[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fhVGeGyrq73ss9-4CCOD2oT_DMz9d4eCs2gLQmIFsBbg":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":18,"download_link":25,"security_score":26,"vuln_count":27,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30,"vulnerabilities":31,"developer":48,"crawl_stats":37,"alternatives":54,"analysis":151,"fingerprints":196},"show-website-content-in-wordpress-page-or-post","Website Content in Page or Post – Embed website content in posts and pages","2025.12.03","Matteo Enna","https:\u002F\u002Fprofiles.wordpress.org\u002Fmatteoenna\u002F","\u003Cp>Fetches the content of another webpage or URL to display inside the current post or page.\u003C\u002Fp>\n\u003Cp>Please note that this plugin previously used \u003Ccode>file_get_contents()\u003C\u002Fcode>, but it’s no longer recommended.\u003C\u002Fp>\n\u003Cp>Starting now, this plugin utilizes the \u003Ccode>wp_remote_get()\u003C\u002Fcode> and \u003Ccode>wp_remote_retrieve_body()\u003C\u002Fcode> functions to retrieve content from URLs.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>This plugin contains code adapted from the original work by horshipsrectors\u003C\u002Fstrong>\u003C\u002Fp>\n","Fetches the content of another webpage or URL to display inside the current post or page.",100,12096,60,5,"2025-12-03T06:54:00.000Z","6.9.4","4.0.0","",[20,21,22,23,24],"block","content","page","post","shortcode","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fshow-website-content-in-wordpress-page-or-post.2025.12.03.zip",99,1,0,"2024-06-21 
00:00:00","2026-03-15T15:16:48.613Z",[32],{"id":33,"url_slug":34,"title":35,"description":36,"plugin_slug":4,"theme_slug":37,"affected_versions":38,"patched_in_version":39,"severity":40,"cvss_score":41,"cvss_vector":42,"vuln_type":43,"published_date":29,"updated_date":44,"references":45,"days_to_patch":47},"CVE-2024-2430","website-content-in-page-or-post-authenticated-contributor-stored-cross-site-scripting","Website Content in Page or Post \u003C= 2024.03.27 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Website Content in Page or Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 2024.03.27 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",null,"\u003C=2024.03.27","2024.04.09","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2024-07-01 
14:37:56",[46],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F12772ebe-b146-4cff-bc95-3ec7045f15ab?source=api-prod",11,{"slug":49,"display_name":7,"profile_url":8,"plugin_count":50,"total_installs":51,"avg_security_score":11,"avg_patch_time_days":47,"trust_score":52,"computed_at":53},"matteoenna",14,850,94,"2026-04-04T14:46:38.493Z",[55,77,97,118,136],{"slug":56,"name":57,"version":58,"author":59,"author_profile":60,"description":61,"short_description":62,"active_installs":63,"downloaded":64,"rating":65,"num_ratings":66,"last_updated":67,"tested_up_to":16,"requires_at_least":68,"requires_php":18,"tags":69,"homepage":73,"download_link":74,"security_score":75,"vuln_count":14,"unpatched_count":28,"last_vuln_date":76,"fetched_at":30},"custom-post-widget","Content Blocks (Custom Post Widget)","3.4.1","Johan van der Wijk","https:\u002F\u002Fprofiles.wordpress.org\u002Fvanderwijk\u002F","\u003Cp>The \u003Ca href=\"http:\u002F\u002Fwww.vanderwijk.com\u002Fwordpress\u002Fwordpress-custom-post-widget\u002F?utm_source=wordpress&utm_medium=website&utm_campaign=custom_post_widget\" rel=\"nofollow ugc\">Content Blocks\u003C\u002Fa> allows you to display the contents of a specific custom post in a widget or in the content area using a shortcode.\u003C\u002Fp>\n\u003Cp>Even though you could use the text widget that comes with the default WordPress install, this plugin has some major benefits:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>The Content Blocks plugin enables users to \u003Cstrong>use the WYSIWYG editor\u003C\u002Fstrong> for editing the content and adding images.\u003C\u002Fli>\n\u003Cli>If you are using the standard WordPress text widgets to display content on various areas of your template, this content can only be edited by users with administrator access.
If you would like \u003Cstrong>non-administrator accounts to modify the widget content\u003C\u002Fstrong>, you can use this plugin to provide them access to the custom posts that provide the content for the widget areas.\u003C\u002Fli>\n\u003Cli>You can even use the \u003Cstrong>featured image functionality\u003C\u002Fstrong> to display them in a widget.\u003C\u002Fli>\n\u003Cli>The Content Blocks plugin is \u003Cstrong>compatible with the WPML\u003C\u002Fstrong> Multi-Language plugin and automatically shows the correct language in the widget area.\u003C\u002Fli>\n\u003Cli>The Content Blocks can be included in posts and pages using the \u003Cstrong>built-in shortcode functionality\u003C\u002Fstrong>.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This plugin creates a ‘content_block’ custom post type. You can choose to either display the title on the page or use it to describe the contents and widget position of the content block. Note that these content blocks can only be displayed in the context of the page. 
I have added ‘public’ => false to the custom post type which means that it is not accessible outside the page context.\u003C\u002Fp>\n\u003Cp>To add content to a widget, drag it to the required position in the sidebar and select the title of the custom post in the widget configuration.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Includes the following translations:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Swedish (sv_SE) by \u003Ca href=\"http:\u002F\u002Fkrokedil.se\" rel=\"nofollow ugc\">Andreas Larsson\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Spanish (es_ES) by \u003Ca href=\"https:\u002F\u002Fwww.ibidemgroup.com\" rel=\"nofollow ugc\">IBIDEM GROUP\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Portuguese (pt_BR) by Ronaldo Chevalier\u003C\u002Fli>\n\u003Cli>Polish (pl_PL) by Kuba Skublicki\u003C\u002Fli>\n\u003Cli>Dutch (nl_NL) by \u003Ca href=\"https:\u002F\u002Fvanderwijk.nl\" rel=\"nofollow ugc\">Johan van der Wijk\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Czech (cs_CZ) by \u003Ca href=\"http:\u002F\u002Fjsemweb.cz\u002F\" rel=\"nofollow ugc\">Martin Kucera\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Ftranslate.wordpress.org\u002Fprojects\u002Fwp-plugins\u002Fcustom-post-widget\" rel=\"nofollow ugc\">More translations are very welcome!\u003C\u002Fa>\u003C\u002Fp>\n","This plugin enables you to edit and display Content Blocks in a sidebar widget or using a shortcode.",10000,727658,98,80,"2026-01-27T13:29:00.000Z","4.6",[20,70,71,24,72],"content-block","custom-post","widget","https:\u002F\u002Fvanderwijk.com\u002Fwordpress\u002Fwordpress-custom-post-widget\u002F?utm_source=wordpress&utm_medium=plugin&utm_campaign=custom_post_widget","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustom-post-widget.3.4.1.zip",96,"2025-02-19 
21:17:14",{"slug":78,"name":79,"version":80,"author":81,"author_profile":82,"description":83,"short_description":84,"active_installs":85,"downloaded":86,"rating":87,"num_ratings":88,"last_updated":89,"tested_up_to":90,"requires_at_least":91,"requires_php":18,"tags":92,"homepage":94,"download_link":95,"security_score":96,"vuln_count":28,"unpatched_count":28,"last_vuln_date":37,"fetched_at":30},"hide-broken-shortcodes","Hide Broken Shortcodes","1.9.4","Scott Reilly","https:\u002F\u002Fprofiles.wordpress.org\u002Fcoffee2code\u002F","\u003Cp>By default in WordPress, if the plugin that provides the functionality to handle any given shortcode is disabled, or if a shortcode is improperly defined in the content (such as with a typo), then the shortcode in question will appear on the site in its entirety, unprocessed by WordPress. At best this reveals unsightly code-like text to visitors and at worst can potentially expose information not intended to be seen by visitors.\u003C\u002Fp>\n\u003Cp>This plugin prevents unhandled shortcodes from appearing in the content of a post or page. If the shortcode is of the self-closing variety, then the shortcode tag and its attributes are not displayed and nothing is shown in their place. 
If the shortcode is of the enclosing variety (an opening and closing tag bookend some text or markup), then the text that is being enclosed will be shown, but the shortcode tag and attributes that surround the text will not be displayed.\u003C\u002Fp>\n\u003Cp>See the Filters section for more customization tips.\u003C\u002Fp>\n\u003Cp>Links: \u003Ca href=\"https:\u002F\u002Fcoffee2code.com\u002Fwp-plugins\u002Fhide-broken-shortcodes\u002F\" rel=\"nofollow ugc\">Plugin Homepage\u003C\u002Fa> | \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fhide-broken-shortcodes\u002F\" rel=\"ugc\">Plugin Directory Page\u003C\u002Fa> | \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fcoffee2code\u002Fhide-broken-shortcodes\u002F\" rel=\"nofollow ugc\">GitHub\u003C\u002Fa> | \u003Ca href=\"https:\u002F\u002Fcoffee2code.com\" rel=\"nofollow ugc\">Author Homepage\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Developer Documentation\u003C\u002Fh3>\n\u003Cp>Developer documentation can be found in \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fcoffee2code\u002Fhide-broken-shortcodes\u002Fblob\u002Fmaster\u002FDEVELOPER-DOCS.md\" rel=\"nofollow ugc\">DEVELOPER-DOCS.md\u003C\u002Fa>. 
That documentation covers the hooks provided by the plugin.\u003C\u002Fp>\n\u003Cp>As an overview, these are the hooks provided by the plugin:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ccode>hide_broken_shortcode\u003C\u002Fcode>          : Customizes what, if anything, gets displayed when a broken shortcode is encountered.\u003C\u002Fli>\n\u003Cli>\u003Ccode>hide_broken_shortcodes_filters\u003C\u002Fcode> : Customizes what filters to hook to find text with potential broken shortcodes.\u003C\u002Fli>\n\u003C\u002Ful>\n","Prevent broken shortcodes from appearing in posts and pages.",400,26052,90,10,"2021-10-10T06:54:00.000Z","5.8.13","2.5",[21,22,23,24,93],"shortcodes","https:\u002F\u002Fcoffee2code.com\u002Fwp-plugins\u002Fhide-broken-shortcodes\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhide-broken-shortcodes.1.9.4.zip",85,{"slug":98,"name":99,"version":100,"author":101,"author_profile":102,"description":103,"short_description":104,"active_installs":105,"downloaded":106,"rating":28,"num_ratings":28,"last_updated":107,"tested_up_to":108,"requires_at_least":109,"requires_php":110,"tags":111,"homepage":116,"download_link":117,"security_score":11,"vuln_count":28,"unpatched_count":28,"last_vuln_date":37,"fetched_at":30},"post-content-shortcode","Post Content Shortcode","1.0.1","Herron","https:\u002F\u002Fprofiles.wordpress.org\u002Fherronagency\u002F","\u003Cp>\u003Cstrong>Post Content Shortcode\u003C\u002Fstrong> allows you to display the content of any post using a shortcode like:\u003C\u002Fp>\n\u003Cp>[post_content id=”123″]\u003C\u002Fp>\n\u003Cp>This is useful for reusing content in multiple places, referencing another post inline, or including dynamically updated blocks of content.\u003C\u002Fp>\n\u003Cp>You can configure which post statuses are allowed to be embedded from the plugin’s settings page under \u003Cstrong>Settings \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> Post Content 
Shortcode\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Ch3>Usage\u003C\u002Fh3>\n\u003Cp>Use the shortcode like this:\u003C\u002Fp>\n\u003Cp>[post_content id=\"123\"]\u003C\u002Fp>\n\u003Cp>Where \u003Ccode>123\u003C\u002Fcode> is the ID of the post you want to embed.\u003C\u002Fp>\n\u003Cp>To avoid infinite loops, the plugin prevents a post from including itself.\u003C\u002Fp>\n\u003Cp>Only posts with selected \u003Cstrong>statuses\u003C\u002Fstrong> (e.g. Published, Draft) will be rendered. You can control this from the plugin settings page.\u003C\u002Fp>\n\u003Ch3>Customizing the Shortcode Tag\u003C\u002Fh3>\n\u003Cp>By default, the shortcode tag is \u003Ccode>post_content\u003C\u002Fcode>. You can change it by adding this to your theme’s \u003Ccode>functions.php\u003C\u002Fcode> file:\u003C\u002Fp>\n\u003Cp>add_filter( 'herron_pcs_shortcode_tag', function( $tag ) {\u003Cbr \u002F>\n    return 'my_custom_shortcode';\u003Cbr \u002F>\n});\u003C\u002Fp>\n\u003Cp>After doing so, use the new tag:\u003C\u002Fp>\n\u003Cp>[my_custom_shortcode id=\"123\"]\u003C\u002Fp>\n\u003Cp>The settings page and all logic will automatically respect this change.\u003C\u002Fp>\n\u003Ch3>Learn More About Herron\u003C\u002Fh3>\n\u003Cp>This plugin is part of Herron’s ongoing effort to give back to the WordPress community. If you’re interested in how we build custom WordPress solutions for clients or want to collaborate, please visit \u003Ca href=\"https:\u002F\u002Fherron.agency\u002F\" rel=\"nofollow ugc\">https:\u002F\u002Fherron.agency\u002F\u003C\u002Fa>.\u003C\u002Fp>\n","Embed the content of another post using a simple shortcode.
Useful for reusing content across pages or posts.",30,453,"2025-06-29T12:54:00.000Z","6.8.5","5.0","7.0",[112,113,114,115,24],"content-blocks","dynamic-content","post-content","reusable-content","https:\u002F\u002Fherron.agency\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpost-content-shortcode.1.0.1.zip",{"slug":119,"name":120,"version":121,"author":122,"author_profile":123,"description":124,"short_description":125,"active_installs":88,"downloaded":126,"rating":28,"num_ratings":28,"last_updated":127,"tested_up_to":128,"requires_at_least":129,"requires_php":18,"tags":130,"homepage":134,"download_link":135,"security_score":96,"vuln_count":28,"unpatched_count":28,"last_vuln_date":37,"fetched_at":30},"bns-inline-asides","BNS Inline Asides","1.3.2","Edward Caissie","https:\u002F\u002Fprofiles.wordpress.org\u002Fcais\u002F","\u003Cp>Have you ever wanted to add a personal comment into the body of a post or page and have it stand out from the rest of the content?\u003Cbr \u002F>\nHave you really wanted to throw a rant in a review because the subject just really got under your skin but you don’t want to dramatically disrupt the content?\u003Cbr \u002F>\nThis plugin will allow you to style sections of the post, or page, content with a shortcode that can add more emphasis by leveraging a style element from the active theme.\u003Cbr \u002F>\nThese asides can be left open as part of the content flow; or these asides can be closed to leave your readers the option of opening them if they choose to.\u003C\u002Fp>\n\u003Ch4>Copyright 2011-2018  Edward Caissie  (email : edward.caissie@gmail.com)\u003C\u002Fh4>\n\u003Cp>This program is free software; you can redistribute it and\u002For modify\u003Cbr \u002F>\n  it under the terms of the GNU General Public License version 2,\u003Cbr \u002F>\n  as published by the Free Software Foundation.\u003C\u002Fp>\n\u003Cp>You may NOT assume that you can use any other version of the GPL.\u003C\u002Fp>\n\u003Cp>This program 
is distributed in the hope that it will be useful,\u003Cbr \u002F>\n  but WITHOUT ANY WARRANTY; without even the implied warranty of\u003Cbr \u002F>\n  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\u003Cbr \u002F>\n  GNU General Public License for more details.\u003C\u002Fp>\n\u003Cp>You should have received a copy of the GNU General Public License\u003Cbr \u002F>\n  along with this program; if not, write to the Free Software\u003Cbr \u002F>\n  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA\u003C\u002Fp>\n\u003Cp>The license for this software can also likely be found here:\u003Cbr \u002F>\n  http:\u002F\u002Fwww.gnu.org\u002Flicenses\u002Fgpl-2.0.html\u003C\u002Fp>\n\u003Ch4>Acknowledgements\u003C\u002Fh4>\n\u003Cp>Credits for jQuery assistance: Trevor Mills www.topquarkproductions.ca\u003C\u002Fp>\n\u003Ch4>Screenshots Source Content\u003C\u002Fh4>\n\u003Cp>Sample content taken from the “Readability” post of the Theme Unit Test data found here: https:\u002F\u002Fcodex.wordpress.org\u002FTheme_Unit_Test used with the default Twenty Ten Theme.\u003C\u002Fp>\n","This plugin will allow you to style sections of the post, or page, content with added emphasis by leveraging a style element from the active theme.",4886,"2018-07-24T18:36:00.000Z","4.9.29","3.6",[21,131,132,133,24],"pages","plugin-only","posts","http:\u002F\u002Fbuynowshop.com\u002Fplugins\u002Fbns-inline-asides\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbns-inline-asides.1.3.2.zip",{"slug":137,"name":138,"version":139,"author":140,"author_profile":141,"description":142,"short_description":143,"active_installs":88,"downloaded":144,"rating":28,"num_ratings":28,"last_updated":145,"tested_up_to":146,"requires_at_least":18,"requires_php":18,"tags":147,"homepage":149,"download_link":150,"security_score":96,"vuln_count":28,"unpatched_count":28,"last_vuln_date":37,"fetched_at":30},"dynamic-text","Dynamic Text","2.1.2","Stephen 
Mullen","https:\u002F\u002Fprofiles.wordpress.org\u002Fripjustice\u002F","\u003Cp>You can now nest shortcodes from other themes and plugins within Dynamic Text!\u003C\u002Fp>\n\u003Cp>This is effectively a localization plugin that allows you to have dynamic text, pictures and really any content on your WordPress pages and posts that changes depending on the content of your url (domain). To use this plugin, you can use this settings page to create an unlimited number of domains. Each domain is associated with the title for the domain, which is always DynamicDomain_”number associated with your domain or url content”. These titles are used as attribute values for the shortcode associated with this plugin and will be listed right next to the domain you enter on this page. The shortcode itself is [dynamic_text][\u002Fdynamic_text] and the attribute is “domain.” Your content goes in-between the shortcode. To add additional domains, click the “Add New Domain” button on this page. To save your domains or to change previously set domains, click the “Save Domain Names” button.\u003C\u002Fp>\n\u003Cp>Examples:\u003C\u002Fp>\n\u003Cp>*If you save the domain “test.com” as DynamicDomain_1 and want content to show up only when “test.com” is in the url for your page, then you would enter the following: [dynamic_text domain=”DynamicDomain_1″]Your content goes right here[\u002Fdynamic_text]\u003C\u002Fp>\n\u003Cp>*If you save the domain “mydomain.com” as DynamicDomain_2 and want content to show up only when “mydomain.com” is in the url for your page, then you would enter the following: [dynamic_text domain=”DynamicDomain_2″]Your content goes right here[\u002Fdynamic_text]\u003C\u002Fp>\n\u003Cp>*If you save the word “door” as DynamicDomain_3 and want content to show up only when “door” is in the url for your page, then you would enter the following: [dynamic_text domain=”DynamicDomain_3″]Your content goes right here[\u002Fdynamic_text]\u003C\u002Fp>\n\u003Cp>*If you have a shortcode 
from any other plugin or theme that you want to only have work for a particular domain you can simply nest the shortcode between the dynamic text shortcode with the appropriate domain set like so: [dynamic_text domain=”DynamicDomain_2″][Your other shortcode goes here][\u002Fdynamic_text]\u003C\u002Fp>\n\u003Cp>While this plugin can be used strictly for localization, you can also use this plugin to swap content on your site based on any phrase contained in the url. In the case of localization, rather than having to set up separate WordPress sites for different countries you can instead use this plugin to have a central site and swap the content based upon the domain being used to access the site (so someone hitting the site from the UK and using .uk could see different content on the site than someone reaching it from the US using a .us extension). Alternately, if you just want page content to swap on a page depending on terms contained in the url, you can use this plugin for that as well. Additionally, you could combine this plugin with a custom theme then use the plugin to swap out content on templates in your theme depending on the domain used to reach the site. In that case, you could set up 1 website but have it appear to be an unlimited number of separate websites depending on the domain used to reach the site, with a completely different look and completely different content displayed per domain using the combination of this plugin and your custom theme.\u003C\u002Fp>\n","Dynamic Text is a localization plugin that allows you to have dynamic text and content on your WordPress pages and posts.
To use this plugin, set an  &hellip;",2688,"2017-02-13T07:14:00.000Z","4.7.32",[21,22,23,24,148],"text","http:\u002F\u002Fmullenwebsites.com\u002Fdynamic-text-wordpress-plugin\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdynamic-text.zip",{"attackSurface":152,"codeSignals":174,"taintFlows":182,"riskAssessment":183,"analyzedAt":195},{"hooks":153,"ajaxHandlers":160,"restRoutes":161,"shortcodes":162,"cronEvents":172,"entryPointCount":173,"unprotectedCount":28},[154],{"type":155,"name":156,"callback":157,"file":158,"line":159},"action","elementor\u002Fwidgets\u002Fwidgets_registered","show_website_content_in_wordpress_page_or_post_elementor_block","show-website-content-in-wordpress-page-or-post.php",26,[],[],[163,166,169],{"tag":164,"callback":164,"file":158,"line":165},"horshipsrectors_get_html",22,{"tag":167,"callback":164,"file":158,"line":168},"horshipsrectors_get_html_get",23,{"tag":170,"callback":170,"file":158,"line":171},"horshipsrectors_get_html_curl",24,[],3,{"dangerousFunctions":175,"sqlUsage":176,"outputEscaping":178,"fileOperations":28,"externalRequests":180,"nonceChecks":28,"capabilityChecks":28,"bundledLibraries":181},[],{"prepared":28,"raw":28,"locations":177},[],{"escaped":27,"rawEcho":28,"locations":179},[],2,[],[],{"summary":184,"deductions":185},"The \"show-website-content-in-wordpress-page-or-post\" plugin v2025.12.03 exhibits a generally good security posture with several positive indicators. The static analysis reveals no identified dangerous functions, all SQL queries are properly prepared, and output is consistently escaped. Furthermore, there are no identified taint flows, indicating a low risk of data being mishandled.  The plugin also has a relatively small attack surface, with all identified entry points (shortcodes) likely protected by WordPress's default authentication mechanisms.\n\nHowever, there are areas of concern that temper this positive outlook. 
The plugin makes two external HTTP requests, which could potentially be exploited if the target endpoints are compromised or if the plugin doesn't properly validate the responses. Crucially, the plugin lacks any explicit capability checks or nonce checks on its entry points. While the absence of direct AJAX handlers or REST API routes without permission callbacks is a positive, relying solely on default WordPress protections for shortcodes can be insufficient, especially if the content being displayed or processed is user-controlled or sensitive. The plugin's vulnerability history, which includes one medium-severity Cross-Site Scripting (XSS) vulnerability reported in June 2024, despite being patched, highlights a past weakness in input sanitization or output encoding. This history, combined with the current absence of explicit capability and nonce checks, suggests a potential for future vulnerabilities if not addressed proactively.\n\nIn conclusion, while the plugin demonstrates sound practices in areas like SQL handling and output escaping, the lack of explicit security checks on its shortcode entry points and the presence of external HTTP requests warrant caution. The past XSS vulnerability reinforces the need for robust security measures. The plugin's strengths lie in its clean code regarding dangerous functions and prepared statements, but its weaknesses are in the potential for XSS or other injection attacks if user-supplied data is involved and not sufficiently validated at the shortcode level, and the risks associated with external requests. 
A balanced approach would involve strengthening the security of the shortcode processing and thoroughly vetting the external HTTP request handling.",[186,189,191,193],{"reason":187,"points":188},"No capability checks on entry points",15,{"reason":190,"points":188},"No nonce checks on entry points",{"reason":192,"points":14},"Two external HTTP requests",{"reason":194,"points":88},"Past medium severity XSS vulnerability","2026-03-16T21:15:14.132Z",{"wat":197,"direct":202},{"assetPaths":198,"generatorPatterns":199,"scriptPaths":200,"versionParams":201},[],[],[],[],{"cssClasses":203,"htmlComments":204,"htmlAttributes":205,"restEndpoints":206,"jsGlobals":207,"shortcodeOutput":208},[],[],[164,167,170],[],[],[209,210,211],"[horshipsrectors_get_html]","[horshipsrectors_get_html_get]","[horshipsrectors_get_html_curl]"]