[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fINmxPU_sv5GWyuPHI-_shV2yp40bo_mFtW3xMESOU0I":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30,"vulnerabilities":31,"developer":32,"crawl_stats":29,"alternatives":37,"analysis":128,"fingerprints":293},"simpleticker","SimpleTicker","0.9","michael.bartel","https:\u002F\u002Fprofiles.wordpress.org\u002Fmichaelbartel\u002F","\u003Cp>A simple ticker plugin for WordPress. It supports multiple tickers. You can define an update interval\u003Cbr \u002F>\nin minutes in which the client updates its message list from the server. This update request includes\u003Cbr \u002F>\nnew messages, which have been posted since the last update. You can also specify the number of messages that\u003Cbr \u002F>\nthe client fades through and the time each message stays on the screen. Each message is stored with a\u003Cbr \u002F>\ncreation timestamp. You can tell the ticker only to show messages not older than a defined number of minutes.\u003Cbr \u002F>\nIf there are no messages to display, then the ticker turns itself invisible.\u003C\u002Fp>\n\u003Cp>Every ticker has its own RSS feed, which can be retrieved by giving either its ID or its name.\u003C\u002Fp>\n\u003Cp>If you want to use the SimpleTicker data from another application such as an iPhone or Android app, you can\u003Cbr \u002F>\nget all ticker data and messages via a JSON-based API. It is also possible to add and delete messages\u003Cbr \u002F>\nwith the JSON API. 
Your application will need a password for each ticker if it wants to add or delete messages.\u003C\u002Fp>\n\u003Ch3>Copyright\u003C\u002Fh3>\n\u003Cp>WordPress – Plugin “SimpleTicker”\u003Cbr \u002F>\n(c) 2013 Michael Bartel, MIT\u002FX11-license\u003Cbr \u002F>\neMail: Michael.Bartel@gmx.net\u003C\u002Fp>\n\u003Ch3>History\u003C\u002Fh3>\n\u003Cp>Version 0.95\u003Cbr \u002F>\n – Refactoring\u003C\u002Fp>\n\u003Cp>Version 0.9\u003Cbr \u002F>\n – Bugfixing\u003C\u002Fp>\n\u003Cp>Version 0.8\u003Cbr \u002F>\n – Improvements to the Android App\u003C\u002Fp>\n\u003Cp>Version 0.7\u003Cbr \u002F>\n – Android App improvements\u003C\u002Fp>\n\u003Cp>Version 0.6\u003Cbr \u002F>\n – Android App and Bug fixes\u003C\u002Fp>\n\u003Cp>Version 0.5\u003Cbr \u002F>\n – added RSS Feed\u003C\u002Fp>\n\u003Cp>Version 0.4\u003Cbr \u002F>\n – added Template-Engine and XML API\u003C\u002Fp>\n\u003Cp>Version 0.3\u003Cbr \u002F>\n – added JSON API\u003C\u002Fp>\n\u003Cp>Version 0.2\u003Cbr \u002F>\n – added auto-hide\u003C\u002Fp>\n\u003Cp>Version 0.1\u003Cbr \u002F>\n – first version V3.1\u003C\u002Fp>\n\u003Ch3>Use Ticker\u003C\u002Fh3>\n\u003Cp>To use the ticker on your WordPress pages or articles, copy the following text into the page. After that, replace #id# with the ID of your ticker.\u003C\u002Fp>\n\u003Cp>[simpleticker id=#id#]\u003C\u002Fp>\n\u003Cp>Example for ticker 1 (with ID 1): [simpleticker id=1]\u003C\u002Fp>\n\u003Ch3>RSS Feed\u003C\u002Fh3>\n\u003Cp>You will receive the content of the RSS feed for a specific ticker when you call SimpleTicker.php from your plugin folder (URL) and append ‘?action=rssFeed&id=1’. Instead of id=1 you can use name=Tickername.\u003C\u002Fp>\n\u003Ch3>APIs\u003C\u002Fh3>\n\u003Cp>All APIs are handled with GET parameters. The ‘action’ parameter specifies which function you want to call.\u003C\u002Fp>\n\u003Ch3>JSON API\u003C\u002Fh3>\n\u003Cp>Instead of using the id parameter with the ticker’s ID, you can use the name parameter with its name. 
The JSON API provides the following functionalities:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>jsonGetTickerList – Returns a full list of all available tickers containing each ticker’s ID and name.\u003C\u002Fli>\n\u003Cli>jsonGetTickerMessages – Returns a list with the last 50 messages of a ticker. You have to specify the ticker by giving its ID in the parameter ‘id’. The list contains the message ID, the message itself and the createdOn timestamp.\u003C\u002Fli>\n\u003Cli>jsonManageTicker – You need a password to call this action. All further parameters are given in a BASE64-encoded encrypted JSON string provided as a GET parameter named ‘data’. You have to set the ‘id’ parameter as above to define a ticker. The JSON string contains an action attribute which can be either ‘addMessage’ or ‘removeMessage’. The ‘addMessage’ action takes an additional ‘message’ attribute containing the new message, and the ‘removeMessage’ action takes an ‘id’ attribute.\u003C\u002Fli>\n\u003C\u002Ful>\n","A simple ticker plugin for WordPress. It supports multiple tickers. 
You can define an update interval",10,4120,20,1,"2013-11-20T13:52:00.000Z","3.2.1","2.6","",[20,21,22,23,24],"news","newsticker","text","textticker","ticker","http:\u002F\u002Fsimpleticker.mbartel.de\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimpleticker.0.95.zip",85,0,null,"2026-03-15T15:16:48.613Z",[],{"slug":33,"display_name":7,"profile_url":8,"plugin_count":14,"total_installs":11,"avg_security_score":27,"avg_patch_time_days":34,"trust_score":35,"computed_at":36},"michaelbartel",30,84,"2026-04-04T11:19:42.173Z",[38,56,76,92,112],{"slug":39,"name":40,"version":41,"author":42,"author_profile":43,"description":44,"short_description":45,"active_installs":46,"downloaded":47,"rating":48,"num_ratings":14,"last_updated":49,"tested_up_to":50,"requires_at_least":51,"requires_php":18,"tags":52,"homepage":18,"download_link":55,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"awesome-wp-widget-newsticker","Awesome Wp Widget Newsticker","1.0","nayon46","https:\u002F\u002Fprofiles.wordpress.org\u002Fnayon46\u002F","\u003Cp>news Ticker is a multi-functional data display plugin. Easily add custom news tickers to your site either through shortcodes, direct functions, or in a custom Ditty News Ticker Widget.\u003C\u002Fp>\n\u003Cp>News Ticker is a free, flat, stylish, modern, easy to use and flexible wordpress jQuery news ticker. If you have a magazine or blogging site then then it’s a highly recommend plugin for your website\u002Fblog.\u003C\u002Fp>\n\u003Ch3>Arbitrary section\u003C\u002Fh3>\n\u003Cp>You may provide arbitrary sections, in the same format as the ones above.  
This may be of use for extremely complicated\u003Cbr \u002F>\nplugins where more information needs to be conveyed that doesn’t fit into the categories of “description” or\u003Cbr \u002F>\n“installation.”  Arbitrary sections will be shown below the built-in sections outlined above.\u003C\u002Fp>\n\u003Ch3>A brief Markdown Example\u003C\u002Fh3>\n\u003Cp>Ordered list:\u003C\u002Fp>\n\u003Col>\n\u003Cli>Some feature\u003C\u002Fli>\n\u003Cli>Another feature\u003C\u002Fli>\n\u003Cli>Something else about the plugin\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>Unordered list:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>something\u003C\u002Fli>\n\u003Cli>something else\u003C\u002Fli>\n\u003Cli>third thing\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Here’s a link to \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002F\" title=\"Your favorite software\" rel=\"ugc\">WordPress\u003C\u002Fa> and one to \u003Ca href=\"http:\u002F\u002Fdaringfireball.net\u002Fprojects\u002Fmarkdown\u002Fsyntax\" title=\"Markdown is what the parser uses to process much of the readme file\" rel=\"nofollow ugc\">Markdown’s Syntax Documentation\u003C\u002Fa>.\u003Cbr \u002F>\nTitles are optional, naturally.\u003C\u002Fp>\n\u003Cp>Markdown uses email style notation for blockquotes and I’ve been told:\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>Asterisks for \u003Cem>emphasis\u003C\u002Fem>. 
Double it up  for \u003Cstrong>strong\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cpre>\u003Ccode>\u003C?php code(); \u002F\u002F goes in backticks ?>\n\u003C\u002Fcode>\u003C\u002Fpre>\n","news Ticker widget is a multi-functional data display plugin.",200,6459,100,"2024-01-07T03:02:00.000Z","6.4.8","5.0.1",[21,53,54],"widget-newsticker","wordpress-newsticker","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fawesome-wp-widget-newsticker.zip",{"slug":57,"name":58,"version":59,"author":60,"author_profile":61,"description":62,"short_description":63,"active_installs":48,"downloaded":64,"rating":65,"num_ratings":66,"last_updated":67,"tested_up_to":68,"requires_at_least":69,"requires_php":18,"tags":70,"homepage":74,"download_link":75,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"fikraticker","FikraTicker","0.2","Nael Bawadekji","https:\u002F\u002Fprofiles.wordpress.org\u002Ffikratech\u002F","\u003Cp>FikraTicker provides WordPress with a sleek and multi-options newsticker. It can be displayed in any place in your website\u002Fblog. This ticker shows the latest news\u002Fposts. You can control the news display from the control panel.\u003C\u002Fp>\n\u003Cp>This newsticker is an ideal solution for anyone who wants to give his site a magazine\u002Fnews style.\u003C\u002Fp>\n\u003Cp>This newsticker comes with the following features:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>It supports the languages that are written from right to left and vice versa (RTL, LTR);  \u003C\u002Fli>\n\u003Cli>A Control Panel, that enables you to control the ticker in detail, such as the style, speed, width and the number of  publications;  \u003C\u002Fli>\n\u003Cli>It supports 4 basic effects: Slide, Fade, Scroll and Ticker.  
\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Check out the \u003Ca href=\"http:\u002F\u002Ffikratech.com\u002Fticker\u002F\" rel=\"nofollow ugc\">Demo\u003C\u002Fa>\u003C\u002Fp>\n","FikraTicker is a simple and multi-effects newsticker that displays the recent news\u002Fposts on your website\u002Fblog",15862,92,5,"2013-11-08T14:36:00.000Z","3.5.2","3.0",[71,21,72,73,24],"fade","posts","slide","http:\u002F\u002Ffikratech.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffikraticker.zip",{"slug":77,"name":78,"version":79,"author":80,"author_profile":81,"description":82,"short_description":83,"active_installs":11,"downloaded":84,"rating":48,"num_ratings":14,"last_updated":18,"tested_up_to":85,"requires_at_least":69,"requires_php":18,"tags":86,"homepage":89,"download_link":90,"security_score":48,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":91},"announceme","AnnounceME","0.3.3","Berni1337","https:\u002F\u002Fprofiles.wordpress.org\u002Fberni1337\u002F","\u003Cp>AnnounceME is a simple plugin, coded to help you publishing important Announcements, which can be read by every user of your Blog. 
AnnounceME uses the same design as WordPress in backend, to make it easier to handle with it.\u003C\u002Fp>\n","AnnounceME is a simple plugin, coded to help you publishing important Announcements.",3287,"3.1.4",[87,88,21],"announce","announcement","http:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Fannounceme\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fannounceme.zip","2026-03-15T14:44:11.924Z",{"slug":93,"name":94,"version":41,"author":95,"author_profile":96,"description":97,"short_description":98,"active_installs":11,"downloaded":99,"rating":48,"num_ratings":14,"last_updated":100,"tested_up_to":101,"requires_at_least":102,"requires_php":103,"tags":104,"homepage":110,"download_link":111,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"newstick-ultra","NewsTick Ultra","Geeky Nigeria","https:\u002F\u002Fprofiles.wordpress.org\u002Fjohnvictor82\u002F","\u003Cp>NewsTick Ultra is a stylish and beautifully designed news ticker plugin that brings the freedom of customisation at your fingertips!\u003C\u002Fp>\n\u003Cp>With NewsTick Ultra, you can conveniently set a category for posts to display on the bar or use an alternative content instead. Use the shortcode, [newstick-ultra] to display the ticker on relevant places.\u003C\u002Fp>\n\u003Cp>Major features in NewsTick Ultra include:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Easily accessible shortcode.\u003C\u002Fli>\n\u003Cli>Colour Customisation\u003C\u002Fli>\n\u003Cli>Display custom content\u003C\u002Fli>\n\u003Cli>Select number of posts to display.  
\u003C\u002Fli>\n\u003Cli>Low on memory usage\u003C\u002Fli>\n\u003C\u002Ful>\n","A stylish and customisable news ticker that displays news or alternative content.",1055,"2020-07-21T08:29:00.000Z","5.4.19","5.4","7.2",[105,106,107,108,109],"beautiful-newsticker","customisable-newticker-plugin","flexible-newsticker-plugin","newsticker-for-wordpress","well-designed-newsticker","https:\u002F\u002Fgeeky.com.ng\u002Fnewstick-ultra-plugin","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnewstick-ultra.1.0.zip",{"slug":113,"name":114,"version":115,"author":116,"author_profile":117,"description":118,"short_description":119,"active_installs":11,"downloaded":120,"rating":48,"num_ratings":14,"last_updated":121,"tested_up_to":122,"requires_at_least":123,"requires_php":18,"tags":124,"homepage":18,"download_link":127,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"posts-news-ticker","Posts News Ticker","1.0.0","hamzarauf","https:\u002F\u002Fprofiles.wordpress.org\u002Fhamzarauf\u002F","\u003Cp>Show Latest posts news ticker at bottom…\u003C\u002Fp>\n\u003Cp>For backwards compatibility, if this section is missing, the full length of the short description will be used, and\u003Cbr \u002F>\nMarkdown parsed.\u003C\u002Fp>\n\u003Cp>A few notes about the sections above:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>“Contributors” is a comma separated list of wordpress.org usernames\u003C\u002Fli>\n\u003Cli>“Tags” is a comma separated list of tags that apply to the plugin\u003C\u002Fli>\n\u003Cli>“Requires at least” is the lowest version that the plugin will work on\u003C\u002Fli>\n\u003Cli>“Tested up to” is the highest version that you’ve \u003Cem>successfully used to test the plugin\u003C\u002Fem>. 
Note that it might work on\u003Cbr \u002F>\nhigher versions… this is just the highest one you’ve verified.\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Stable tag should indicate the Subversion “tag” of the latest stable version, or “trunk,” if you use \u003Ccode>\u002Ftrunk\u002F\u003C\u002Fcode> for\u003Cbr \u002F>\nstable.\u003C\u002Fp>\n\u003Cp>Note that the \u003Ccode>readme.txt\u003C\u002Fcode> of the stable tag is the one that is considered the defining one for the plugin, so\u003Cbr \u002F>\nif the \u003Ccode>\u002Ftrunk\u002Freadme.txt\u003C\u002Fcode> file says that the stable tag is \u003Ccode>4.3\u003C\u002Fcode>, then it is \u003Ccode>\u002Ftags\u002F4.3\u002Freadme.txt\u003C\u002Fcode> that’ll be used\u003Cbr \u002F>\nfor displaying information about the plugin.  In this situation, the only thing considered from the trunk \u003Ccode>readme.txt\u003C\u002Fcode>\u003Cbr \u002F>\nis the stable tag pointer.  Thus, if you develop in trunk, you can update the trunk \u003Ccode>readme.txt\u003C\u002Fcode> to reflect changes in\u003Cbr \u002F>\nyour in-development version, without having that information incorrectly disclosed about the current stable version\u003Cbr \u002F>\nthat lacks those changes — as long as the trunk’s \u003Ccode>readme.txt\u003C\u002Fcode> points to the correct stable tag.\u003C\u002Fp>\n\u003Cp>If no stable tag is provided, it is assumed that trunk is stable, but you should specify “trunk” if that’s where\u003Cbr \u002F>\nyou put the stable version, in order to eliminate any doubt.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Arbitrary section\u003C\u002Fh3>\n\u003Cp>You may provide arbitrary sections, in the same format as the ones above.  
This may be of use for extremely complicated\u003Cbr \u002F>\nplugins where more information needs to be conveyed that doesn’t fit into the categories of “description” or\u003Cbr \u002F>\n“installation.”  Arbitrary sections will be shown below the built-in sections outlined above.\u003C\u002Fp>\n\u003Ch3>A brief Markdown Example\u003C\u002Fh3>\n\u003Cp>Ordered list:\u003C\u002Fp>\n\u003Col>\n\u003Cli>10 Latest Blog posts \u003C\u002Fli>\n\u003Cli>Rotating text \u003C\u002Fli>\n\u003Cli>Current time\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>Here’s a link to \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002F\" title=\"Your favorite software\" rel=\"ugc\">WordPress\u003C\u002Fa> and one to \u003Ca href=\"http:\u002F\u002Fdaringfireball.net\u002Fprojects\u002Fmarkdown\u002Fsyntax\" title=\"Markdown is what the parser uses to process much of the readme file\" rel=\"nofollow ugc\">Markdown’s Syntax Documentation\u003C\u002Fa>.\u003Cbr \u002F>\nTitles are optional, naturally.\u003C\u002Fp>\n\u003Cp>Markdown uses email style notation for blockquotes and I’ve been told:\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>Asterisks for \u003Cem>emphasis\u003C\u002Fem>. 
Double it up  for \u003Cstrong>strong\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cpre>\u003Ccode>\u003C?php code(); \u002F\u002F goes in backticks ?>\n\u003C\u002Fcode>\u003C\u002Fpre>\n","Show Latest posts news ticker at bottom",3390,"2017-01-22T16:33:00.000Z","4.7.32","4.6",[125,20,21,72,126],"blog","rotate","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fposts-news-ticker.zip",{"attackSurface":129,"codeSignals":152,"taintFlows":213,"riskAssessment":278,"analyzedAt":292},{"hooks":130,"ajaxHandlers":145,"restRoutes":146,"shortcodes":147,"cronEvents":151,"entryPointCount":14,"unprotectedCount":28},[131,137,141],{"type":132,"name":133,"callback":134,"file":135,"line":136},"action","init","initSimpleTicker","simpleticker.php",98,{"type":132,"name":138,"callback":139,"file":135,"line":140},"wp_head","simpleTickerBaseURL",114,{"type":132,"name":142,"callback":143,"file":135,"line":144},"admin_menu","showSimpleTickerAdminPage",143,[],[],[148],{"tag":4,"callback":149,"file":135,"line":150},"printSimpleTicker",132,[],{"dangerousFunctions":153,"sqlUsage":154,"outputEscaping":189,"fileOperations":28,"externalRequests":28,"nonceChecks":28,"capabilityChecks":28,"bundledLibraries":212},[],{"prepared":155,"raw":156,"locations":157},4,14,[158,161,163,165,167,169,171,173,176,178,180,182,185,187],{"file":135,"line":159,"context":160},125,"$wpdb->query() with variable interpolation",{"file":135,"line":162,"context":160},126,{"file":135,"line":164,"context":160},173,{"file":135,"line":166,"context":160},177,{"file":135,"line":168,"context":160},183,{"file":135,"line":170,"context":160},184,{"file":135,"line":172,"context":160},202,{"file":135,"line":174,"context":175},228,"$wpdb->get_results() with variable interpolation",{"file":135,"line":177,"context":175},279,{"file":135,"line":179,"context":175},387,{"file":135,"line":181,"context":175},403,{"file":135,"line":183,"context":184},432,"$wpdb->get_row() with variable 
interpolation",{"file":135,"line":186,"context":160},439,{"file":135,"line":188,"context":160},447,{"escaped":28,"rawEcho":11,"locations":190},[191,194,196,198,200,202,204,206,208,210],{"file":135,"line":192,"context":193},31,"raw output",{"file":135,"line":195,"context":193},34,{"file":135,"line":197,"context":193},41,{"file":135,"line":199,"context":193},44,{"file":135,"line":201,"context":193},47,{"file":135,"line":203,"context":193},58,{"file":135,"line":205,"context":193},116,{"file":135,"line":207,"context":193},234,{"file":135,"line":209,"context":193},285,{"file":135,"line":211,"context":193},302,[],[214],{"entryPoint":215,"graph":216,"unsanitizedCount":276,"severity":277},"\u003Csimpleticker> (simpleticker.php:0)",{"nodes":217,"edges":265},[218,223,228,231,235,240,242,245,250,252,255,257,260,263],{"id":219,"type":220,"label":221,"file":135,"line":222},"n0","source","$_GET (x4)",25,{"id":224,"type":225,"label":226,"file":135,"line":192,"wp_function":227},"n1","sink","echo() [XSS]","echo",{"id":229,"type":220,"label":230,"file":135,"line":192},"n2","$_GET",{"id":232,"type":233,"label":234,"file":135,"line":192},"n3","transform","→ getAJAXSimpleTickerDetails()",{"id":236,"type":225,"label":237,"file":135,"line":238,"wp_function":239},"n4","get_row() [SQLi]",346,"get_row",{"id":241,"type":220,"label":230,"file":135,"line":195},"n5",{"id":243,"type":233,"label":244,"file":135,"line":195},"n6","→ getAJAXSimpleTickerMessages()",{"id":246,"type":225,"label":247,"file":135,"line":248,"wp_function":249},"n7","get_results() [SQLi]",370,"get_results",{"id":251,"type":220,"label":230,"file":135,"line":199},"n8",{"id":253,"type":233,"label":254,"file":135,"line":199},"n9","→ getSimpleTickerMessages()",{"id":256,"type":225,"label":247,"file":135,"line":181,"wp_function":249},"n10",{"id":258,"type":220,"label":230,"file":135,"line":259},"n11",50,{"id":261,"type":233,"label":262,"file":135,"line":259},"n12","→ 
manageSimpleTicker()",{"id":264,"type":225,"label":237,"file":135,"line":183,"wp_function":239},"n13",[266,268,269,270,271,272,273,274,275],{"from":219,"to":224,"sanitized":267},false,{"from":229,"to":232,"sanitized":267},{"from":232,"to":236,"sanitized":267},{"from":241,"to":243,"sanitized":267},{"from":243,"to":246,"sanitized":267},{"from":251,"to":253,"sanitized":267},{"from":253,"to":256,"sanitized":267},{"from":258,"to":261,"sanitized":267},{"from":261,"to":264,"sanitized":267},8,"high",{"summary":279,"deductions":280},"The simpleticker v0.9 plugin shows a mixed security posture. On the positive side, it has no recorded CVEs, and the static analysis found no dangerous functions, file operations, external HTTP requests or bundled libraries. The hook-based attack surface is small: three hooks (init, wp_head, admin_menu) and one shortcode entry point. Note, however, that the readme documents a second entry path that this inventory does not count: the RSS feed and the JSON API are reached by requesting SimpleTicker.php in the plugin folder directly with GET parameters, so the handlers selected by 'action' are reachable without any WordPress hook.\n\nThe code-level findings are serious. None of the 10 output sites is escaped (0 escaped, 10 raw echo), and the taint analysis traces $_GET through the shortcode entry point to an echo() sink and to four $wpdb sinks (get_row and get_results, reached via getAJAXSimpleTickerDetails(), getAJAXSimpleTickerMessages(), getSimpleTickerMessages() and manageSimpleTicker()) with no sanitizing step on any edge. That is reflected Cross-Site Scripting (XSS) and SQL injection exposure from request parameters. SQL handling makes this worse: only 4 of the 18 queries (about 22%) go through $wpdb->prepare(); the other 14 interpolate variables directly into $wpdb->query(), get_results() or get_row() strings. The plugin also has no nonce or capability checks at all. The readme states that jsonManageTicker requires a per-ticker password, which the nonce/capability inventory would not detect, so that check should be verified by hand before relying on it; the read-only actions (jsonGetTickerList, jsonGetTickerMessages, rssFeed) are documented as unauthenticated.\n\nIn conclusion, while the plugin has no public vulnerability history, the analysis shows unescaped output and unsanitized request-to-sink flows that point to XSS and SQL injection risk, compounded by missing authorization checks. 
The fixes are standard: bind every query parameter with $wpdb->prepare() (or $wpdb->insert() and $wpdb->delete()), escape at output with esc_html() or esc_attr() or return JSON via wp_send_json(), and gate write actions with a credential check (current_user_can() plus a nonce for browser callers, a constant-time password check for API clients). Note also that the plugin was last updated in November 2013 and is tested only up to WordPress 3.2.1.",[281,283,286,288,290],{"reason":282,"points":276},"Unescaped output detected",{"reason":284,"points":285},"Taint flow with unsanitized path",12,{"reason":287,"points":66},"Missing nonce checks",{"reason":289,"points":66},"Missing capability checks",{"reason":291,"points":155},"SQL queries without prepared statements","2026-03-17T01:23:58.528Z",{"wat":294,"direct":301},{"assetPaths":295,"generatorPatterns":298,"scriptPaths":299,"versionParams":300},[296,297],"\u002Fwp-content\u002Fplugins\u002Fsimpleticker\u002Fsimpleticker.css","\u002Fwp-content\u002Fplugins\u002Fsimpleticker\u002Fsimpleticker.js",[],[297],[],{"cssClasses":302,"htmlComments":303,"htmlAttributes":304,"restEndpoints":305,"jsGlobals":307,"shortcodeOutput":308},[5],[],[],[306],"\u002Fwp-json\u002Fsimpleticker",[139],[309,310],"\u003Cdiv id=\"SimpleTicker","\" class=\"SimpleTicker\">\u003Cspan>\u003C\u002Fspan>\u003C\u002Fdiv>"]
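Added example, not from the page and not SimpleTicker's own code: a hardened PHP version of the GET-driven JSON API that the readme above describes (action, id or name, and data as a base64-encoded JSON envelope), fixing the three patterns the analysis flags: variables interpolated into $wpdb queries, request values echoed raw, and no credential or capability check on the write action. The table names, the password_hash column, the password GET parameter and all function names are assumptions for illustration; the readme's encrypted envelope is not specified on the page, so the example sends the per-ticker password as a plain parameter over HTTPS instead. The first function is a reconstruction of the flagged pattern for contrast, not the plugin's source.

```php
<?php
// Added example, not SimpleTicker's code. Hardened form of the GET-driven
// JSON API the readme describes (action, id|name, data = base64(JSON)).
// Assumed (hypothetical, not from the page): tables
//   {$wpdb->prefix}simpleticker(id, name, password_hash)   -- wp_hash_password() hash
//   {$wpdb->prefix}simpleticker_messages(id, ticker_id, message, createdOn)
// and that the per-ticker password travels as GET 'password' over HTTPS in
// place of the unspecified "encrypted" envelope the readme mentions.

// The pattern the static analysis flags (illustrative reconstruction, not the
// plugin's source): unbound $_GET in SQL, raw echo, no access control.
function simpleticker_example_unsafe() {
    global $wpdb;
    $id   = $_GET['id'];                                                    // attacker-controlled
    $rows = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}simpleticker_messages WHERE ticker_id = $id" ); // SQLi
    echo 'Ticker ' . $_GET['name'] . ': ' . json_encode( $rows );           // reflected XSS
}

// Resolve the ticker by id= or name= (the readme allows either); both are bound.
function simpleticker_example_resolve_ticker() {
    global $wpdb;
    $t = $wpdb->prefix . 'simpleticker';                                    // assumed table
    if ( isset( $_GET['id'] ) ) {
        return $wpdb->get_row( $wpdb->prepare(
            "SELECT id, name, password_hash FROM {$t} WHERE id = %d", absint( $_GET['id'] ) ) );
    }
    if ( isset( $_GET['name'] ) ) {
        return $wpdb->get_row( $wpdb->prepare(
            "SELECT id, name, password_hash FROM {$t} WHERE name = %s",
            sanitize_text_field( wp_unslash( $_GET['name'] ) ) ) );
    }
    return null;
}

function simpleticker_example_api() {
    global $wpdb;
    $messages = $wpdb->prefix . 'simpleticker_messages';                    // assumed table
    $action   = isset( $_GET['action'] ) ? sanitize_key( $_GET['action'] ) : '';
    $ticker   = simpleticker_example_resolve_ticker();
    if ( ! $ticker ) {
        wp_send_json_error( array( 'error' => 'unknown ticker' ), 404 );    // sends JSON and exits
    }

    if ( 'jsonGetTickerMessages' === $action ) {
        // Bound parameter instead of "... WHERE ticker_id = $id" (SQLi fix).
        $rows = $wpdb->get_results( $wpdb->prepare(
            "SELECT id, message, createdOn FROM {$messages}
             WHERE ticker_id = %d ORDER BY createdOn DESC LIMIT 50", $ticker->id ), ARRAY_A );
        // wp_send_json() sets Content-Type: application/json and exits; no
        // request value is ever written into an HTML context (XSS fix).
        wp_send_json( $rows );
    }

    if ( 'jsonManageTicker' === $action ) {
        // Verify the per-ticker password before any write. wp_check_password()
        // is WordPress' constant-time check for wp_hash_password() hashes; for a
        // logged-in browser caller, current_user_can() + check_ajax_referer()
        // would be the equivalent gate. The analysed plugin has neither.
        $pw = isset( $_GET['password'] ) ? (string) wp_unslash( $_GET['password'] ) : '';
        if ( '' === $pw || ! wp_check_password( $pw, $ticker->password_hash ) ) {
            wp_send_json_error( array( 'error' => 'forbidden' ), 403 );
        }

        // The readme's envelope: data = base64( {"action": ..., "message"|"id": ...} ).
        $raw = isset( $_GET['data'] ) ? base64_decode( (string) $_GET['data'], true ) : false;
        $cmd = ( false === $raw ) ? null : json_decode( $raw, true );
        if ( ! is_array( $cmd ) || empty( $cmd['action'] ) ) {
            wp_send_json_error( array( 'error' => 'malformed data' ), 400 );
        }

        if ( 'addMessage' === $cmd['action'] ) {
            $msg = sanitize_text_field( isset( $cmd['message'] ) ? (string) $cmd['message'] : '' );
            if ( '' === $msg ) {
                wp_send_json_error( array( 'error' => 'empty message' ), 400 );
            }
            // $wpdb->insert() binds every column by the format given (%d/%s).
            $ok = $wpdb->insert( $messages,
                array( 'ticker_id' => $ticker->id, 'message' => $msg, 'createdOn' => current_time( 'mysql' ) ),
                array( '%d', '%s', '%s' ) );
            wp_send_json( array( 'ok' => (bool) $ok, 'id' => (int) $wpdb->insert_id ) );
        }

        if ( 'removeMessage' === $cmd['action'] ) {
            // Scope the delete to this ticker: a valid password for ticker A
            // must not be able to delete ticker B's messages.
            $mid = isset( $cmd['id'] ) ? absint( $cmd['id'] ) : 0;
            $ok  = $wpdb->delete( $messages,
                array( 'id' => $mid, 'ticker_id' => $ticker->id ), array( '%d', '%d' ) );
            wp_send_json( array( 'ok' => (bool) $ok ) );
        }
    }

    // Never reflect the raw action string back (XSS fix).
    wp_send_json_error( array( 'error' => 'unknown action' ), 400 );
}
```

The read-only actions stay unauthenticated, as the readme documents, but every request value is bound with %d or %s before it reaches SQL, and the response leaves via wp_send_json(), so nothing from the request lands in an HTML context. The same rule applies to the shortcode output: pass the ticker id through esc_attr() and each stored message through esc_html() at the point where the SimpleTicker div is printed.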