[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fnWqBd9368hpMhEFmMkPPwooVMwFHCRPY9yne2HWCFcI":3,"$fOCVBVXhXQhdfsDARv1r6Cwl3uMspFgV7cgPUsbVMlyw":352,"$fWx4B7UEk-0SK6DlMID9qKwTATllbC3tMjEnFGeNzsO4":356},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":29,"last_vuln_date":30,"fetched_at":31,"discovery_status":32,"vulnerabilities":33,"developer":106,"crawl_stats":39,"alternatives":114,"analysis":214,"fingerprints":336},"simple-embed-code","Code Embed","2.5.2","David Artiss","https:\u002F\u002Fprofiles.wordpress.org\u002Fdartiss\u002F","\u003Cp>Code Embed allows you to embed code (JavaScript, CSS and HTML – it can’t be used for server-side code, such as PHP) in a post, without the content being changed by the editor. This is incredibly useful for embedding third-party scripts, etc. 
The plugin is used by many large sites, including Mozilla.\u003C\u002Fp>\n\u003Cp>Key features include…\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Add HTML or JavaScript to posts or pages – particularly useful for embedding videos!\u003C\u002Fli>\n\u003Cli>Embed in widgets using the \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Fwidget-logic\u002F\" title=\"Widget Logic\" rel=\"ugc\">Widget Logic\u003C\u002Fa> plugin\u003C\u002Fli>\n\u003Cli>Global embedding allows you to set up some code in one post or page and then access it from another\u003C\u002Fli>\n\u003Cli>Modify the keywords or identifiers used for embedding the code to your own choice\u003C\u002Fli>\n\u003Cli>Search for embedding code via a simple search option\u003C\u002Fli>\n\u003Cli>Add a simple suffix to the embed code to convert videos to responsive output\u003C\u002Fli>\n\u003Cli>Embed an external script directly using just the URL\u003C\u002Fli>\n\u003Cli>And much, much more!\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Iconography is courtesy of the very talented \u003Ca href=\"https:\u002F\u002Fwww.fiverr.com\u002Fjankirathore\" rel=\"nofollow ugc\">Janki Rathod\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Please visit the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fdartiss\u002Fcode-embed\" title=\"Github\" rel=\"nofollow ugc\">GitHub page\u003C\u002Fa> for the latest code development, planned enhancements and known issues\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>Getting Started\u003C\u002Fh3>\n\u003Cp>To use this plugin, you need to have custom fields enabled on your site. If you’re using the block editor, you may need to switch this on first – please scroll down to the next section to learn how to do this. 
If you’re using the classic editor then you’ll find the custom fields at the bottom of the editor screen.\u003C\u002Fp>\n\u003Cp>Although this plugin works for both posts and pages, for simplicity I will simply refer to posts – bear in mind that pages work in the same way.\u003C\u002Fp>\n\u003Cp>Once you have custom fields switched on, here’s how easy it is to use…\u003C\u002Fp>\n\u003Col>\n\u003Cli>Once you have the plugin installed start a new post.\u003C\u002Fli>\n\u003Cli>Scroll down to the bottom of the screen and look for the “Custom Fields” section.\u003C\u002Fli>\n\u003Cli>Under “Add New Custom Field” enter a name of \u003Ccode>CODE1\u003C\u002Fcode> and your embed code as the value\u003C\u002Fli>\n\u003Cli>In your post content add \u003Ccode>{{CODE1}}\u003C\u002Fcode> where you wish the embed code to appear.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>And that’s it – when the post is viewed or previewed \u003Ccode>{{CODE1}}\u003C\u002Fcode> will be replaced with the code that you asked to be embedded.\u003C\u002Fp>\n\u003Cp>This should get you started – for more information and advanced options please see below. Alternatively, there’s a fantastic guide at \u003Ca href=\"http:\u002F\u002Fwww.elftronix.com\u002Ffree-easy-plugin-add-javascript-to-wordpress-posts-pages\u002F\" title=\"Free Easy Plugin! 
Add Javascript to WordPress Posts & Pages\" rel=\"nofollow ugc\">Elftronix\u003C\u002Fa> which I would recommend.\u003C\u002Fp>\n\u003Ch3>Using this plugin with the block editor (aka Gutenberg)\u003C\u002Fh3>\n\u003Cp>By default, custom fields are hidden inside the block editor but can be revealed.\u003C\u002Fp>\n\u003Col>\n\u003Cli>Edit or create a post\u003C\u002Fli>\n\u003Cli>Click the settings button (three dots) in the top, right-hand corner\u003C\u002Fli>\n\u003Cli>Go to Preferences\u003C\u002Fli>\n\u003Cli>Click the Panels tab\u003C\u002Fli>\n\u003Cli>You will find a button to toggle the ‘Custom Fields’ meta box – make sure this is toggled to “on”\u003C\u002Fli>\n\u003Cli>A button should appear titled “Enable & Reload” – you’ll need to click on that and wait for the page to reload before the custom fields will appear\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>Check out the screenshots for how the custom fields should look.\u003C\u002Fp>\n\u003Ch3>I can’t find the custom fields\u003C\u002Fh3>\n\u003Cp>For block editor users, I’m assuming you’ve done the above. For classic editor users, the custom fields should be present by default. In all cases they should appear at the bottom of the editor screen.\u003C\u002Fp>\n\u003Cp>From version 2.4, anyone without the “unfiltered HTML” capability won’t be able to see custom fields, for added security. 
Please see the section “Custom Field Security”, below, for more details.\u003C\u002Fp>\n\u003Cp>If none of the above applies then you may have a theme or plugin that removes this or may have a problem with your WordPress installation – you will need to try the usual diagnostics to try and resolve this, including requesting help on \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fforum\u002Fhow-to-and-troubleshooting\u002F\" title=\"Fixing WordPress Forum\" rel=\"ugc\">the WordPress support forum\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>Please bear in mind that the custom fields functionality is part of WordPress so it would be greatly appreciated if you don’t give me poor reviews in this situation as, as I say, this component is not part of this plugin but, by using it, keeps this plugin simple to use and bloat-free 🙂\u003C\u002Fp>\n\u003Ch3>The Code Embed Options Screen\u003C\u002Fh3>\n\u003Cp>Whilst in WP Admin, if you go to Settings -> Code Embed, you’ll be able to access the options that are available for this plugin.\u003C\u002Fp>\n\u003Cp>Code embedding is performed via a special keyword that you must use to uniquely identify where you wish the code to appear. This consists of an opening identifier (something that goes at the beginning), a keyword and then a closing identifier. You may also add a suffix to the end of the keyword if you wish to embed multiple pieces of code within the same post.\u003C\u002Fp>\n\u003Cp>From this options screen you can specify the above identifier that you wish to use. By default the opening and closing identifiers are percentage signs and the keyword is \u003Ccode>CODE\u003C\u002Fcode>. During these instructions these will be used in all examples.\u003C\u002Fp>\n\u003Cp>The options screen is only available to those with the capability to manage options or greater. 
All the other Code Embed menu options are available to users with a capability to edit posts or greater.\u003C\u002Fp>\n\u003Ch3>How to Embed Code\u003C\u002Fh3>\n\u003Cp>To embed in a post you need to find the meta box under the post named “Custom Fields”. If this is missing you may need to add it by clicking on the “Screen Options” tab at the top of the new post screen.\u003C\u002Fp>\n\u003Cp>Now create a new custom field with the name of your keyword – e.g. \u003Ccode>CODE\u003C\u002Fcode>. The value of this field will be the code that you wish to embed. Save this custom field.\u003C\u002Fp>\n\u003Cp>Now, wherever you wish the code to appear in your post, simply put the full identifier (opening, keyword and closing characters). For example, \u003Ccode>{{CODE}}\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cp>If you wish to embed multiple pieces of code within a post you can add a suffix to the keyword. So we may set up 2 custom fields named \u003Ccode>CODE1\u003C\u002Fcode> and \u003Ccode>CODE2\u003C\u002Fcode>. 
Then in our post we would specify either \u003Ccode>{{CODE1}}\u003C\u002Fcode> or \u003Ccode>{{CODE2}}\u003C\u002Fcode> depending on which you wish to display.\u003C\u002Fp>\n\u003Cp>Don’t forget – via the options screen you can change any part of this identifier to your own taste.\u003C\u002Fp>\n\u003Ch3>How to Embed Code from an External URL\u003C\u002Fh3>\n\u003Cp>If you specify a URL within your post, surrounded by your choice of identifiers, then the contents of the URL will be embedded within your post.\u003C\u002Fp>\n\u003Cp>Obviously, be careful when embedding a URL that you have no control over, as this may be used to hijack your post by injecting, for example, dangerous JavaScript.\u003C\u002Fp>\n\u003Cp>For example, using the default options you could embed the contents of a URL using the following method…\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{{http:\u002F\u002Fwww.example.com\u002Fcode.php}}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>or\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{{https:\u002F\u002Fwww.example.com\u002Fcode.html}}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>How to Use Global Embedding\u003C\u002Fh3>\n\u003Cp>You can also create global embeds – that is creating one piece of embed code and using it in multiple posts or pages.\u003C\u002Fp>\n\u003Cp>To do this simply make reference to an already defined (but unique) piece of embed code from another post or page.\u003C\u002Fp>\n\u003Cp>So, let’s say in one post you define a custom field named \u003Ccode>CODE1\u003C\u002Fcode>. 
You can, if you wish, place \u003Ccode>{{CODE1}}\u003C\u002Fcode> not just in that post but also in another and it will work.\u003C\u002Fp>\n\u003Cp>However, bear in mind that the embed code name must be unique – you can’t have defined it in multiple posts otherwise the plugin won’t know which one you’re referring to (although it will report this and list the posts that it has been used in).\u003C\u002Fp>\n\u003Cp>In the administration menu there is a sidebar menu named “Tools”. Under this is a sub-menu named “Code Search”. Use this to search for specific embed names and it will list all the posts\u002Fpages that they’re used on, along with the code for each.\u003C\u002Fp>\n\u003Ch3>Embedding in Widgets\u003C\u002Fh3>\n\u003Cp>Natively you cannot use the embed facilities within sidebar widgets. However, if you install the plugin \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Fwidget-logic\u002F\" title=\"Widget Logic\" rel=\"ugc\">Widget Logic\u003C\u002Fa> then Code Embed has been set up to make use of this and add the ability.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Install \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Fwidget-logic\u002F\" title=\"Widget Logic\" rel=\"ugc\">Widget Logic\u003C\u002Fa> and activate.\u003C\u002Fli>\n\u003Cli>In Administration, select the Widgets page from the Appearance menu. At the bottom there will be a set of Widget Logic options.\u003C\u002Fli>\n\u003Cli>Ensure Use ‘widget_content’ filter is ticked and press Save.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Although you cannot set up embed code within a widget you can make reference to it, for example by writing \u003Ccode>{{CODE1}}\u003C\u002Fcode> in the widget.\u003C\u002Fp>\n\u003Ch3>Responsive Output Conversion\u003C\u002Fh3>\n\u003Cp>Responsive output is where an element on a web page dynamically resizes depending upon the current available size. Most video embeds, for instance, will be a fixed size. 
This is fine if your website is also of a fixed size, however if you have a responsive site then this is not suitable.\u003C\u002Fp>\n\u003Cp>Code Embed provides a simple suffix that can be added to an embed code and will convert the output to being responsive. This works best with videos.\u003C\u002Fp>\n\u003Cp>To use, when adding the embed code onto the page, simply add \u003Ccode>_RES\u003C\u002Fcode> to the end, before the final identifier. For example, \u003Ccode>{{CODE1_RES}}\u003C\u002Fcode>. The \u003Ccode>_RES\u003C\u002Fcode> should not be added to the custom fields definition.\u003C\u002Fp>\n\u003Cp>This will now output the embedded code full width, but a width that is dynamic and will resize when required.\u003C\u002Fp>\n\u003Cp>If you don’t wish the output to be full width you can specify a maximum width by adding an additional \u003Ccode>_x\u003C\u002Fcode> on the end, where \u003Ccode>x\u003C\u002Fcode> is the required width in pixels. For example, \u003Ccode>{{CODE1_RES_500}}\u003C\u002Fcode> will output \u003Ccode>CODE1\u003C\u002Fcode> as responsive but with a maximum width of 500 pixels.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>It should be noted that this is an experimental addition and will not work in all circumstances.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>Embedding in excerpts\u003C\u002Fh3>\n\u003Cp>By default embed code will not appear in excerpts. However, you can switch this ability on via the Code Embed options screen. If you do this then the standard rules of excerpts will still apply, but now once the code embed has applied – for example, excerpts are just text, a specific length, etc.\u003C\u002Fp>\n\u003Ch3>Filtering of code\u003C\u002Fh3>\n\u003Cp>By default, WordPress allows unfiltered HTML to be used by users in post custom fields, even if their role is set up otherwise. 
This opens up the possibility of leaving a site vulnerable, if any plugin that uses this data doesn’t check it appropriately.\u003C\u002Fp>\n\u003Cp>“Out of the box”, neither the contributor nor author roles have unfiltered HTML capabilities but can access custom post fields.\u003C\u002Fp>\n\u003Cp>As this plugin requires the use of unfiltered HTML, we need to ensure that the only users who use it are those who should be using it. From version 2.5, any users without this permission that update a post containing embeds from this plugin will cause the code to be filtered.\u003C\u002Fp>\n\u003Ch3>Reviews & Mentions\u003C\u002Fh3>\n\u003Cp>“Works like a dream. Fantastic!” – Anita.\u003C\u002Fp>\n\u003Cp>“Thank you for this plugin. I tried numerous other iframe plugins and none of them would work for me! This plugin worked like a charm the FIRST time.” – KerryAnn May.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fwsdblog.westbrook.k12.me.us\u002Fblog\u002F2009\u002F12\u002F24\u002Fembedding-content\u002F\" title=\"Embedding content\" rel=\"nofollow ugc\">Embedding content\u003C\u002Fa> – WSD Blogging Server.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fcomohago.conectandonos.gov.ar\u002F2009\u002F08\u002F05\u002Fanimando-imagenes-con-photopeach\u002F\" title=\"Animando imágenes con PhotoPeach\" rel=\"nofollow ugc\">Animating images with PhotoPeach\u003C\u002Fa> – Cómo hago.\u003C\u002Fp>\n","Code Embed provides a very easy and efficient way to embed code (JavaScript, CSS and HTML) in your posts and pages.",10000,516191,88,45,"2026-03-15T10:00:00.000Z","6.9.4","4.6","7.4",[20,21,22,23,24],"code","css","embed","html","javascript","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fsimple-embed-code\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-embed-code.2.5.2.zip",95,4,0,"2026-03-17 
00:00:00","2026-04-16T10:56:18.058Z","no_bundle",[34,64,78,90],{"id":35,"url_slug":36,"title":37,"description":38,"plugin_slug":4,"theme_slug":39,"affected_versions":40,"patched_in_version":6,"severity":41,"cvss_score":42,"cvss_vector":43,"vuln_type":44,"published_date":30,"updated_date":45,"references":46,"days_to_patch":48,"patch_diff_files":49,"patch_trac_url":39,"research_status":53,"research_verified":54,"research_rounds_completed":55,"research_plan":56,"research_summary":57,"research_vulnerable_code":58,"research_fix_diff":59,"research_exploit_outline":60,"research_model_used":61,"research_started_at":62,"research_completed_at":63,"research_error":39,"poc_status":39,"poc_video_id":39,"poc_summary":39,"poc_steps":39,"poc_tested_at":39,"poc_wp_version":39,"poc_php_version":39,"poc_playwright_script":39,"poc_exploit_code":39,"poc_has_trace":54,"poc_model_used":39,"poc_verification_depth":39},"CVE-2026-2512","code-embed-authenticated-contributor-stored-cross-site-scripting-via-custom-fields","Code Embed \u003C= 2.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields","The Code Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field meta values in all versions up to, and including, 2.5.1. This is due to the plugin's sanitization function `sec_check_post_fields()` only running on the `save_post` hook, while WordPress allows custom fields to be added via the `wp_ajax_add_meta` AJAX endpoint without triggering `save_post`. The `ce_filter()` function then outputs these unsanitized meta values directly into page content without escaping. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",null,"\u003C=2.5.1","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-18 15:28:28",[47],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F375ed04b-a3cb-4e60-83c8-18bff583aaf4?source=api-prod",2,[50,51,52],"includes\u002Fsecure.php","readme.txt","simple-code-embed.php","researched",false,3,"# Research Plan: CVE-2026-2512 - Code Embed Stored XSS\n\n## 1. Vulnerability Summary\nThe **Code Embed** plugin (versions \u003C= 2.5.1) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The plugin uses WordPress Custom Fields (post meta) to store and embed code snippets (JavaScript, HTML, CSS) into posts and pages. \n\nThe security flaw exists in `includes\u002Fsecure.php`. While the plugin attempts to sanitize custom fields using `wp_kses_post()` within the `sec_check_post_fields()` function, this function is only hooked to `save_post`. However, WordPress core provides an AJAX endpoint (`wp_ajax_add_meta`) that allows users with `edit_posts` capabilities (like **Contributors**) to add or update custom fields without triggering the `save_post` hook. Consequently, the sanitization logic is bypassed. When the post is rendered, the plugin's output filter fetches these unsanitized values and injects them directly into the page content.\n\n## 2. Attack Vector Analysis\n*   **Vulnerable Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action**: `add-meta`\n*   **Required Parameter**: `metakeyinput` (must match the plugin's keyword prefix, default: `CODE`)\n*   **Payload Parameter**: `metavalue` (the XSS payload)\n*   **Authentication Level**: Authenticated (Contributor or higher). 
Contributors can edit their own posts and thus access the `add-meta` AJAX action for those posts.\n*   **Preconditions**: \n    1.  The attacker must have a post they are permitted to edit.\n    2.  The post must contain a \"placeholder\" identifier (e.g., `{{CODE1}}`) that the plugin will replace with the malicious meta value.\n\n## 3. Code Flow\n1.  **Injection**:\n    *   The attacker sends a POST request to `admin-ajax.php` with `action=add-meta`.\n    *   WordPress core executes `wp_ajax_add_meta()`, which calls `add_post_meta()` or `update_post_meta()`.\n    *   The `save_post` hook is **not** triggered by this AJAX action.\n    *   `sec_check_post_fields()` in `includes\u002Fsecure.php` is never called, so `wp_kses_post()` is bypassed.\n2.  **Storage**: The raw payload (e.g., `\u003Cscript>alert(1)\u003C\u002Fscript>`) is stored in the `wp_postmeta` table.\n3.  **Execution**:\n    *   A victim (e.g., Administrator) views the post.\n    *   The plugin (likely via `includes\u002Fadd-embeds.php`, referred to as `ce_filter` in descriptions) parses the content for identifiers like `{{CODE1}}`.\n    *   It retrieves the meta value for the key `CODE1`.\n    *   The plugin outputs the raw value into the HTML without further escaping, triggering the XSS.\n\n## 4. Nonce Acquisition Strategy\nThe `add-meta` action requires a core WordPress nonce. This nonce is specific to the post being edited.\n\n1.  **Identify Post**: Create a post as a Contributor.\n2.  **Navigate to Editor**: Use `browser_navigate` to go to the edit page for that post: `wp-admin\u002Fpost.php?post=POST_ID&action=edit`.\n3.  **Extract Nonce**: The nonce for adding meta is stored in a hidden input field with the ID `_ajax_nonce-add-meta`.\n4.  **JavaScript Execution**:\n    ```javascript\n    browser_eval(\"document.getElementById('_ajax_nonce-add-meta').value\")\n    ```\n5.  
**Alternative (Global)**: If the hidden input is missing (due to Gutenberg), the nonce is often found in the `wp-lists` initialization or the `_wpnonce` parameter of other meta-related requests. However, for most WordPress versions, `_ajax_nonce-add-meta` remains the standard.\n\n## 5. Exploitation Strategy\n1.  **Setup User**: Create a Contributor user (`contributor` \u002F `password`).\n2.  **Setup Content**: \n    *   As the Contributor, create a post with the title \"XSS Test\" and content `{{CODE1}}`.\n    *   Capture the `POST_ID`.\n3.  **Acquire Nonce**:\n    *   Log in as the Contributor.\n    *   Navigate to the edit screen for `POST_ID`.\n    *   Extract the `add-meta` nonce using the strategy in Section 4.\n4.  **Inject Payload**:\n    *   Use `http_request` to call `admin-ajax.php`.\n    *   **Method**: `POST`\n    *   **URL**: `http:\u002F\u002Fvulnerable-wp.local\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body Parameters**:\n        *   `action`: `add-meta`\n        *   `post_id`: `POST_ID`\n        *   `metakeyselect`: `#NONE#`\n        *   `metakeyinput`: `CODE1`\n        *   `metavalue`: `\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n        *   `_ajax_nonce-add-meta`: `[EXTRACTED_NONCE]`\n5.  **Trigger**: Navigate to the public URL of the post (as any user).\n\n## 6. Test Data Setup\n*   **Plugin Configuration**: Default settings (Keyword: `CODE`, Identifiers: `{{` and `}}`).\n*   **User Role**: `contributor`\n*   **Target Post**:\n    *   Title: `Vulnerable Post`\n    *   Content: `This is a test. {{CODE1}}`\n    *   Status: `publish`\n\n## 7. 
Expected Results\n*   The AJAX request should return a successful response (usually a partial HTML block for the custom fields table).\n*   When viewing the post, the HTML source should contain: `\u003Cdiv>...\u003Cscript>alert(document.domain)\u003C\u002Fscript>...\u003C\u002Fdiv>`.\n*   A browser alert box should appear showing the domain.\n\n## 8. Verification Steps\n1.  **Database Check**: \n    ```bash\n    wp post meta get [POST_ID] CODE1\n    ```\n    Confirm the output is the raw payload `\u003Cscript>alert(document.domain)\u003C\u002Fscript>` and has **not** been stripped to empty or sanitized.\n2.  **Frontend Check**:\n    ```bash\n    http_request GET http:\u002F\u002Fvulnerable-wp.local\u002F?p=[POST_ID]\n    ```\n    Check the response body for the presence of the unescaped script tag.\n\n## 9. Alternative Approaches\n*   **Identifier Variation**: The `readme.txt` mentions identifiers could be `%` (e.g., `%CODE1%`). If `{{CODE1}}` fails, try `%CODE1%`.\n*   **Keyword Variation**: If the site has changed the keyword identifier in settings, use `wp option get artiss_code_embed` to find the `keyword_ident` value.\n*   **Global Embeds**: The plugin supports global embeds. An attacker might try to set meta on a \"global\" post if configured, potentially affecting all pages on the site.\n*   **XSS to RCE**: In a real-world scenario, the payload would be a script to create a new Administrator user via the `\u002Fwp-admin\u002Fuser-new.php` CSRF.","The Code Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field meta values because it only performs sanitization during the 'save_post' hook. 
Authenticated attackers with Contributor-level access can bypass this by using the WordPress AJAX 'add-meta' endpoint to inject malicious scripts into custom fields, which the plugin then renders without escaping.","\u002F* includes\u002Fsecure.php lines 32-62 *\u002F\nfunction sec_check_post_fields( $post_id, $post, $update ) {\n\n\t$options = get_option( 'artiss_code_embed' );\n\n\t\u002F\u002F Check if it's an autosave or if the current user has the 'unfiltered_html' capability.\n\tif ( ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) || ( current_user_can( 'unfiltered_html' ) ) ) {\n\t\treturn;\n\t}\n\n\t\u002F\u002F Fetch all post meta (custom fields) associated with the post.\n\t$custom_fields = get_post_meta( $post_id );\n\n\t\u002F\u002F If there are custom fields, read through them.\n\tif ( ! empty( $custom_fields ) ) {\n\n\t\tforeach ( $custom_fields as $key => $value ) {\n\n\t\t\t\u002F\u002F Check to see if any begining with this plugin's prefix.\n\t\t\tif ( substr( $key, 0, strlen( $options['keyword_ident'] ) ) === $options['keyword_ident'] ) {\n\n\t\t\t\t\u002F\u002F Filter the meta value.\n\t\t\t\t$new_value = wp_kses_post( $value[0] );\n\n\t\t\t\t\u002F\u002F Now write out the new value.\n\t\t\t\tupdate_post_meta( $post_id, $key, $new_value );\n\t\t\t}\n\t\t}\n\t}\n}\n\nadd_action( 'save_post', 'sec_check_post_fields', 10, 3 );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsimple-embed-code\u002F2.5.1\u002Fincludes\u002Fsecure.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsimple-embed-code\u002F2.5.2\u002Fincludes\u002Fsecure.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsimple-embed-code\u002F2.5.1\u002Fincludes\u002Fsecure.php\t2024-11-05 18:57:12.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsimple-embed-code\u002F2.5.2\u002Fincludes\u002Fsecure.php\t2026-03-15 
10:00:20.000000000 +0000\n@@ -1,8 +1,8 @@\n \u003C?php\n \u002F**\n- * Meta boxes\n+ * Security\n  *\n- * Functions related to meta-box management.\n+ * Functions related to sanitizing Code Embed meta values.\n  *\n  * @package simple-embed-code\n  *\u002F\n@@ -14,42 +14,58 @@\n }\n \n \u002F**\n- * Remove Custom Fields\n+ * Sanitize Code Embed meta on every write\n  *\n- * Remove the custom field meta boxes if the user doesn't have the unfiltered HTML permissions.\n+ * Filter that fires on every call to update_metadata \u002F add_metadata — including the\n+ * wp_ajax_add_meta AJAX handler and the REST API, not just save_post.\n  *\n- * @param    string  $post_id   Post ID.\n- * @param    string  $post      Post object.\n- * @param    boolean $update    Whether this is an existing post being updated.\n+ * @param mixed  $check      Null to allow the operation, non-null to short-circuit.\n+ * @param int    $object_id  Post ID.\n+ * @param string $meta_key   Meta key being written.\n+ * @param mixed  $meta_value Meta value being written.\n+ * @return mixed             Null (to proceed with the write).\n  *\u002F\n-function sec_check_post_fields( $post_id, $post, $update ) {\n+function sec_sanitize_meta_on_write( $check, $object_id, $meta_key, $meta_value ) {\n+\n+\t\u002F\u002F Allow admins \u002F editors with unfiltered_html to write without restriction.\n+\tif ( current_user_can( 'unfiltered_html' ) ) {\n+\t\treturn $check;\n+\t}\n \n \t$options = get_option( 'artiss_code_embed' );\n \n-\t\u002F\u002F Check if it's an autosave or if the current user has the 'unfiltered_html' capability.\n-\tif ( ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) || ( current_user_can( 'unfiltered_html' ) ) ) {\n-\t\treturn;\n+\tif ( ! 
is_array( $options ) || empty( $options['keyword_ident'] ) ) {\n+\t\treturn $check;\n \t}\n \n-\t\u002F\u002F Fetch all post meta (custom fields) associated with the post.\n-\t$custom_fields = get_post_meta( $post_id );\n+\t$prefix = $options['keyword_ident'];\n \n-\t\u002F\u002F If there are custom fields, read through them.\n-\tif ( ! empty( $custom_fields ) ) {\n+\t\u002F\u002F Only act on meta keys that belong to this plugin.\n+\tif ( substr( $meta_key, 0, strlen( $prefix ) ) !== $prefix ) {\n+\t\treturn $check;\n+\t}\n \n-\t\tforeach ( $custom_fields as $key => $value ) {\n+\t\u002F\u002F Strip dangerous markup while preserving safe HTML.\n+\t$clean = wp_kses_post( $meta_value );\n \n-\t\t\t\u002F\u002F Check to see if any begining with this plugin's prefix.\n-\t\t\tif ( substr( $key, 0, strlen( $options['keyword_ident'] ) ) === $options['keyword_ident'] ) {\n+\tif ( $clean === $meta_value ) {\n+\t\t\u002F\u002F Value is already clean — let the normal write proceed.\n+\t\treturn $check;\n+\t}\n \n-\t\t\t\t\u002F\u002F Filter the meta value.\n-\t\t\t\t$new_value = wp_kses_post( $value[0] );\n+\t\u002F\u002F The value was dirty. 
Remove this filter temporarily to avoid infinite recursion, write the sanitized value ourselves, then\n+\t\u002F\u002F re-add the filter and short-circuit the original write.\n+\tremove_filter( 'update_post_metadata', 'sec_sanitize_meta_on_write', 10 );\n+\tremove_filter( 'add_post_metadata', 'sec_sanitize_meta_on_write', 10 );\n \n-\t\t\t\t\u002F\u002F Now write out the new value.\n-\t\t\t\tupdate_post_meta( $post_id, $key, $new_value );\n-\t\t\t}\n-\t\t}\n-\t}\n+\tupdate_post_meta( $object_id, $meta_key, $clean );\n+\n+\tadd_filter( 'update_post_metadata', 'sec_sanitize_meta_on_write', 10, 4 );\n+\tadd_filter( 'add_post_metadata', 'sec_sanitize_meta_on_write', 10, 4 );\n+\n+\t\u002F\u002F Return a non-null value to short-circuit the original (unsanitized) write.\n+\treturn true;\n }\n \n-add_action( 'save_post', 'sec_check_post_fields', 10, 3 );\n+add_filter( 'update_post_metadata', 'sec_sanitize_meta_on_write', 10, 4 );\n+add_filter( 'add_post_metadata', 'sec_sanitize_meta_on_write', 10, 4 );","1. Authenticate as a user with Contributor level permissions or higher.\n2. Create a post and include a placeholder for a custom field in the content (e.g., {{CODE1}}), then publish it.\n3. Navigate to the post editor page to obtain a valid WordPress AJAX nonce for the 'add-meta' action (typically found in the '_ajax_nonce-add-meta' hidden input field).\n4. Send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the following parameters: action=add-meta, metakeyinput=CODE1, metavalue=\u003Cscript>alert(1)\u003C\u002Fscript>, and the extracted nonce.\n5. Because the WordPress AJAX 'add-meta' action bypasses the 'save_post' hook, the payload is stored in the database without being sanitized by the plugin's wp_kses_post filter.\n6. 
View the published post; the plugin will replace {{CODE1}} with the unsanitized script payload, resulting in execution in the victim's browser.","gemini-3-flash-preview","2026-04-18 03:01:31","2026-04-18 03:01:56",{"id":65,"url_slug":66,"title":67,"description":68,"plugin_slug":4,"theme_slug":39,"affected_versions":69,"patched_in_version":70,"severity":41,"cvss_score":42,"cvss_vector":43,"vuln_type":71,"published_date":72,"updated_date":73,"references":74,"days_to_patch":76,"patch_diff_files":77,"patch_trac_url":39,"research_status":39,"research_verified":54,"research_rounds_completed":29,"research_plan":39,"research_summary":39,"research_vulnerable_code":39,"research_fix_diff":39,"research_exploit_outline":39,"research_model_used":39,"research_started_at":39,"research_completed_at":39,"research_error":39,"poc_status":39,"poc_video_id":39,"poc_summary":39,"poc_steps":39,"poc_tested_at":39,"poc_wp_version":39,"poc_php_version":39,"poc_playwright_script":39,"poc_exploit_code":39,"poc_has_trace":54,"poc_model_used":39,"poc_verification_depth":39},"CVE-2024-10814","code-embed-authenticated-contributor-server-side-request-forgery","Code Embed \u003C= 2.5 - Authenticated (Contributor+) Server-Side Request Forgery","The Code Embed plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5 via the ce_get_file() function. 
This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.","\u003C=2.5","2.5.1","Server-Side Request Forgery (SSRF)","2024-11-08 16:18:27","2024-11-09 04:32:26",[75],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0e1e17c9-b9ee-495a-be49-9aa88f8023a2?source=api-prod",1,[],{"id":79,"url_slug":80,"title":81,"description":82,"plugin_slug":4,"theme_slug":39,"affected_versions":83,"patched_in_version":84,"severity":41,"cvss_score":42,"cvss_vector":43,"vuln_type":44,"published_date":85,"updated_date":86,"references":87,"days_to_patch":76,"patch_diff_files":89,"patch_trac_url":39,"research_status":39,"research_verified":54,"research_rounds_completed":29,"research_plan":39,"research_summary":39,"research_vulnerable_code":39,"research_fix_diff":39,"research_exploit_outline":39,"research_model_used":39,"research_started_at":39,"research_completed_at":39,"research_error":39,"poc_status":39,"poc_video_id":39,"poc_summary":39,"poc_steps":39,"poc_tested_at":39,"poc_wp_version":39,"poc_php_version":39,"poc_playwright_script":39,"poc_exploit_code":39,"poc_has_trace":54,"poc_model_used":39,"poc_verification_depth":39},"CVE-2024-8804","code-embed-authenticated-contributor-stored-cross-site-scripting","Code Embed \u003C= 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Code Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's script embed functionality in all versions up to, and including, 2.4 due to insufficient restrictions on who can utilize the functionality. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","\u003C=2.4","2.5","2024-10-03 00:00:00","2024-10-04 05:30:18",[88],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fab4149e1-8378-4007-bbf2-1ac3c479e7ea?source=api-prod",[],{"id":91,"url_slug":92,"title":93,"description":94,"plugin_slug":4,"theme_slug":39,"affected_versions":95,"patched_in_version":96,"severity":41,"cvss_score":97,"cvss_vector":98,"vuln_type":99,"published_date":100,"updated_date":101,"references":102,"days_to_patch":104,"patch_diff_files":105,"patch_trac_url":39,"research_status":39,"research_verified":54,"research_rounds_completed":29,"research_plan":39,"research_summary":39,"research_vulnerable_code":39,"research_fix_diff":39,"research_exploit_outline":39,"research_model_used":39,"research_started_at":39,"research_completed_at":39,"research_error":39,"poc_status":39,"poc_video_id":39,"poc_summary":39,"poc_steps":39,"poc_tested_at":39,"poc_wp_version":39,"poc_php_version":39,"poc_playwright_script":39,"poc_exploit_code":39,"poc_has_trace":54,"poc_model_used":39,"poc_verification_depth":39},"CVE-2023-49837","code-embed-authenticatedcontributor-denial-of-service","Code Embed \u003C= 2.3.6 - Authenticated(Contributor+) Denial of Service","The Code Embed plugin for WordPress is vulnerable to Denial of Service in all versions up to, and including, 2.3.6. 
This makes it possible for authenticated attackers, with contributor access and above, to disrupt access to the site.","\u003C=2.3.6","2.3.7",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:N\u002FA:H","Uncontrolled Resource Consumption","2023-12-05 00:00:00","2024-01-22 19:56:02",[103],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2ef2ded1-dd56-4c33-98dc-d4c69e66568f?source=api-prod",49,[],{"slug":107,"display_name":7,"profile_url":8,"plugin_count":108,"total_installs":109,"avg_security_score":110,"avg_patch_time_days":111,"trust_score":112,"computed_at":113},"dartiss",10,11180,99,8,93,"2026-05-19T21:14:28.046Z",[115,134,153,172,192],{"slug":116,"name":117,"version":118,"author":119,"author_profile":120,"description":121,"short_description":122,"active_installs":123,"downloaded":124,"rating":125,"num_ratings":108,"last_updated":126,"tested_up_to":127,"requires_at_least":128,"requires_php":18,"tags":129,"homepage":131,"download_link":132,"security_score":110,"vuln_count":76,"unpatched_count":29,"last_vuln_date":133,"fetched_at":31},"add-to-all","WebberZone Snippetz – Header, Body and Footer manager","2.3.1","Ajay","https:\u002F\u002Fprofiles.wordpress.org\u002Fajay\u002F","\u003Cp>Do you want to customize your site with code but don’t want to edit your theme files or worry about losing your changes when you switch themes? Do you want to add analytics, site verification, custom CSS, or any other code to your site without using multiple plugins? 
Do you want complete control over where and when you display your code snippets on your site?\u003C\u002Fp>\n\u003Cp>If you answered yes to any of the above questions, WebberZone Snippetz is the perfect plugin!\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwebberzone.com\u002Fplugins\u002Fadd-to-all\u002F\" rel=\"nofollow ugc\">WebberZone Snippetz\u003C\u002Fa> (formerly Add to All) is a simple yet powerful plugin that allows you to create and manage custom snippets of HTML, CSS, or JS code and add them to your header, footer, content, or feed. You can also choose where and when to display your snippets based on criteria such as post IDs, post types, categories, tags, and more.\u003C\u002Fp>\n\u003Cp>WebberZone Snippetz comes with out-of-the-box support for Google Analytics and Statcounter. It lets you easily add meta tags to verify your site with Google, Bing, and Pinterest.\u003C\u002Fp>\n\u003Cp>WebberZone Snippetz also enhances your site’s feed with a copyright notice and a link to the post. It also comes with many actions and filters to extend its functionality.\u003C\u002Fp>\n\u003Cp>Here are some of the key features of WebberZone Snippetz:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Create custom snippets with HTML, CSS or JS code\u003C\u002Fli>\n\u003Cli>Add snippets to your header, footer, content or feed\u003C\u002Fli>\n\u003Cli>Choose where and when to display your snippets based on post IDs, post types, categories, tags, and more\u003C\u002Fli>\n\u003Cli>Support for Google Analytics and Statcounter\u003C\u002Fli>\n\u003Cli>Site verification for Google, Bing and Pinterest\u003C\u002Fli>\n\u003Cli>No need to edit theme files or lose changes when switching themes\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>WebberZone Snippetz is the ultimate snippet manager for WordPress users who want to customize their site with code. Download it today and see the difference!\u003Cbr \u002F>\nWebberZone Snippetz is one of the many plugins developed by WebberZone. 
Check out our other plugins:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcontextual-related-posts\u002F\" rel=\"ugc\">Contextual Related Posts\u003C\u002Fa> – Display related posts on your WordPress blog and feed\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Ftop-10\u002F\" rel=\"ugc\">Top 10\u003C\u002Fa> – Track daily and total visits on your blog posts and display the popular and trending posts\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fknowledgebase\u002F\" rel=\"ugc\">Knowledge Base\u003C\u002Fa> – Create a knowledge base or FAQ section on your WordPress site\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fbetter-search\u002F\" rel=\"ugc\">Better Search\u003C\u002Fa> – Enhance the default WordPress search with contextual results sorted by relevance\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwebberzone-link-warnings\u002F\" rel=\"ugc\">WebberZone Link Warnings\u003C\u002Fa> – Add accessible warnings for external links and target=”_blank” links\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fautoclose\u002F\" rel=\"ugc\">Auto-Close\u003C\u002Fa> – Automatically close comments, pingbacks and trackbacks and manage revisions\u003C\u002Fli>\n\u003C\u002Ful>\n","The ultimate snippet manager for WordPress. 
Create and manage custom HTML, CSS, or JS code snippets and control where and when they are displayed.",2000,86526,96,"2026-04-03T12:19:00.000Z","6.8.5","6.3",[20,21,23,24,130],"snippets","https:\u002F\u002Fwebberzone.com\u002Fplugins\u002Fadd-to-all\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadd-to-all.2.3.1.zip","2025-04-01 00:00:00",{"slug":135,"name":136,"version":137,"author":138,"author_profile":139,"description":140,"short_description":141,"active_installs":108,"downloaded":142,"rating":143,"num_ratings":76,"last_updated":144,"tested_up_to":145,"requires_at_least":146,"requires_php":147,"tags":148,"homepage":150,"download_link":151,"security_score":152,"vuln_count":29,"unpatched_count":29,"last_vuln_date":39,"fetched_at":31},"code-prettify-syntax-highlighter","Code Prettify Syntax Highlighter","1.0","TrueFalse","https:\u002F\u002Fprofiles.wordpress.org\u002Ftruefalse\u002F","\u003Cp>English:\u003C\u002Fp>\n\u003Cp>This plugin to select blocks of code takes advantage of JavaScript-library ‘google-code-prettify’. If it is for his work simply insert frame \u003Cpre> tag with class ‘prettyprint’.\u003C\u002Fp>\n\u003Cp>*** Tip: In order to optimize the use of resources, try to use only one option – ‘Automatically replace the tags \u003Cpre> to \u003Cpre class=”prettyprint linenums”> before saving post.’\u003C\u002Fp>\n\u003Cp>Russian:\u003C\u002Fp>\n\u003Cp>Данный плагин для выделения блоков кода использует возможности JavaScript-библиотеки ‘google-code-prettify’. 
При это для его работы достаточно просто обрамлять вставки тегом \u003Cpre> с классом ‘prettyprint’.\u003C\u002Fp>\n\u003Cp>***Совет: в целях оптимизации потребления ресурсов старайтесь использовать только 1 флажок – ‘Автоматически заменять \u003Cpre> на \u003Cpre class=”prettyprint linenums”> перед сохранением записи.’\u003C\u002Fp>\n","Highlighting the code in the post with JavaScript library «google-code-prettify».",2234,100,"2012-12-17T04:46:00.000Z","3.5.2","3.5","",[20,21,149,23,24],"highlighter","http:\u002F\u002Fwww.sooource.net\u002Fcode-prettify-syntax-highlighter","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcode-prettify-syntax-highlighter.zip",85,{"slug":154,"name":155,"version":156,"author":157,"author_profile":158,"description":159,"short_description":160,"active_installs":108,"downloaded":161,"rating":29,"num_ratings":29,"last_updated":162,"tested_up_to":163,"requires_at_least":164,"requires_php":147,"tags":165,"homepage":170,"download_link":171,"security_score":152,"vuln_count":29,"unpatched_count":29,"last_vuln_date":39,"fetched_at":31},"os-html5-shortcodes","OS HTML5 Shortcodes","1.3","Offshorent Solutions Pvt Ltd","https:\u002F\u002Fprofiles.wordpress.org\u002Foffshorent\u002F","\u003Cp>Using shortcodes you can easily add HTML codes such as ad codes, javascript, video embedding, etc in your pages, posts or custom posts.\u003C\u002Fp>\n\u003Ch4>No limit for the Free version\u003C\u002Fh4>\n\u003Cp>The Free version of the OS HTML5 Shortcodes plugin is not limited.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Admin interface to manage OS HTML5 Shortcodes.\u003C\u002Fli>\n\u003Cli>HTML codes such as ad codes, javascript, video embedding etc.\u003C\u002Fli>\n\u003Cli>Very easy to use ( through shortcodes ).\u003C\u002Fli>\n\u003Cli>HTML5 support.\u003C\u002Fli>\n\u003Cli>Use through TinyMCE buttons.\u003C\u002Fli>\n\u003Cli>OS HTML5 Shortcodes 
Widget.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Support\u003C\u002Fp>\n\u003Cp>So that others can share in the answer, please submit your support requests through the WordPress forums for OS HTML5 Shortcodes(https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fplugin\u002Fos-html5-shortcodes).\u003C\u002Fp>\n","Using shortcodes you can easily add HTML codes such as ad codes, javascript, video embedding, etc in your pages, posts or custom posts.",1778,"2017-04-24T10:24:00.000Z","4.7.33","4.3",[166,167,24,168,169],"etc-to-your-pages","include-html-codes-uch-as-ad-codes","posts-or-custom-post-type-easily-using-shortcodes","video-embedding","http:\u002F\u002Foffshorent.com\u002Fblog\u002Fextensions\u002Fos-html5-shortcodes","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fos-html5-shortcodes.1.3.zip",{"slug":173,"name":174,"version":175,"author":176,"author_profile":177,"description":178,"short_description":179,"active_installs":180,"downloaded":181,"rating":182,"num_ratings":183,"last_updated":184,"tested_up_to":16,"requires_at_least":185,"requires_php":186,"tags":187,"homepage":189,"download_link":190,"security_score":182,"vuln_count":48,"unpatched_count":29,"last_vuln_date":191,"fetched_at":31},"shortcoder","Shortcoder — Create Shortcodes for Anything","6.5.2","vaakash","https:\u002F\u002Fprofiles.wordpress.org\u002Fvaakash\u002F","\u003Cp>Shortcoder plugin allows to create a custom shortcodes for HTML, JavaScript, CSS and other code snippets. 
Now the shortcodes can be used in posts\u002Fpages and the snippet will be replaced in place.\u003C\u002Fp>\n\u003Ch3>✍ Create shortcodes easily\u003C\u002Fh3>\n\u003Col>\n\u003Cli>Give a name for the shortcode\u003C\u002Fli>\n\u003Cli>Paste the HTML\u002FJavaScript\u002FCSS as shortcode content\u003C\u002Fli>\n\u003Cli>Save !\u003C\u002Fli>\n\u003Cli>Now insert the shortcode \u003Ccode>[sc name=\"my_shortcode\"]\u003C\u002Fcode> in your post\u002Fpage.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Voila !\u003C\u002Fstrong> You got the HTML\u002FJavascript\u002FCSS in your post.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>✨ Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Create \u003Cstrong>custom shortcodes\u003C\u002Fstrong> easily and use them in any place where shortcode is supported.\u003C\u002Fli>\n\u003Cli>Have any \u003Cstrong>HTML\u003C\u002Fstrong>, \u003Cstrong>Javascript\u003C\u002Fstrong>, \u003Cstrong>CSS\u003C\u002Fstrong> as Shortcode content.\u003C\u002Fli>\n\u003Cli>Insert: \u003Cstrong>Custom parameters\u003C\u002Fstrong> in shortcode\u003C\u002Fli>\n\u003Cli>Insert: \u003Cstrong>WordPress parameters\u003C\u002Fstrong> in shortcode\u003C\u002Fli>\n\u003Cli>Multiple editors: Code, Visual and text modes.\u003C\u002Fli>\n\u003Cli>Globally disable the shortcode when not needed.\u003C\u002Fli>\n\u003Cli>Disable shortcode on desktop, mobile devices.\u003C\u002Fli>\n\u003Cli>A button in post editor to pick the shortcodes to insert.\u003C\u002Fli>\n\u003Cli>Execute blocks HTML in shortcode content.\u003C\u002Fli>\n\u003Cli>Insert shortcodes in Gutenberg\u002Fblock editor.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🎲 An example usage\u003C\u002Fh3>\n\u003Col>\n\u003Cli>Create a shortcode named “adsenseAd” in the Shortcoder admin page.\u003C\u002Fli>\n\u003Cli>Paste the adsense code in the box given and save it.\u003C\u002Fli>\n\u003Cli>Use \u003Ccode>[sc name=\"adsenseAd\"]\u003C\u002Fcode> in your posts and pages.\u003C\u002Fli>\n\u003Cli>Tada !!! 
the ad code is replaced and it appears in the post.\u003C\u002Fli>\n\u003Cli>Now you can edit the ad code at one place and the code is updated in all the locations where the shortcode is used.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>Similarly shortcodes can be created for frequently used snippets.\u003C\u002Fp>\n\u003Cp>You can also add \u003Ca href=\"https:\u002F\u002Fwww.aakashweb.com\u002Fdocs\u002Fshortcoder\u002F\" rel=\"nofollow ugc\">custom parameters\u003C\u002Fa> (like \u003Ccode>%%id%%\u003C\u002Fcode>) inside the snippets, and change it’s value like \u003Ccode>[sc name=\"youtube\" id=\"GrlRADfvjII\"]\u003C\u002Fcode> when using them.\u003C\u002Fp>\n\u003Ch3>🧱 Using in block editor\u003C\u002Fh3>\n\u003Cp>Though shortcodes can be used in \u003Cstrong>any\u003C\u002Fstrong> place manually, Shortcoder provides below options to select and insert the shortcodes created easily when working with the block editor.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Shortcoder block\u003C\u002Fli>\n\u003Cli>Toolbar button to select and insert shortcodes inline (under “more”)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>💎 Upgrade to PRO\u003C\u002Fh3>\n\u003Cp>Shortcoder also provides a \u003Ca href=\"https:\u002F\u002Fwww.aakashweb.com\u002Fwordpress-plugins\u002Fshortcoder\u002F\" rel=\"nofollow ugc\">PRO version\u003C\u002Fa> which has additional features to further enhance the experience. 
Below features are offered in the PRO version.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Custom editor\u003C\u002Fstrong> – Edit Shortcode content using block editor or page builder plugins like Elementor and WPBakery.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>(New) Translation with WPML\u003C\u002Fstrong> – Translate Shortcode content with WPML.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Revisions\u003C\u002Fstrong> – Revisions support for Shortcode content.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Locate shortcode\u003C\u002Fstrong> – Search posts and pages where a shortcode is used.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Extra code\u003C\u002Fstrong> – Include extra code to the footer when a shortcode is used in a page.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.aakashweb.com\u002Fwordpress-plugins\u002Fshortcoder\u002F\" rel=\"nofollow ugc\">Get started with Shortcoder – PRO\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Links\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.aakashweb.com\u002Fdocs\u002Fshortcoder\u002F\" rel=\"nofollow ugc\">Documentation\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.aakashweb.com\u002Fdocs\u002Fshortcoder\u002Ffaq\u002F\" rel=\"nofollow ugc\">FAQs\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.aakashweb.com\u002Fforum\u002F\" rel=\"nofollow ugc\">Support forum\u002FReport bugs\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.aakashweb.com\u002Fwordpress-plugins\u002Fshortcoder\u002F#pro\" rel=\"nofollow ugc\">PRO features\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n","Create custom \"Shortcodes\" easily for HTML, JavaScript, CSS code snippets and use the shortcodes within posts, pages & 
widgets",100000,1903638,98,226,"2026-03-01T17:44:00.000Z","4.9.0","5.3",[20,23,24,188,130],"shortcode","https:\u002F\u002Fwww.aakashweb.com\u002Fwordpress-plugins\u002Fshortcoder\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fshortcoder.6.5.2.zip","2026-01-09 00:00:00",{"slug":193,"name":194,"version":195,"author":196,"author_profile":197,"description":198,"short_description":199,"active_installs":200,"downloaded":201,"rating":202,"num_ratings":203,"last_updated":204,"tested_up_to":16,"requires_at_least":205,"requires_php":18,"tags":206,"homepage":210,"download_link":211,"security_score":27,"vuln_count":212,"unpatched_count":29,"last_vuln_date":213,"fetched_at":31},"advanced-iframe","Advanced iFrame","2026.1","mdempfle","https:\u002F\u002Fprofiles.wordpress.org\u002Fmdempfle\u002F","\u003Cblockquote>\n\u003Cp>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.advanced-iframe.com\u002F\" rel=\"nofollow ugc\">New website: advanced-iframe.com\u003C\u002Fa>\u003C\u002Fstrong>\u003Cbr \u002F>\n  \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.advanced-iframe.com\u002Fadvanced-iframe\u002Fdemo-advanced-iframe-2-0\" rel=\"nofollow ugc\">Demo\u003C\u002Fa>\u003C\u002Fstrong>\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cp>Include content the way YOU like in an iframe that can hide and modify elements, does auto height, forward parameters and does many, many more…\u003C\u002Fp>\n\u003Ch4>Main features of advanced iframe\u003C\u002Fh4>\n\u003Cp>By entering the shortcode ‘[advanced_iframe]’ you can include any webpage to any page or article.\u003C\u002Fp>\n\u003Cp>Advanced iFrame now has out of the box support for embedded 3D models using the p3d 3D viewer. Go to https:\u002F\u002Fp3d.in\u002Fb\u002F24 and download a pre-configured plugin where the model does scale already nicely on all devices. Get started for free! 
If you need more storage or access to the Premium features of p3d.in, you can get a 50% discount on your first payment with the coupon AIFRAME on checkout.\u003C\u002Fp>\n\u003Cp>The following cool features compared to a normal iframe are implemented:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Hide areas of the layout to give the iframe more space (see screenshot)\u003C\u002Fli>\n\u003Cli>Show only specific areas of the iframe when the iframe is on a same domain (The Pro version supports this on different domains) or include parts directly by jQuery\u003C\u002Fli>\n\u003Cli>Modify css styles in the parent and the iframe to e.g. change the width of the content area (see screen-shot)\u003C\u002Fli>\n\u003Cli>Forward parameters to the iframe\u003C\u002Fli>\n\u003Cli>Resize the iframe to the content height or width on loading, AJAX or click\u003C\u002Fli>\n\u003Cli>Responsive videos (moved from the pro to the the free version in v2022)\u003C\u002Fli>\n\u003Cli>Scroll the parent to the top when the iframe is loaded\u003C\u002Fli>\n\u003Cli>Hide the content until it is fully loaded\u003C\u002Fli>\n\u003Cli>Add a css and js file to the parent page\u003C\u002Fli>\n\u003Cli>Security code: You can only insert the shortcode with a valid security code from the administration.\u003C\u002Fli>\n\u003Cli>Many additional cool features are available the pro version – see https:\u002F\u002Fwww.advanced-iframe.com\u002Fadvanced-iframe\u002Fadvanced-iframe-comparison-chart\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>In the free version you can update to the pro version directly or test all features in the 30 days trial!\u003C\u002Fp>\n\u003Cp>Please note: Modification inside the iframe are only possible if you are on the same domain or use a workaround like described in the settings.\u003C\u002Fp>\n\u003Cp>So please check first if the iframe page and the parent page are one the same domain. www.example.com and text.example.com are different domains! 
Please check in the documentation if you can use the feature you like\u003C\u002Fp>\n\u003Cp>A free iframe checker is available at\u003Cbr \u002F>\nhttps:\u002F\u002Fwww.advanced-iframe.com\u002Fadvanced-iframe\u002Ffree-iframe-checker.\u003Cbr \u002F>\nThis tool does check if a page is allowed to be included!\u003C\u002Fp>\n\u003Cp>All settings can be set with shortcode attributes as well. If you only use one iframe please use the settings in the administration because there each parameter is explained in detail and also the defaults are set there.\u003C\u002Fp>\n\u003Ch4>Limitations of the free version\u003C\u002Fh4>\n\u003Cp>The free version has no functional restrictions and is for personal and small non-commercial sites. After 10.000 views\u002Fmonth you have to opt-in to get unlimited views. If you do not opt-in the iframe is still working 100% and at the bottom of the iframe a small notice to opt-in is shown.\u003C\u002Fp>\n\u003Ch4>Upgrading to Advanced IFrame Pro\u003C\u002Fh4>\n\u003Cp>It’s quick and painless to get Advanced iFrame Pro. Simply sign up for the 30 days trial or buy directly in the plugin. You can then use the plugin on commercial, business, and professional sites and blogs. 
You furthermore get:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Show only specific areas of the iframe even when the iframe is on different domain\u003C\u002Fli>\n\u003Cli>Graphical content selector: https:\u002F\u002Fwww.mdempfle.de\u002Fdemos\u002Fconfigurator\u002Fadvanced-iframe-area-selector.html\u003C\u002Fli>\n\u003Cli>External workaround supports iframe modifications\u003C\u002Fli>\n\u003Cli>Widget support\u003C\u002Fli>\n\u003Cli>No view limit\u003C\u002Fli>\n\u003Cli>Hide areas of an iframe\u003C\u002Fli>\n\u003Cli>Browser detection\u003C\u002Fli>\n\u003Cli>Change link targets\u003C\u002Fli>\n\u003Cli>URL forward parameter mapping.\u003C\u002Fli>\n\u003Cli>Zoom iframe content\u003C\u002Fli>\n\u003Cli>Accordion menu\u003C\u002Fli>\n\u003Cli>jQuery help\u003C\u002Fli>\n\u003Cli>Advanced lazy load\u003C\u002Fli>\n\u003Cli>Standalone version – can be used in ANY php page!\u003C\u002Fli>\n\u003Cli>And much more…\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>You can find the comparison chart here: https:\u002F\u002Fwww.advanced-iframe.com\u002Fadvanced-iframe\u002Fadvanced-iframe-comparison-chart\u003Cbr \u002F>\nSee the pro demo here:\u003Cbr \u002F>\nhttps:\u002F\u002Fwww.advanced-iframe.com\u002Fadvanced-iframe\u002Fadvanced-iframe-pro-demo\u003C\u002Fp>\n\u003Ch4>Administration\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Go to Settings -> Advanced iFrame\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Quick start guide\u003C\u002Fh4>\n\u003Cp>The quickstart guide is also available as video: https:\u002F\u002Fwww.advanced-iframe.com\u002Fadvanced-iframe\u002Fadvanced-iframe-video-tutorials\u003C\u002Fp>\n\u003Cp>To include a webpage to your page please check the following things first:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Check if your page page is allowed to be included https:\u002F\u002Fwww.advanced-iframe.com\u002Fadvanced-iframe\u002Ffree-iframe-checker!\u003C\u002Fli>\n\u003Cli>Check if the iframe page and the parent page are one the same domain. 
www.example.com and text.example.com are different domains!\u003C\u002Fli>\n\u003Cli>Can you modify the page that should be included?\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Most likely you have one of the following setups:\u003C\u002Fp>\n\u003Col>\n\u003Cli>iframe cannot be included:  You cannot include the content because the owner does not allow this.\u003C\u002Fli>\n\u003Cli>iframe can be included and you are on a different domain: See the feature comparison chart: https:\u002F\u002Fwww.advanced-iframe.com\u002Fadvanced-iframe\u002Fadvanced-iframe-comparison-chart and the feature overview https:\u002F\u002Fwww.advanced-iframe.com\u002Fadvanced-iframe\u002Fadvanced-iframe-features-availability-overview. To resize the content to the height\u002Fwidth or modify css you need to modify the remote iframe page by adding one line of Javascript to enable the provided workaround.\u003C\u002Fli>\n\u003Cli>iframe can be included and you are on the same domain: All features of the plugin can be used.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>If you mix http and https read https:\u002F\u002Fwww.advanced-iframe.com\u002Fiframe-do-not-mix-http-and-https. Parent https and iframe http does not work on all major browsers!\u003C\u002Fp>\n\u003Ch4>Advanced iframe attributes\u003C\u002Fh4>\n\u003Cp>Below you find all possible shortcode attributes. 
If you only use one iframe please use the settings in the administration because there each parameter is explained in detail and also the defaults are set there.\u003C\u002Fp>\n\u003Cp>Setting an attribute does overwrite the setting in the administration.\u003C\u002Fp>\n\u003Cp>[advanced_iframe securitykey=””   src=””\u003Cbr \u002F>\n  id=””   name=””\u003Cbr \u002F>\n  width=””   height=””\u003Cbr \u002F>\n  marginwidth=””   marginheight=””\u003Cbr \u002F>\n  scrolling=””   frameborder=””\u003Cbr \u002F>\n  class=””   style=””\u003Cbr \u002F>\n  content_id=””   content_styles=””\u003Cbr \u002F>\n  hide_elements=””   url_forward_parameter=””\u003Cbr \u002F>\n  onload=””   onload_resize=””\u003Cbr \u002F>\n  onload_scroll_top=””   onload_show_element_only=””\u003Cbr \u002F>\n  store_height_in_cookie=””   additional_height=””\u003Cbr \u002F>\n  additional_js=””   additional_css=””\u003Cbr \u002F>\n  iframe_content_id=””   iframe_content_styles=””\u003Cbr \u002F>\n  iframe_hide_elements=””  hide_page_until_loaded=””\u003Cbr \u002F>\n  include_hide_page_until_loaded=””\u003Cbr \u002F>\n  include_url=”” include_content=””\u003Cbr \u002F>\n  include_height=””  include_fade=””\u003Cbr \u002F>\n  onload_resize_width=””   resize_on_ajax=””\u003Cbr \u002F>\n  resize_on_ajax_jquery=””   resize_on_click=””\u003Cbr \u002F>\n  resize_on_click_elements=””   use_shortcode_attributes_only=””\u003Cbr \u002F>\n  onload_resize_delay=””\u003Cbr \u002F>\n  ]\u003C\u002Fp>\n","Include content the way YOU like in an iframe that can hide and modify elements, does auto-height, forward parameters and does many, many more...",40000,2398184,86,55,"2026-04-10T22:11:00.000Z","5.5",[22,207,208,209,188],"iframe","modify-css","resize","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fadvanced-iframe\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-iframe.zip",12,"2026-01-19 
00:00:00",{"attackSurface":215,"codeSignals":273,"taintFlows":298,"riskAssessment":326,"analyzedAt":335},{"hooks":216,"ajaxHandlers":269,"restRoutes":270,"shortcodes":271,"cronEvents":272,"entryPointCount":29,"unprotectedCount":29},[217,223,226,232,236,240,245,250,253,255,257,262,266],{"type":218,"name":219,"callback":220,"file":221,"line":222},"filter","the_content","ce_filter","includes\\add-embeds.php",119,{"type":218,"name":224,"callback":220,"file":221,"line":225},"widget_content",120,{"type":227,"name":228,"callback":229,"file":230,"line":231},"action","wp_enqueue_scripts","ce_main_scripts","includes\\add-scripts.php",22,{"type":218,"name":233,"callback":220,"priority":76,"file":234,"line":235},"the_excerpt","includes\\initialise.php",21,{"type":227,"name":237,"callback":238,"file":234,"line":239},"init","ce_initialisation",61,{"type":227,"name":241,"callback":242,"file":243,"line":244},"admin_menu","ce_menu","includes\\screens.php",36,{"type":218,"name":246,"callback":247,"priority":108,"file":248,"line":249},"update_post_metadata","sec_sanitize_meta_on_write","includes\\secure.php",63,{"type":218,"name":251,"callback":247,"priority":108,"file":248,"line":252},"add_post_metadata",64,{"type":218,"name":246,"callback":247,"priority":108,"file":248,"line":254},70,{"type":218,"name":251,"callback":247,"priority":108,"file":248,"line":256},71,{"type":218,"name":258,"callback":259,"priority":108,"file":260,"line":261},"plugin_row_meta","sec_plugin_meta","includes\\shared.php",42,{"type":218,"name":263,"callback":264,"priority":108,"file":260,"line":265},"plugin_action_links","sec_action_links",68,{"type":227,"name":267,"callback":268,"file":260,"line":222},"admin_init","sec_requirements_check",[],[],[],[],{"dangerousFunctions":274,"sqlUsage":275,"outputEscaping":278,"fileOperations":29,"externalRequests":76,"nonceChecks":48,"capabilityChecks":48,"bundledLibraries":297},[],{"prepared":276,"raw":29,"locations":277},6,[],{"escaped":249,"rawEcho":111,"locations":279},[
280,283,285,287,289,291,293,296],{"file":281,"line":254,"context":282},"includes\\options-screen.php","raw output",{"file":281,"line":284,"context":282},104,{"file":281,"line":286,"context":282},107,{"file":281,"line":288,"context":282},110,{"file":281,"line":290,"context":282},113,{"file":281,"line":292,"context":282},116,{"file":294,"line":295,"context":282},"includes\\search-screen.php",15,{"file":294,"line":13,"context":282},[],[299],{"entryPoint":300,"graph":301,"unsanitizedCount":29,"severity":325},"\u003Csearch-screen> (includes\\search-screen.php:0)",{"nodes":302,"edges":321},[303,308,314,316],{"id":304,"type":305,"label":306,"file":294,"line":307},"n0","source","$_POST",23,{"id":309,"type":310,"label":311,"file":294,"line":312,"wp_function":313},"n1","sink","echo() [XSS]",37,"echo",{"id":315,"type":305,"label":306,"file":294,"line":307},"n2",{"id":317,"type":310,"label":318,"file":294,"line":319,"wp_function":320},"n3","get_results() [SQLi]",51,"get_results",[322,324],{"from":304,"to":309,"sanitized":323},true,{"from":315,"to":317,"sanitized":323},"low",{"summary":327,"deductions":328},"The 'simple-embed-code' plugin v2.5.2 presents a mixed security profile.  On the positive side, the static analysis reveals an exceptionally small attack surface, with no identified AJAX handlers, REST API routes, shortcodes, or cron events.  Furthermore, all observed SQL queries utilize prepared statements, and the majority of output is properly escaped, indicating good development practices for preventing common vulnerabilities like XSS and SQL injection within the current code. The presence of nonce and capability checks, though limited, is also a positive sign.\n\nHowever, the plugin's vulnerability history is a significant concern. With three known medium-severity CVEs, including SSRF, XSS, and Uncontrolled Resource Consumption, the plugin has demonstrated a pattern of introducing security flaws. 
While none of these are currently unpatched, the recurrence of such issues, particularly SSRF and XSS, suggests potential weaknesses in input validation or handling of external resources. The external HTTP request, though only one, could be a vector if not handled with extreme care, especially given the past SSRF vulnerabilities.\n\nIn conclusion, while the current version exhibits improved code hygiene in certain areas, the historical vulnerability record necessitates caution. The lack of a large attack surface is a strength, but the past patterns of SSRF and XSS, even if medium severity, combined with the single external HTTP request, suggest a need for ongoing vigilance and thorough review of any new vulnerabilities discovered for this plugin.",[329,331,333],{"reason":330,"points":295},"Medium severity vulnerabilities in history",{"reason":332,"points":108},"Potential for SSRF\u002FXSS based on history",{"reason":334,"points":55},"One external HTTP request","2026-03-16T17:35:37.361Z",{"wat":337,"direct":344},{"assetPaths":338,"generatorPatterns":340,"scriptPaths":341,"versionParams":342},[339],"\u002Fwp-content\u002Fplugins\u002Fsimple-embed-code\u002Fcss\u002Fvideo-container.min.css",[],[],[343],"simple-embed-code\u002Fcss\u002Fvideo-container.min.css?ver=",{"cssClasses":345,"htmlComments":347,"htmlAttributes":348,"restEndpoints":349,"jsGlobals":350,"shortcodeOutput":351},[346],"ce-video-container",[],[],[],[],[],{"error":323,"url":353,"statusCode":354,"statusMessage":355,"message":355},"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fsimple-embed-code\u002Fbundle",404,"no bundle for this plugin 
yet",{"slug":4,"current_version":6,"total_versions":357,"versions":358},14,[359,364,371,381,391,402,413,424,435,446,457,467,478,489],{"version":6,"download_url":26,"svn_tag_url":360,"released_at":39,"has_diff":54,"diff_files_changed":361,"diff_lines":39,"trac_diff_url":362,"vulnerabilities":363,"is_current":323},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-embed-code\u002Ftags\u002F2.5.2\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-embed-code%2Ftags%2F2.5.1&new_path=%2Fsimple-embed-code%2Ftags%2F2.5.2",[],{"version":70,"download_url":365,"svn_tag_url":366,"released_at":39,"has_diff":54,"diff_files_changed":367,"diff_lines":39,"trac_diff_url":368,"vulnerabilities":369,"is_current":54},"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-embed-code.2.5.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-embed-code\u002Ftags\u002F2.5.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-embed-code%2Ftags%2F2.4&new_path=%2Fsimple-embed-code%2Ftags%2F2.5.1",[370],{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"version":372,"download_url":373,"svn_tag_url":374,"released_at":39,"has_diff":54,"diff_files_changed":375,"diff_lines":39,"trac_diff_url":376,"vulnerabilities":377,"is_current":54},"2.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-embed-code.2.4.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-embed-code\u002Ftags\u002F2.4\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-embed-code%2Ftags%2F2.3.9&new_path=%2Fsimple-embed-code%2Ftags%2F2.4",[378,379,380],{"id":65,"url_slug":66,"title":67,"severity":41,"cvss_score":42,"vuln_type":71,"patched_in_version":70},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":79,"url_slug":80,"title":81,"severity":41,"cvss_score
":42,"vuln_type":44,"patched_in_version":84},{"version":382,"download_url":383,"svn_tag_url":384,"released_at":39,"has_diff":54,"diff_files_changed":385,"diff_lines":39,"trac_diff_url":386,"vulnerabilities":387,"is_current":54},"2.3.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-embed-code.2.3.9.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-embed-code\u002Ftags\u002F2.3.9\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-embed-code%2Ftags%2F2.2.2&new_path=%2Fsimple-embed-code%2Ftags%2F2.3.9",[388,389,390],{"id":65,"url_slug":66,"title":67,"severity":41,"cvss_score":42,"vuln_type":71,"patched_in_version":70},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":79,"url_slug":80,"title":81,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":84},{"version":392,"download_url":393,"svn_tag_url":394,"released_at":39,"has_diff":54,"diff_files_changed":395,"diff_lines":39,"trac_diff_url":396,"vulnerabilities":397,"is_current":54},"2.2.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-embed-code.2.2.2.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-embed-code\u002Ftags\u002F2.2.2\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-embed-code%2Ftags%2F2.1.2&new_path=%2Fsimple-embed-code%2Ftags%2F2.2.2",[398,399,400,401],{"id":65,"url_slug":66,"title":67,"severity":41,"cvss_score":42,"vuln_type":71,"patched_in_version":70},{"id":91,"url_slug":92,"title":93,"severity":41,"cvss_score":97,"vuln_type":99,"patched_in_version":96},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":79,"url_slug":80,"title":81,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":84},{"version":403,"download_url":404,"svn_tag_url":405,"released_at":39,"has_diff":54,"diff_files_changed":406,"diff_lines":39,"trac_diff_
url":407,"vulnerabilities":408,"is_current":54},"2.1.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-embed-code.2.1.2.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-embed-code\u002Ftags\u002F2.1.2\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-embed-code%2Ftags%2F2.0.2&new_path=%2Fsimple-embed-code%2Ftags%2F2.1.2",[409,410,411,412],{"id":65,"url_slug":66,"title":67,"severity":41,"cvss_score":42,"vuln_type":71,"patched_in_version":70},{"id":91,"url_slug":92,"title":93,"severity":41,"cvss_score":97,"vuln_type":99,"patched_in_version":96},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":79,"url_slug":80,"title":81,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":84},{"version":414,"download_url":415,"svn_tag_url":416,"released_at":39,"has_diff":54,"diff_files_changed":417,"diff_lines":39,"trac_diff_url":418,"vulnerabilities":419,"is_current":54},"2.0.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-embed-code.2.0.2.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-embed-code\u002Ftags\u002F2.0.2\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-embed-code%2Ftags%2F1.6.1&new_path=%2Fsimple-embed-code%2Ftags%2F2.0.2",[420,421,422,423],{"id":65,"url_slug":66,"title":67,"severity":41,"cvss_score":42,"vuln_type":71,"patched_in_version":70},{"id":91,"url_slug":92,"title":93,"severity":41,"cvss_score":97,"vuln_type":99,"patched_in_version":96},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":79,"url_slug":80,"title":81,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":84},{"version":425,"download_url":426,"svn_tag_url":427,"released_at":39,"has_diff":54,"diff_files_changed":428,"diff_lines":39,"trac_diff_url":429,"vulnerabilities":430,"is_current":54},"1.6.1","https:\u002F\u0
02Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-embed-code.1.6.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-embed-code\u002Ftags\u002F1.6.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-embed-code%2Ftags%2F1.5.1&new_path=%2Fsimple-embed-code%2Ftags%2F1.6.1",[431,432,433,434],{"id":65,"url_slug":66,"title":67,"severity":41,"cvss_score":42,"vuln_type":71,"patched_in_version":70},{"id":91,"url_slug":92,"title":93,"severity":41,"cvss_score":97,"vuln_type":99,"patched_in_version":96},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":79,"url_slug":80,"title":81,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":84},{"version":436,"download_url":437,"svn_tag_url":438,"released_at":39,"has_diff":54,"diff_files_changed":439,"diff_lines":39,"trac_diff_url":440,"vulnerabilities":441,"is_current":54},"1.5.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-embed-code.1.5.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-embed-code\u002Ftags\u002F1.5.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-embed-code%2Ftags%2F1.4.1&new_path=%2Fsimple-embed-code%2Ftags%2F1.5.1",[442,443,444,445],{"id":65,"url_slug":66,"title":67,"severity":41,"cvss_score":42,"vuln_type":71,"patched_in_version":70},{"id":91,"url_slug":92,"title":93,"severity":41,"cvss_score":97,"vuln_type":99,"patched_in_version":96},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":79,"url_slug":80,"title":81,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":84},{"version":447,"download_url":448,"svn_tag_url":449,"released_at":39,"has_diff":54,"diff_files_changed":450,"diff_lines":39,"trac_diff_url":451,"vulnerabilities":452,"is_current":54},"1.4.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-embed-code.1.4.1.zip"
,"https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-embed-code\u002Ftags\u002F1.4.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-embed-code%2Ftags%2F1.3&new_path=%2Fsimple-embed-code%2Ftags%2F1.4.1",[453,454,455,456],{"id":65,"url_slug":66,"title":67,"severity":41,"cvss_score":42,"vuln_type":71,"patched_in_version":70},{"id":91,"url_slug":92,"title":93,"severity":41,"cvss_score":97,"vuln_type":99,"patched_in_version":96},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":79,"url_slug":80,"title":81,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":84},{"version":156,"download_url":458,"svn_tag_url":459,"released_at":39,"has_diff":54,"diff_files_changed":460,"diff_lines":39,"trac_diff_url":461,"vulnerabilities":462,"is_current":54},"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-embed-code.1.3.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-embed-code\u002Ftags\u002F1.3\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-embed-code%2Ftags%2F1.2&new_path=%2Fsimple-embed-code%2Ftags%2F1.3",[463,464,465,466],{"id":65,"url_slug":66,"title":67,"severity":41,"cvss_score":42,"vuln_type":71,"patched_in_version":70},{"id":91,"url_slug":92,"title":93,"severity":41,"cvss_score":97,"vuln_type":99,"patched_in_version":96},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":79,"url_slug":80,"title":81,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":84},{"version":468,"download_url":469,"svn_tag_url":470,"released_at":39,"has_diff":54,"diff_files_changed":471,"diff_lines":39,"trac_diff_url":472,"vulnerabilities":473,"is_current":54},"1.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-embed-code.1.2.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-embed-code\u002Ftags\u002F1.2\u002F"
,[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-embed-code%2Ftags%2F1.1&new_path=%2Fsimple-embed-code%2Ftags%2F1.2",[474,475,476,477],{"id":65,"url_slug":66,"title":67,"severity":41,"cvss_score":42,"vuln_type":71,"patched_in_version":70},{"id":91,"url_slug":92,"title":93,"severity":41,"cvss_score":97,"vuln_type":99,"patched_in_version":96},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":79,"url_slug":80,"title":81,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":84},{"version":479,"download_url":480,"svn_tag_url":481,"released_at":39,"has_diff":54,"diff_files_changed":482,"diff_lines":39,"trac_diff_url":483,"vulnerabilities":484,"is_current":54},"1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-embed-code.1.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-embed-code\u002Ftags\u002F1.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-embed-code%2Ftags%2F1.0&new_path=%2Fsimple-embed-code%2Ftags%2F1.1",[485,486,487,488],{"id":65,"url_slug":66,"title":67,"severity":41,"cvss_score":42,"vuln_type":71,"patched_in_version":70},{"id":91,"url_slug":92,"title":93,"severity":41,"cvss_score":97,"vuln_type":99,"patched_in_version":96},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":79,"url_slug":80,"title":81,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":84},{"version":137,"download_url":490,"svn_tag_url":491,"released_at":39,"has_diff":54,"diff_files_changed":492,"diff_lines":39,"trac_diff_url":39,"vulnerabilities":493,"is_current":54},"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-embed-code.1.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-embed-code\u002Ftags\u002F1.0\u002F",[],[494,495,496,497],{"id":65,"url_slug":66,"title":67,"severity":41,"cvss_score":42,"vuln_type":7
1,"patched_in_version":70},{"id":91,"url_slug":92,"title":93,"severity":41,"cvss_score":97,"vuln_type":99,"patched_in_version":96},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":79,"url_slug":80,"title":81,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":84}]