[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fRk69iPsWs9VpbL81bBMnFFOKqimhT4yMaFW5WtfjjHg":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":9,"tags":18,"homepage":24,"download_link":25,"security_score":26,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29,"vulnerabilities":30,"developer":45,"crawl_stats":36,"alternatives":51,"analysis":160,"fingerprints":336},"shortcode-generator","Shortcode Generator","1.1","kylegetson","https:\u002F\u002Fprofiles.wordpress.org\u002Fkylegetson\u002F","","Generate as many shortcodes. Keep pages synchronized for split testing, or reuse a specific peice of code on multiple pages.",100,13052,60,2,"2009-11-17T01:22:00.000Z","2.8.6","2.8.0",[19,20,21,22,23],"cms","shortcodes","split-testing","unlimited","widgets","http:\u002F\u002Fwww.getson.info\u002Fshortcode-generator","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fshortcode-generator.1.1.zip",63,1,"2025-07-08 00:00:00","2026-03-15T15:16:48.613Z",[31],{"id":32,"url_slug":33,"title":34,"description":35,"plugin_slug":4,"theme_slug":36,"affected_versions":37,"patched_in_version":36,"severity":38,"cvss_score":39,"cvss_vector":40,"vuln_type":41,"published_date":28,"updated_date":42,"references":43,"days_to_patch":36},"CVE-2025-49945","shortcode-generator-reflected-cross-site-scripting","Shortcode Generator \u003C= 1.1 - Reflected Cross-Site Scripting","The Shortcode Generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",null,"\u003C=1.1","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2025-11-17 18:13:40",[44],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fec51f8e4-dba6-44e7-876b-2be58df19b8d?source=api-prod",{"slug":7,"display_name":7,"profile_url":8,"plugin_count":14,"total_installs":46,"avg_security_score":47,"avg_patch_time_days":48,"trust_score":49,"computed_at":50},140,74,30,76,"2026-04-04T07:11:19.566Z",[52,76,97,118,140],{"slug":53,"name":54,"version":55,"author":56,"author_profile":57,"description":58,"short_description":59,"active_installs":60,"downloaded":61,"rating":11,"num_ratings":27,"last_updated":62,"tested_up_to":63,"requires_at_least":64,"requires_php":65,"tags":66,"homepage":70,"download_link":71,"security_score":72,"vuln_count":73,"unpatched_count":74,"last_vuln_date":75,"fetched_at":29},"apollo13-framework-extensions","Apollo13 Framework Extensions","1.9.9","apollo13themes","https:\u002F\u002Fprofiles.wordpress.org\u002Fapollo13themes\u002F","\u003Cp>\u003Cstrong>Apollo13 Framework Extensions\u003C\u002Fstrong> adds few features to themes build on Apollo13 Framework. 
These are:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Designs Importer,\u003C\u002Fli>\n\u003Cli>shortcodes based on Apollo13 Framework features: writtng effect, count down, socials, scroller, slider, galleries, post grid,\u003C\u002Fli>\n\u003Cli>support for WPBakery Page Builder elements added by Apollo13 Framework,\u003C\u002Fli>\n\u003Cli>custom post types: albums, works & people,\u003C\u002Fli>\n\u003Cli>Export\u002FImport of theme options,\u003C\u002Fli>\n\u003Cli>Custom Sidebar,\u003C\u002Fli>\n\u003Cli>Custom CSS,\u003C\u002Fli>\n\u003Cli>Meta options that are creating content for posts, pages, albums and works,\u003C\u002Fli>\n\u003Cli>Responsive Image resizing ,\u003C\u002Fli>\n\u003Cli>Maintenance mode.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This plugin requires one of themes build on \u003Cstrong>Apollo13 Framework\u003C\u002Fstrong> theme to be installed.\u003C\u002Fp>\n\u003Cp>It is mostly used for:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fapollo13themes.com\u002Frife\u002Ffree\u002F\" rel=\"nofollow ugc\">Rife Free\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fapollo13themes.com\u002Frife\u002F\" rel=\"nofollow ugc\">Rife Pro\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Credits & Copyright\u003C\u002Fh3>\n\u003Ch4>Anime.js, Copyright 2019 Julian Garnier\u003C\u002Fh4>\n\u003Cp>Licenses: MIT\u003Cbr \u002F>\nSource: https:\u002F\u002Fanimejs.com\u002F\u003C\u002Fp>\n","Adds custom post types, shortcodes and some features that are used in themes built on Apollo13 Framework.",20000,534616,"2025-12-04T08:12:00.000Z","6.5.8","4.7","5.4.0",[67,68,20,69],"custom-post-types","elementor-widgets","wpbakery-page-builder-support","https:\u002F\u002Fapollo13themes.com\u002Frife\u002Ffree","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fapollo13-framework-extensions.zip",95,6,0,"2026-02-18 
15:32:44",{"slug":77,"name":78,"version":79,"author":80,"author_profile":81,"description":82,"short_description":83,"active_installs":84,"downloaded":85,"rating":11,"num_ratings":86,"last_updated":87,"tested_up_to":63,"requires_at_least":88,"requires_php":89,"tags":90,"homepage":92,"download_link":93,"security_score":94,"vuln_count":95,"unpatched_count":74,"last_vuln_date":96,"fetched_at":29},"weaverx-theme-support","Weaver Xtreme Theme Support","6.5.1","wpweaver","https:\u002F\u002Fprofiles.wordpress.org\u002Fwpweaver\u002F","\u003Cp>This is the theme support for the Weaver Xtreme Theme. This plugin provides a collection of useful shortcodes and widgets designed to complement the Weaver Xtreme theme. These shortcodes have been selected and developed based on requests and feedback from thousands of users of the Weaver Xtreme and previous versions of Weaver.\u003C\u002Fp>\n\u003Cp>This plugin also provides the Legacy Weaver Xtreme Admin Dashboard interface. The Legacy Admin is an old style interface alternative to the Customizer interface. The Legacy Interface has been updated for compatibility with Weaver Xtreme Version 5, and will automatically update and convert .wxt settings files from Weaver Xtreme 4.\u003C\u002Fp>\n\u003Cp>Includes complete documentation help file. 
Instructions for using the shortcodes and widgets are in the help file.\u003C\u002Fp>\n\u003Ch4>Shortcodes included\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>[tab_group]\u003C\u002Fstrong> – Display content in a tabbed box.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003C!--YouTube Error: bad URL entered-->\u003C\u002Fstrong> – Show your YouTube videos responsively, and with the capability to use any of the YouTube custom display options.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003C!-- vimeo error: not a vimeo video -->\u003C\u002Fstrong> –  Show your Vimeo videos responsively, and with the capability to use any of the Vimeo custom display options.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>[iframe]\u003C\u002Fstrong> – Quick and easy display of content in an iframe.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>[div]\u003C\u002Fstrong>, \u003Cstrong>[span]\u003C\u002Fstrong>, \u003Cstrong>[html]\u003C\u002Fstrong> – Add div, span, and other html to pages\u002Fposts without the need to switch to Text view.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>[hide\u002Fshow_if]\u003C\u002Fstrong> – Show or hide content depending upon options: device, page ID, user capability, logged in status.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>[bloginfo]\u003C\u002Fstrong> – Display any information available from WordPress bloginfo function.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>[user_can]\u003C\u002Fstrong> – Display content base on logged-in user role.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>[site_title]\u003C\u002Fstrong> – Display Site title.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>[site_tagline]\u003C\u002Fstrong> – Display Site tag line.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Widgets Included\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Weaver 2 Column Text Widget\u003C\u002Fstrong> – Add text into two columns in a widget\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Weaver Per Page Text Widget\u003C\u002Fstrong> – Add a text widget on a per-page basis\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Weaver 
Login\u003C\u002Fstrong> – Simplified login widget\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Licenses\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>The Weaver Xtreme Theme Support plugin is licensed under the terms of the GNU GENERAL PUBLIC LICENSE, Version 2,\u003Cbr \u002F>\nJune 1991. (GPL) The full text of the license is in the license.txt file.\u003C\u002Fli>\n\u003Cli>All images included with this plugin are either original works of the author which\u003Cbr \u002F>\nhave been placed into the public domain, or have been derived from other public domain sources,\u003Cbr \u002F>\nand thus need no license. (This does not include the images provided with any of the\u003Cbr \u002F>\nbelow listed scripts and libraries. Those images are covered by their respective licenses.)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This plugin also includes several scripts and libraries that are covered under the terms\u003Cbr \u002F>\nof their own licenses in the listed files in the plugin distribution:\u003C\u002Fp>\n","A useful shortcode and widget collection for Weaver Xtreme",9000,382934,4,"2024-05-31T18:31:00.000Z","6.0","7.2",[20,91,23],"weaver-xtreme-theme","http:\u002F\u002Fweavertheme.com\u002Fplugins","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fweaverx-theme-support.6.5.1.zip",89,3,"2024-06-04 19:18:53",{"slug":98,"name":99,"version":100,"author":101,"author_profile":102,"description":103,"short_description":104,"active_installs":105,"downloaded":106,"rating":11,"num_ratings":27,"last_updated":107,"tested_up_to":108,"requires_at_least":109,"requires_php":110,"tags":111,"homepage":115,"download_link":116,"security_score":47,"vuln_count":95,"unpatched_count":27,"last_vuln_date":117,"fetched_at":29},"popularis-extra","Popularis Extra","1.2.10","Themes4WP","https:\u002F\u002Fprofiles.wordpress.org\u002Fthemes4wp\u002F","\u003Cp>Popularis Extra gives you access to demo import for free PopularisWP themes, extra features like widgets, shortcodes or additional Elementor 
widgets.\u003C\u002Fp>\n\u003Cp>This plugin requires PopularisWP theme to be installed.\u003C\u002Fp>\n\u003Ch3>Supported Themes\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fthemes\u002Fpopularis\u002F\" rel=\"ugc\">Popularis\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fpopulariswp.com\u002Fpopularis-ecommerce\u002F\" rel=\"nofollow ugc\">Popularis eCommerce\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fthemes\u002Fpopularis-verse\u002F\" rel=\"ugc\">Popularis Verse\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fthemes\u002Fpopularis-hub\u002F\" rel=\"ugc\">Popularis Hub\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fthemes\u002Fpopularis-star\u002F\" rel=\"ugc\">Popularis Star\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fthemes\u002Fpopularis-writer\u002F\" rel=\"ugc\">Popularis Writer\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fthemes\u002Fpopularis-press\u002F\" rel=\"ugc\">Popularis Press\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fpopulariswp.com\u002Fpopularis-fashion\u002F\" rel=\"nofollow ugc\">Popularis Fashion\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fpopulariswp.com\u002Fpopularis-business\u002F\" rel=\"nofollow ugc\">Popularis Business\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n","Popularis Extra add extra features to Popularis theme like demo import, widgets, shortcodes or Elementor widgets.",8000,225336,"2025-12-03T07:12:00.000Z","6.9.4","4.4","5.6",[112,113,114,20,23],"demo","elementor","import","https:\u002F\u002Fpopulariswp.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpopularis-extra.1.2.10.zip","2026-01-28 
00:00:00",{"slug":119,"name":120,"version":121,"author":122,"author_profile":123,"description":124,"short_description":125,"active_installs":126,"downloaded":127,"rating":128,"num_ratings":129,"last_updated":130,"tested_up_to":131,"requires_at_least":132,"requires_php":9,"tags":133,"homepage":137,"download_link":138,"security_score":139,"vuln_count":74,"unpatched_count":74,"last_vuln_date":36,"fetched_at":29},"restrict-widgets","Restrict Widgets","1.3.1","dFactory","https:\u002F\u002Fprofiles.wordpress.org\u002Fdfactory\u002F","\u003Cp>\u003Ca href=\"http:\u002F\u002Fwww.dfactory.eu\u002Fplugins\u002Frestrict-widgets\u002F\" rel=\"nofollow ugc\">Restrict Widgets\u003C\u002Fa> is all in one solution for widget management in WordPress. It lets you easily control the pages that each widget will appear on and avoid creating multiple sidebars and duplicating widgets. You can also set who can manage widgets, which sidebars and widgets will be available to selected users, which widget options will be available and how it will be displayed.\u003C\u002Fp>\n\u003Cp>By default, Hide widget on selected is enabled with no options selected, so all current widgets will continue to display on all pages.\u003C\u002Fp>\n\u003Cp>For more information, check out plugin page at \u003Ca href=\"http:\u002F\u002Fwww.dfactory.eu\u002F\" rel=\"nofollow ugc\">dFactory\u003C\u002Fa> or plugin \u003Ca href=\"http:\u002F\u002Fwww.dfactory.eu\u002Fsupport\u002Fforum\u002Frestrict-widgets\u002F\" rel=\"nofollow ugc\">support forum\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch4>Features include:\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Hide or display each widget on selected pages, posts, categories, custom taxonomies, custom post types, single posts, archives, special pages, for logged in or logged out users, current language, mobile device and so on\u003C\u002Fli>\n\u003Cli>Select which user roles are restricted to manage widgets\u003C\u002Fli>\n\u003Cli>Select which sidebars will be restricted to admins 
only\u003C\u002Fli>\n\u003Cli>Select which widgets will be restricted to admins only\u003C\u002Fli>\n\u003Cli>Select which widget options will be restricted to admins only\u003C\u002Fli>\n\u003Cli>Choose to display or not widget options as groups\u003C\u002Fli>\n\u003Cli>Option to modify the is_active_sidebar() function to use Restrict Widgets display settings\u003C\u002Fli>\n\u003Cli>Multisite compatible\u003C\u002Fli>\n\u003Cli>WPML compatible\u003C\u002Fli>\n\u003Cli>Polylang compatible\u003C\u002Fli>\n\u003Cli>.pot file for translations included\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Translations:\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Chinese – by Changmeng Hu\u003C\u002Fli>\n\u003Cli>Czech – by Martin Kucera\u003C\u002Fli>\n\u003Cli>German – by \u003Ca href=\"http:\u002F\u002Fapart-webdesign.de\u002F\" rel=\"nofollow ugc\">Angelika Reisiger\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Hebrew – by \u003Ca href=\"http:\u002F\u002Fatar4u.com\u002F\" rel=\"nofollow ugc\">Ahrale Shrem\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Italian – by \u003Ca href=\"http:\u002F\u002Fsododesign.it\u002F\" rel=\"nofollow ugc\">Davide Pante\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Polish – by Bartosz Arendt\u003C\u002Fli>\n\u003C\u002Ful>\n","All in one widgets and sidebars management in WordPress. 
Allows you to hide or display widgets on specified pages and restrict access for users.",4000,132717,96,36,"2017-11-28T12:16:00.000Z","4.7.32","4.0",[19,134,135,136,23],"conditional-tags","widget","widget-only","http:\u002F\u002Fwww.dfactory.eu\u002Fplugins\u002Frestrict-widgets\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frestrict-widgets.1.3.1.zip",85,{"slug":141,"name":142,"version":143,"author":144,"author_profile":145,"description":146,"short_description":147,"active_installs":148,"downloaded":149,"rating":150,"num_ratings":151,"last_updated":152,"tested_up_to":153,"requires_at_least":154,"requires_php":155,"tags":156,"homepage":157,"download_link":158,"security_score":26,"vuln_count":27,"unpatched_count":27,"last_vuln_date":159,"fetched_at":29},"series","Series","2.0.1","Justin Tadlock","https:\u002F\u002Fprofiles.wordpress.org\u002Fgreenshady\u002F","\u003Cp>Series is a plugin created to allow users to easily link posts together by using a WordPress taxonomy (like tags or categories) called “series”.  
It can be particularly useful if you write several posts spanning the same topic and want them tied together in some way that tags or categories doesn’t cover.\u003C\u002Fp>\n\u003Ch3>Professional Support\u003C\u002Fh3>\n\u003Cp>If you need professional plugin support from me, the plugin author, you can access the support forums at \u003Ca href=\"https:\u002F\u002Fthemehybrid.com\u002Fsupport\" rel=\"nofollow ugc\">Theme Hybrid\u003C\u002Fa>, which is a professional WordPress help\u002Fsupport site where I handle support for all my plugins and themes for a community of 75,000+ users (and growing).\u003C\u002Fp>\n\u003Ch3>Plugin Development\u003C\u002Fh3>\n\u003Cp>If you’re a theme author, plugin author, or just a code hobbyist, you can follow the development of this plugin on it’s \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fjustintadlock\u002Fseries\" rel=\"nofollow ugc\">GitHub repository\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>Donations\u003C\u002Fh3>\n\u003Cp>Yes, I do accept donations.  If you want to donate, you can do so from my \u003Ca href=\"https:\u002F\u002Fthemehybrid.com\u002Fdonate\" rel=\"nofollow ugc\">donations page\u003C\u002Fa> or grab me something from my \u003Ca href=\"http:\u002F\u002Fa.co\u002FflUb0ns\" rel=\"nofollow ugc\">Amazon Wish List\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>I appreciate all donations, no matter the size.  
Further development of this plugin is not contingent on donations, but they are always a nice incentive.\u003C\u002Fp>\n","Plugin that allows you to collect posts in a series.",2000,46271,84,5,"2018-12-17T20:52:00.000Z","5.0.25","4.8","5.3",[141,20,23],"https:\u002F\u002Fthemehybrid.com\u002Fplugins\u002Fseries","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fseries.2.0.1.zip","2025-12-31 00:00:00",{"attackSurface":161,"codeSignals":176,"taintFlows":267,"riskAssessment":314,"analyzedAt":335},{"hooks":162,"ajaxHandlers":172,"restRoutes":173,"shortcodes":174,"cronEvents":175,"entryPointCount":74,"unprotectedCount":74},[163,168],{"type":164,"name":165,"callback":165,"file":166,"line":167},"action","admin_menu","shortcode-generator.php",24,{"type":164,"name":169,"callback":170,"file":166,"line":171},"widgets_init","scg_widget_register",25,[],[],[],[],{"dangerousFunctions":177,"sqlUsage":181,"outputEscaping":195,"fileOperations":74,"externalRequests":74,"nonceChecks":74,"capabilityChecks":74,"bundledLibraries":266},[178],{"fn":179,"file":166,"line":48,"context":180},"create_function","add_shortcode($code,create_function('$atts,$content=null','$value = \"'.$sc->value.'\"; return do_shor",{"prepared":74,"raw":86,"locations":182},[183,186,189,192],{"file":166,"line":184,"context":185},82,"$wpdb->get_results() with variable interpolation",{"file":166,"line":187,"context":188},87,"$wpdb->get_row() with variable interpolation",{"file":166,"line":190,"context":191},108,"$wpdb->get_var() with variable interpolation",{"file":166,"line":193,"context":194},125,"$wpdb->query() with variable interpolation",{"escaped":95,"rawEcho":196,"locations":197},38,[198,202,204,206,208,210,212,214,216,217,218,221,222,223,224,226,228,229,231,233,235,237,239,240,241,243,244,245,247,249,250,252,254,256,258,260,262,264],{"file":199,"line":200,"context":201},"admin\\edit.php",49,"raw 
output",{"file":199,"line":203,"context":201},55,{"file":199,"line":205,"context":201},64,{"file":199,"line":207,"context":201},65,{"file":199,"line":209,"context":201},66,{"file":199,"line":211,"context":201},75,{"file":199,"line":213,"context":201},77,{"file":199,"line":215,"context":201},78,{"file":199,"line":150,"context":201},{"file":199,"line":187,"context":201},{"file":219,"line":220,"context":201},"admin\\index.php",52,{"file":219,"line":49,"context":201},{"file":219,"line":215,"context":201},{"file":219,"line":215,"context":201},{"file":219,"line":225,"context":201},105,{"file":219,"line":227,"context":201},106,{"file":219,"line":190,"context":201},{"file":219,"line":230,"context":201},110,{"file":219,"line":232,"context":201},112,{"file":219,"line":234,"context":201},113,{"file":166,"line":236,"context":201},98,{"file":166,"line":238,"context":201},234,{"file":166,"line":238,"context":201},{"file":166,"line":238,"context":201},{"file":166,"line":242,"context":201},235,{"file":166,"line":242,"context":201},{"file":166,"line":242,"context":201},{"file":166,"line":246,"context":201},238,{"file":166,"line":248,"context":201},253,{"file":166,"line":248,"context":201},{"file":166,"line":251,"context":201},282,{"file":166,"line":253,"context":201},284,{"file":166,"line":255,"context":201},285,{"file":166,"line":257,"context":201},286,{"file":166,"line":259,"context":201},288,{"file":166,"line":261,"context":201},289,{"file":166,"line":263,"context":201},290,{"file":166,"line":265,"context":201},295,[],[268,303],{"entryPoint":269,"graph":270,"unsanitizedCount":284,"severity":38},"\u003Cedit> (admin\\edit.php:0)",{"nodes":271,"edges":297},[272,276,281,285,287,291,295],{"id":273,"type":274,"label":275,"file":199,"line":196},"n0","source","$_GET (x7)",{"id":277,"type":278,"label":279,"file":199,"line":203,"wp_function":280},"n1","sink","echo() 
[XSS]","echo",{"id":282,"type":274,"label":283,"file":199,"line":284},"n2","$_POST",11,{"id":286,"type":278,"label":279,"file":199,"line":209,"wp_function":280},"n3",{"id":288,"type":274,"label":289,"file":199,"line":290},"n4","$_POST (x3)",17,{"id":292,"type":293,"label":294,"file":199,"line":290},"n5","transform","→ fade_msg()",{"id":296,"type":278,"label":279,"file":166,"line":236,"wp_function":280},"n6",[298,300,301,302],{"from":273,"to":277,"sanitized":299},false,{"from":282,"to":286,"sanitized":299},{"from":288,"to":292,"sanitized":299},{"from":292,"to":296,"sanitized":299},{"entryPoint":304,"graph":305,"unsanitizedCount":27,"severity":313},"\u003Cindex> (admin\\index.php:0)",{"nodes":306,"edges":311},[307,310],{"id":273,"type":274,"label":308,"file":219,"line":309},"$_GET",67,{"id":277,"type":278,"label":279,"file":219,"line":49,"wp_function":280},[312],{"from":273,"to":277,"sanitized":299},"low",{"summary":315,"deductions":316},"The \"shortcode-generator\" v1.1 plugin presents a mixed security posture. While the static analysis indicates a minimal attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events, significant concerns arise from the code signals. That surface is likely understated: the flagged `create_function` call sits inside `add_shortcode`, so shortcodes appear to be registered at runtime rather than declared statically. The presence of the `create_function` dangerous function is a red flag, as it builds a function from a PHP source string (here with `$sc->value` concatenated into it) and can be a vector for code injection if not handled with extreme care; the function was deprecated in PHP 7.2 and removed in PHP 8.0. Furthermore, the complete lack of prepared statements for SQL queries and the very low percentage of properly escaped output (7%) are critical weaknesses, suggesting a high susceptibility to SQL injection and Cross-Site Scripting (XSS) vulnerabilities.\n\nTaint analysis reveals two flows with unsanitized paths, in which `$_GET` and `$_POST` values reach `echo` in the admin pages; while not classified as critical or high, they indicate potential for Cross-Site Scripting. The vulnerability history, including a medium severity XSS vulnerability from July 2025 that remains unpatched, reinforces these concerns. 
The one recorded vulnerability, still unpatched, is consistent with the weaknesses in input validation and output escaping that the static analysis found within the plugin.\n\nIn conclusion, the plugin's apparently low attack surface is overshadowed by fundamental security flaws in its coding practices. The reliance on raw SQL queries, poor output escaping, and the use of dangerous functions, combined with a recent unpatched medium severity vulnerability, paint a picture of a plugin that requires significant attention to its security. While it doesn't exhibit critical or high severity issues in the current static analysis, the underlying technical debt poses a considerable risk. No patched version is recorded and the plugin was last updated in 2009, so removing or replacing it is the practical mitigation.",[317,320,323,326,329,331,333],{"reason":318,"points":319},"Unpatched medium severity CVE",15,{"reason":321,"points":322},"Raw SQL queries without prepared statements",10,{"reason":324,"points":325},"Low percentage of properly escaped output",8,{"reason":327,"points":328},"Use of dangerous function 'create_function'",7,{"reason":330,"points":151},"Flows with unsanitized paths found",{"reason":332,"points":151},"Missing nonce checks",{"reason":334,"points":151},"Missing capability checks","2026-03-16T20:58:43.315Z",{"wat":337,"direct":346},{"assetPaths":338,"generatorPatterns":341,"scriptPaths":342,"versionParams":343},[339,340],"\u002Fwp-content\u002Fplugins\u002Fshortcode-generator\u002Fcss\u002Fshortcode-generator.css","\u002Fwp-content\u002Fplugins\u002Fshortcode-generator\u002Fjs\u002Fshortcode-generator.js",[],[340],[344,345],"shortcode-generator\u002Fcss\u002Fshortcode-generator.css?ver=","shortcode-generator\u002Fjs\u002Fshortcode-generator.js?ver=",{"cssClasses":347,"htmlComments":349,"htmlAttributes":350,"restEndpoints":352,"jsGlobals":353,"shortcodeOutput":355},[348],"widget_many",[],[351],"data-widget-id",[],[354],"scg_widget_many",[356],"\u003Cdiv class=\"updated fade\">\u003Cp>\u003Cstrong>"]