context":63},91,{"file":40,"line":69,"context":63},92,{"file":71,"line":72,"context":63},"SeoPilotClient.php",441,11,[],[],{"summary":77,"deductions":78},"The seopilot plugin v1.1 exhibits a mixed security posture. On the positive side, it has a very small attack surface with only one shortcode and no AJAX handlers or REST API routes that appear to be directly exposed. Furthermore, there are no known vulnerabilities (CVEs) associated with this plugin, and it utilizes prepared statements for all SQL queries, which is a strong security practice. 
The absence of critical or high severity taint flows is also reassuring.\n\nHowever, there are significant areas of concern. The plugin's output escaping is non-existent, with 0% of its outputs properly escaped. This is a critical weakness that could lead to cross-site scripting (XSS) if any user-supplied data is ever displayed on the frontend without sanitization. Additionally, the plugin makes 11 file operations and performs 1 external HTTP request without apparent sanitization or validation, which could be leveraged for path traversal, unauthorized file modifications, or SSRF. The complete lack of nonce checks across all entry points, combined with only one capability check, suggests a significant reliance on the logged-in user's existing permissions rather than robust, per-action authorization, which is a weakness.\n\nThe lack of historical vulnerabilities may only mean that these code weaknesses have gone unnoticed or have not been successfully exploited. The identified code signals, particularly the unescaped output and the extensive file operations and external requests without proper checks, nonetheless represent tangible risks that a motivated attacker could exploit. 
The plugin would benefit greatly from implementing output escaping, better sanitization around file operations and HTTP requests, and more granular authorization checks.",[79,82,84,86,88],{"reason":80,"points":81},"No output escaping",8,{"reason":83,"points":58},"File operations without explicit checks",{"reason":85,"points":58},"External HTTP request without explicit checks",{"reason":87,"points":58},"No nonce checks",{"reason":89,"points":90},"Limited capability checks",2,"2026-03-17T01:29:04.836Z",{"wat":93,"direct":98},{"assetPaths":94,"generatorPatterns":95,"scriptPaths":96,"versionParams":97},[],[],[],[],{"cssClasses":99,"htmlComments":100,"htmlAttributes":101,"restEndpoints":102,"jsGlobals":103,"shortcodeOutput":104},[],[],[],[],[],[105],"\u003Cp>\u003Cstrong>Twoj identyfikator SeoPilot:\u003C\u002Fstrong>\u003Cbr\u002F>\u003Cinput type=\"text\" name=\"SEOPILOT_USER\" value=\""]