[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fF2I6q0YYKae95HARHJKIZtiPcAtfbKAAKxkGPQxvjao":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":11,"last_updated":13,"tested_up_to":14,"requires_at_least":15,"requires_php":16,"tags":17,"homepage":23,"download_link":24,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27,"vulnerabilities":28,"developer":29,"crawl_stats":26,"alternatives":36,"analysis":133,"fingerprints":242},"shift8-security","Shift8 Security","1.01","shift8","https:\u002F\u002Fprofiles.wordpress.org\u002Fshift8\u002F","\u003Cp>Plugin that implements several measures to generally improve the security of your WordPress site. At this point security scan obfuscation of core WordPress versions as well as plugin version enumeration are implemented.\u003C\u002Fp>\n\u003Ch3>Want to see the plugin in action?\u003C\u002Fh3>\n\u003Cp>You can view three example sites where this plugin is live :\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Example Site 1 : \u003Ca href=\"https:\u002F\u002Fwww.stackstar.com\" title=\"Wordpress Hosting\" rel=\"nofollow ugc\">WordPress Hosting\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Example Site 2 : \u003Ca href=\"https:\u002F\u002Fwww.shift8web.ca\" title=\"Web Design in Toronto\" rel=\"nofollow ugc\">Web Design in Toronto\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Restricts or blocks the availability of plugin readme files for enumeration & version detection\u003C\u002Fli>\n\u003C\u002Ful>\n","Plugin that implements several measures to generally improve the security of your Wordpress site. 
At this point security scan obfuscation of core Word &hellip;",0,1120,"2019-07-17T20:45:00.000Z","5.2.24","3.0.1","",[18,19,20,21,22],"block-wpscan","probe","scan","security","wpscan","https:\u002F\u002Fgithub.com\u002Fstardothosting\u002Fshift8-security","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fshift8-security.zip",85,null,"2026-03-15T15:16:48.613Z",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":30,"total_installs":31,"avg_security_score":32,"avg_patch_time_days":33,"trust_score":34,"computed_at":35},11,980,93,30,89,"2026-04-03T23:19:01.912Z",[37,61,82,101,115],{"slug":38,"name":39,"version":40,"author":41,"author_profile":42,"description":43,"short_description":44,"active_installs":45,"downloaded":46,"rating":47,"num_ratings":48,"last_updated":49,"tested_up_to":50,"requires_at_least":51,"requires_php":52,"tags":53,"homepage":56,"download_link":57,"security_score":58,"vuln_count":59,"unpatched_count":11,"last_vuln_date":60,"fetched_at":27},"stop-user-enumeration","Stop User Enumeration","1.7.7","fullworks","https:\u002F\u002Fprofiles.wordpress.org\u002Ffullworks\u002F","\u003Cp>Stop User Enumeration is a security plugin designed to detect and prevent hackers scanning your site for user login names.\u003C\u002Fp>\n\u003Cp>User Enumeration is a type of attack where nefarious parties can probe your website to discover your login name. This is often a pre-cursor to brute-force password attacks. Stop User Enumeration helps block this initial attack and allows you to log IPs launching these attacks to block further attacks in the future.\u003C\u002Fp>\n\u003Cp>Tools like WPSCAN are designed for use by ethical hackers and make efforts to find user login names. 
Ethical hackers ask permission first, this plugin is designed to reduce the tools when used without permission and when used in conjunction with fail2ban can block those attempts at the firewall.\u003C\u002Fp>\n\u003Cp>If you are on a VPS or dedicated server, as the attack IP is logged, you can use (optional additional configuration) fail2ban to block the attack directly at your server’s firewall, a very powerful solution for VPS owners to stop brute force attacks as well as DDoS attacks.\u003C\u002Fp>\n\u003Cp>If you don’t have access to install fail2ban ( e.g. on a Shared Host ) you can still use this plugin.\u003C\u002Fp>\n\u003Cp>The plugin can stop the user id being leaked by the oEmbed API call.\u003C\u002Fp>\n\u003Cp>Since WordPress 4.5 user data can also be obtained by API calls without logging in, this is a WordPress feature, but if you don’t need it to get user data, this\u003Cbr \u002F>\nplugin will restrict and log that too.\u003C\u002Fp>\n\u003Cp>Since WordPress 5.5  sitemaps are generated by core WP  ( wp-sitemap.xml ) which includes a user\u002Fauthor sitemap that exposes the user id.  You can enable \u002F disable this in the plugin settings.\u003C\u002Fp>\n\u003Ch4>PHP 8.4 compatible\u003C\u002Fh4>\n\u003Cp>Tested on PHP 8.4\u003C\u002Fp>\n\u003Ch4>Features Include\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Blocks user enumeration requests by GET or POST\u003C\u002Fli>\n\u003Cli>Syslogs a block so Fail2Ban can be used to block an IP\u003C\u002Fli>\n\u003Cli>Optionally blocks REST API user requests for non authorized users\u003C\u002Fli>\n\u003Cli>Optionally removes author sitemap\u003C\u002Fli>\n\u003Cli>Optionally removes author from OEMBED\u003C\u002Fli>\n\u003Cli>Optionally removes numbers from comment authors\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Privacy\u003C\u002Fh3>\n\u003Cp>This plugin includes an optional email feature for plugin news and updates. 
When enabled:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Your email address may be sent to https:\u002F\u002Ffullworksplugins.com for important plugin updates and security notices\u003C\u002Fli>\n\u003Cli>This is completely optional and requires your explicit consent via the opt-in form in the plugin settings\u003C\u002Fli>\n\u003Cli>No data is collected or transmitted without your permission\u003C\u002Fli>\n\u003Cli>You can opt-out at any time from the plugin settings\u003C\u002Fli>\n\u003Cli>No other personal data is collected or transmitted to external services\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>The plugin logs attempted user enumeration attacks locally using WordPress’s standard logging system:\u003Cbr \u002F>\n* IP addresses of potential attackers are logged locally for security monitoring\u003Cbr \u002F>\n* These logs remain on your server and are not transmitted to any external service\u003Cbr \u002F>\n* Logs can be used with fail2ban or similar tools for enhanced security\u003C\u002Fp>\n\u003Cp>For more information about data handling, please visit https:\u002F\u002Ffullworksplugins.com\u002Fprivacy-policy\u002F\u003C\u002Fp>\n","Helps secure your site against hacking attacks through detecting  User Enumeration",50000,1305856,98,128,"2025-12-15T10:48:00.000Z","6.9.4","6.3","7.4",[54,21,55,22],"fail2ban","user-enumeration","https:\u002F\u002Ffullworksplugins.com\u002Fproducts\u002Fstop-user-enumeration\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fstop-user-enumeration.1.7.7.zip",91,6,"2025-06-26 00:00:00",{"slug":22,"name":62,"version":63,"author":64,"author_profile":65,"description":66,"short_description":67,"active_installs":68,"downloaded":69,"rating":70,"num_ratings":71,"last_updated":72,"tested_up_to":50,"requires_at_least":73,"requires_php":74,"tags":75,"homepage":79,"download_link":80,"security_score":81,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27},"WPScan – WordPress Security 
Scanner","1.16","ethicalhack3r","https:\u002F\u002Fprofiles.wordpress.org\u002Fethicalhack3r\u002F","\u003Cp>\u003Cstrong>Please note:\u003C\u002Fstrong> This plugin is no longer actively supported for non-enterprise customers. \u003Cstrong>We recommend using \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fjetpack-protect\u002F\" rel=\"ugc\">Jetpack Protect\u003C\u002Fa>\u003C\u002Fstrong> – a free security plugin for WordPress that leverages the extensive database of WPScan. Jetpack Protect scans your site and warns you about vulnerabilities, keeping your site one step ahead of security threats and malware.\u003C\u002Fp>\n\u003Cp>The WPScan WordPress security plugin is unique in that it uses its own manually curated \u003Ca href=\"https:\u002F\u002Fwpscan.com\u002F\" rel=\"nofollow ugc\">WPScan WordPress Vulnerability Database\u003C\u002Fa>. The vulnerability database has been around since 2014 and is updated on a daily basis by dedicated WordPress security specialists and the community at large. The database includes more than 21,000 known security vulnerabilities. The plugin uses this database to scan for \u003Ca href=\"https:\u002F\u002Fwpscan.com\u002Fwordpresses\" rel=\"nofollow ugc\">WordPress vulnerabilities\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwpscan.com\u002Fplugins\" rel=\"nofollow ugc\">plugin vulnerabilities\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Fwpscan.com\u002Fthemes\" rel=\"nofollow ugc\">theme vulnerabilities\u003C\u002Fa>, and has the options to schedule automated daily scans and to send email notifications.\u003C\u002Fp>\n\u003Cp>WPScan has a Free API plan that should be suitable for most WordPress websites, however, also has paid plans for users who may need more API calls. 
To use the WPScan WordPress Security Plugin you will need to use a free API token by \u003Ca href=\"https:\u002F\u002Fwpscan.com\u002F\" rel=\"nofollow ugc\">registering here\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>The Free plan allows 25 API requests per day. View the different available \u003Ca href=\"https:\u002F\u002Fwpscan.com\u002Fapi\" rel=\"nofollow ugc\">API plans\u003C\u002Fa>.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch4>How many API requests do you need?\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Our WordPress scanner makes one API request for the WordPress version, one request per installed plugin and one request per installed theme.\u003C\u002Fli>\n\u003Cli>On average, a WordPress website has 22 installed plugins.\u003C\u002Fli>\n\u003Cli>The Free plan should cover around 50% of all WordPress websites.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Security Checks\u003C\u002Fh4>\n\u003Cp>The WPScan WordPress Security Plugin will also check for other security issues, which do not require an API token, such as:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Check for debug.log files\u003C\u002Fli>\n\u003Cli>Check for wp-config.php backup files\u003C\u002Fli>\n\u003Cli>Check if XML-RPC is enabled\u003C\u002Fli>\n\u003Cli>Check for code repository files\u003C\u002Fli>\n\u003Cli>Check if default secret keys are used\u003C\u002Fli>\n\u003Cli>Check for exported database files\u003C\u002Fli>\n\u003Cli>Weak passwords\u003C\u002Fli>\n\u003Cli>HTTPS enabled\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>What does the plugin do?\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Scans for known WordPress vulnerabilities, plugin vulnerabilities and theme vulnerabilities;\u003C\u002Fli>\n\u003Cli>Does additional security checks;\u003C\u002Fli>\n\u003Cli>Shows an icon on the Admin Toolbar with the total number of security vulnerabilities found;\u003C\u002Fli>\n\u003Cli>Notifies you by mail when new security vulnerabilities are found.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Further 
Reading\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwpscan.com\u002F\" rel=\"nofollow ugc\">WPScan WordPress Vulnerability Database\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwpscan.com\u002Fwordpress-security-scanner\" rel=\"nofollow ugc\">WPScan WordPress Security Scanner\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Ftwitter.com\u002F_wpscan_\" rel=\"nofollow ugc\">WPScan Twitter\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n","WPScan WordPress Security Scanner - Scans your system for security vulnerabilities listed in the WPScan Vulnerability Database.",9000,266474,76,28,"2026-01-12T13:09:00.000Z","3.4","5.5",[76,21,77,22,78],"hack","vulnerability","wpvulndb","http:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwpscan\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpscan.1.16.zip",100,{"slug":83,"name":84,"version":85,"author":86,"author_profile":87,"description":88,"short_description":89,"active_installs":90,"downloaded":91,"rating":81,"num_ratings":92,"last_updated":93,"tested_up_to":94,"requires_at_least":95,"requires_php":52,"tags":96,"homepage":99,"download_link":100,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27},"wp-author-security","WP Author Security","1.5.0","mgm security partners GmbH","https:\u002F\u002Fprofiles.wordpress.org\u002Fmgmsp\u002F","\u003Cp>WP Author Security is a lightweight but powerful plugin to protect against user enumeration attacks on author pages and other places where valid user names can be obtained.\u003C\u002Fp>\n\u003Cp>By default, WordPress will display some sensitive information on author pages.\u003Cbr \u002F>\nThe author page is typically called by requesting the URI \u003Ccode>https:\u002F\u002Fyourdomain.tld\u002F?author=\u003Cid>\u003C\u002Fcode> or with permalinks \u003Ccode>https:\u002F\u002Fyourdomain.tld\u002Fauthor\u002F\u003Cusername>\u003C\u002Fcode>.\u003Cbr 
\u002F>\nThe page will include (depending on your theme) the full name (first and last name) as well as the username of the author which is used to log in to WordPress.\u003C\u002Fp>\n\u003Cp>In some cases, it is not wanted to expose this information to the public. An attacker is able to brute force valid IDs or valid usernames. This information might be used for further attacks like social engineering attacks or log in brute force attacks with gathered usernames.\u003Cbr \u002F>\n\u003Cem>However, when using the plugin and you disable author pages completely it must be noted that you need to take care that your active theme will not display the author name itself on posts like “Posted by admin” or something like that. This is something the plugin will not handle (at the moment).\u003C\u002Fem>\u003C\u002Fp>\n\u003Cp>By using the extension, you are able to disable the author pages either completely or display them only when the author has at least one published post. When the page is disabled the default 404 error page of the active theme is displayed.\u003C\u002Fp>\n\u003Cp>In addition, the plugin will also protect other locations which are commonly used by attackers to gather valid user names. These are:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>The REST API for users which will list all users with published posts by default.\u003Cbr \u002F>\n  https:\u002F\u002Fyourdomain.tld\u002Fwp-json\u002Fwp\u002Fv2\u002Fusers\u003C\u002Fli>\n\u003Cli>The log in page where different error messages will indicate whether an entered user name or mail address exists or not. The plugin will display a neutral error message independently whether the user exists or not.\u003C\u002Fli>\n\u003Cli>The password forgotten function will also allow an attacker to check for the existence of a user. 
As for the log in page the plugin will display a neutral message even when the user does not exists.\u003C\u002Fli>\n\u003Cli>Requesting the feed endpoint \u002Ffeed of your blog will also allow others to see the username or display name of the author. The plugin will remove the name from the result list.\u003C\u002Fli>\n\u003Cli>WordPress supports so-called oEmbeds. This is a technique to embed a reference to a post into another post. However, this reference will also contain the author name and a direct link to the profile page. The plugin will also remove the name and link here.\u003C\u002Fli>\n\u003Cli>Since WordPress 5.5 a default sitemap can be reached via \u002Fwp-sitemap.xml. This sitemap will disclose the usernames of all authors. If this should not be disclosed you are able to disable this feature of WordPress.\u003C\u002Fli>\n\u003C\u002Ful>\n","Protect against user enumeration attacks on author pages and other places where valid user names can be obtained.",500,6531,2,"2023-04-12T07:32:00.000Z","6.2.9","4.7",[97,98,21,55,22],"author","privacy","https:\u002F\u002Fgithub.com\u002Fmgm-sp\u002Fwp-author-security","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-author-security.1.5.0.zip",{"slug":102,"name":103,"version":104,"author":105,"author_profile":106,"description":107,"short_description":108,"active_installs":109,"downloaded":110,"rating":11,"num_ratings":11,"last_updated":111,"tested_up_to":14,"requires_at_least":112,"requires_php":16,"tags":113,"homepage":16,"download_link":114,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27},"no-user-enumeration","No User Enumeration","1.3.2","Carlos","https:\u002F\u002Fprofiles.wordpress.org\u002Fcarlost800\u002F","\u003Cp>In many WordPress installations is possible enumerate usernames through the author archives, using urls like 
this:\u003C\u002Fp>\n\u003Cp>http:\u002F\u002Fwpsite\u002F?author=1\u003C\u002Fp>\n\u003Cp>http:\u002F\u002Fwpsite\u002F?author=1\u002F\u003C\u002Fp>\n\u003Cp>http:\u002F\u002Fwpsite\u002F?bypass=1&author%00=1\u003C\u002Fp>\n\u003Cp>http:\u002F\u002Fwpsite\u002F?author%00=%001\u003C\u002Fp>\n\u003Cp>http:\u002F\u002Fwpsite\u002F?%61uthor=1\u003C\u002Fp>\n\u003Cp>And recently WordPress, since 4.7, comes with an integrated REST API that allows listing users:\u003C\u002Fp>\n\u003Cp>curl -s http:\u002F\u002Fwpsite\u002Fwp-json\u002Fwp\u002Fv2\u002Fusers\u002F\u003Cbr \u002F>\ncurl -s http:\u002F\u002Fwpsite\u002F?rest_route=\u002Fwp\u002Fv2\u002Fusers\u003Cbr \u002F>\ncurl http:\u002F\u002Fwpsite\u002F?_method=GET -d rest_route=\u002Fwp\u002Fv2\u002Fusers\u003C\u002Fp>\n\u003Cp>Knowing the username of an administrator is half the battle; now an attacker only needs to guess the password.\u003Cbr \u002F>\nThis plugin stops it.\u003C\u002Fp>\n\u003Cp>Also, it is possible to get usernames from the post entries.\u003Cbr \u002F>\nThis plugin hides the name of the author in a post entry if he is not using a nickname.\u003Cbr \u002F>\nIt also hides the URL page link of an administrator author.\u003C\u002Fp>\n\u003Cp>The main goal is to hide the administrators' usernames.\u003Cbr \u002F>\nObviously, it is better not to choose “admin” as the username because it is easily guessable.\u003C\u002Fp>\n","Stop user enumeration for 
security.",200,4695,"2019-10-23T03:11:00.000Z","2.9",[21,55,22],"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fno-user-enumeration.1.3.2.zip",{"slug":116,"name":117,"version":118,"author":119,"author_profile":120,"description":121,"short_description":122,"active_installs":123,"downloaded":124,"rating":125,"num_ratings":92,"last_updated":126,"tested_up_to":16,"requires_at_least":127,"requires_php":16,"tags":128,"homepage":16,"download_link":132,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27},"n0wpscan","N0WPScan","5.6","GeekParadize","https:\u002F\u002Fprofiles.wordpress.org\u002Fwartraxx93\u002F","\u003Cp>We love security testing, we do it! We love WPSCAN, we use it! However we don’t love people abusing WPSCAN and other automated methods to try and gain access to WordPress sites through known and often easy vulnerabilities. N0WPScan is not a silver bullet, but it will stop unskilled attackers, bots and automated attacks which account for over 90% of all WordPress breaches. The other 10% can be offset with a good firewall, IDS and NSM services. Server load will also be lower and sites faster as this tool will prevent a lot of WordPress related automated testing.\u003C\u002Fp>\n\u003Cp>[!] 
You can prevent most of the common attacks simply by keeping plugins, themes and the core WordPress framework updated\u003C\u002Fp>\n\u003Cp>Benefits\u003Cbr \u002F>\n*   Disables access to admin for everyone except admins and editors\u003Cbr \u002F>\n*   Disables the use of WPScan, a tool commonly used by hackers to attack WordPress, also blocks other automated WP scanners\u003Cbr \u002F>\n*   Blocks hackers from scanning your website for admin users, vulnerable themes, vulnerable plugins and exposed files\u003Cbr \u002F>\n*   Reduces the load on your server\u003Cbr \u002F>\n*   Prevents access to sensitive files\u003C\u002Fp>\n","Secure your Wordpress of WPScan Prevent hackers using WPScan to find vulnerabilities in your site, disable this plugin when you are security testing o &hellip;",40,3536,80,"2020-01-15T19:40:00.000Z","5.2",[129,130,131,21,22],"firewall","hackers","scanning","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fn0wpscan.zip",{"attackSurface":134,"codeSignals":217,"taintFlows":233,"riskAssessment":234,"analyzedAt":241},{"hooks":135,"ajaxHandlers":208,"restRoutes":214,"shortcodes":215,"cronEvents":216,"entryPointCount":145,"unprotectedCount":11},[136,142,148,152,157,161,165,168,171,173,176,179,182,185,188,193,196,201,205],{"type":137,"name":138,"callback":139,"file":140,"line":141},"action","admin_enqueue_scripts","load_shift8_security_wp_admin_style","components\\enqueuing.php",15,{"type":137,"name":143,"callback":144,"priority":145,"file":146,"line":147},"init","shift8_security_init",1,"components\\functions.php",35,{"type":137,"name":149,"callback":150,"file":146,"line":151},"admin_init","shift8_security_loaded",36,{"type":153,"name":154,"callback":155,"priority":30,"file":146,"line":156},"filter","bloginfo_url","closure",67,{"type":153,"name":158,"callback":159,"file":146,"line":160},"xmlrpc_enabled","__return_false",70,{"type":137,"name":162,"callback":163,"priority":145,"file":146,"line":164},"do_feed","shift8_security_disable_fee
d",77,{"type":137,"name":166,"callback":163,"priority":145,"file":146,"line":167},"do_feed_rdf",78,{"type":137,"name":169,"callback":163,"priority":145,"file":146,"line":170},"do_feed_rss",79,{"type":137,"name":172,"callback":163,"priority":145,"file":146,"line":125},"do_feed_rss2",{"type":137,"name":174,"callback":163,"priority":145,"file":146,"line":175},"do_feed_atom",81,{"type":137,"name":177,"callback":163,"priority":145,"file":146,"line":178},"do_feed_rss2_comments",82,{"type":137,"name":180,"callback":163,"priority":145,"file":146,"line":181},"do_feed_atom_comments",83,{"type":153,"name":183,"callback":184,"file":146,"line":32},"tiny_mce_plugins","disable_emojis_tinymce",{"type":153,"name":186,"callback":187,"file":146,"line":47},"the_generator","shift8_security_remove_wp_version_rss",{"type":153,"name":189,"callback":190,"priority":191,"file":146,"line":192},"style_loader_src","shift8_security_remove_wp_ver_css_js",10,101,{"type":153,"name":194,"callback":190,"priority":191,"file":146,"line":195},"script_loader_src",102,{"type":137,"name":197,"callback":198,"file":199,"line":200},"admin_notices","anonymous","components\\S8Sec_Environment.php",319,{"type":137,"name":202,"callback":203,"file":204,"line":59},"admin_menu","shift8_security_create_menu","components\\settings.php",{"type":137,"name":149,"callback":206,"file":204,"line":207},"register_shift8_security_settings",14,[209],{"action":210,"nopriv":211,"callback":212,"hasNonce":213,"hasCapCheck":211,"file":146,"line":71},"shift8_security_response",false,"shift8_security_ajax_process_request",true,[],[],[],{"dangerousFunctions":218,"sqlUsage":219,"outputEscaping":221,"fileOperations":223,"externalRequests":145,"nonceChecks":145,"capabilityChecks":11,"bundledLibraries":232},[],{"prepared":11,"raw":11,"locations":220},[],{"escaped":222,"rawEcho":223,"locations":224},9,3,[225,228,230],{"file":146,"line":226,"context":227},18,"raw 
output",{"file":146,"line":229,"context":227},196,{"file":199,"line":231,"context":227},306,[],[],{"summary":235,"deductions":236},"The shift8-security plugin v1.01 exhibits a generally good security posture, particularly in its handling of SQL queries and its limited attack surface.  All identified entry points, including the single AJAX handler, appear to have authentication checks, and there are no known vulnerabilities in its history. The complete absence of taint analysis findings and raw SQL queries is also a positive indicator of secure coding practices.  However, there are areas for improvement.  A significant portion of output is not properly escaped, which could lead to cross-site scripting (XSS) vulnerabilities if user-supplied data is involved in these outputs.  The presence of file operations and external HTTP requests, while not inherently insecure, warrant careful review to ensure they are not introducing vulnerabilities.  The lack of capability checks is a notable concern, as it implies that access to certain plugin functionalities might not be properly restricted based on user roles.",[237,239],{"reason":238,"points":59},"Unescaped output detected",{"reason":240,"points":191},"Lack of capability checks","2026-03-17T06:31:50.937Z",{"wat":243,"direct":252},{"assetPaths":244,"generatorPatterns":247,"scriptPaths":248,"versionParams":249},[245,246],"\u002Fwp-content\u002Fplugins\u002Fshift8-security\u002Fcss\u002Fshift8_security_admin.css","\u002Fwp-content\u002Fplugins\u002Fshift8-security\u002Fjs\u002Fshift8_security_admin.js",[],[246],[250,251],"shift8_security_css?ver=","shift8_security_script?ver=",{"cssClasses":253,"htmlComments":254,"htmlAttributes":255,"restEndpoints":257,"jsGlobals":258,"shortcodeOutput":260},[],[],[256],"data-nonce",[],[259],"the_ajax_script",[]]