[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fZszECbI4aEAcVRiyDYmG-meynckzIBZPeMk7amWSDVM":3,"$fNE80NdpGfzVyk2WZgH4LxHgY7OGKTsB8YXf7-i55bBY":190,"$fdSLP0QN0V8w4CDq1-w3oKrL-cHXKiaNsXR4qYLu4BZQ":195},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":23,"download_link":24,"security_score":25,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28,"discovery_status":29,"vulnerabilities":30,"developer":48,"crawl_stats":36,"alternatives":55,"analysis":56,"fingerprints":148},"smart-wetransfer","Smart WeTransfer","1.3","mrityunjay","https:\u002F\u002Fprofiles.wordpress.org\u002Fmrityunjay\u002F","\u003Cp>Upload large files upto 2GB using this plugin. This plugin uses wetransfer API and all uploads are saved in wetransfer website for 7 days. So no burden of space on your\u003Cbr \u002F>\nserver! Simply install and use given shortcode to display uplaod form. Manage uploads using given interface.\u003C\u002Fp>\n\u003Ch3>Donations\u003C\u002Fh3>\n\u003Cp>If you liked this plugin, Please donate.\u003C\u002Fp>\n","Upload large files upto 2GB using this plugin. 
This plugin uses wetransfer API and all uploads are saved in wetransfer website for 7 days.",70,3833,86,3,"2020-07-21T18:35:00.000Z","5.4.19","3.5","5.6",[20,21,22],"large-files-upload","transfer-big-files","wetransfer","https:\u002F\u002Fgrittechnologies.com\u002Fplugins","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsmart-wetransfer.zip",63,1,"2025-09-29 00:00:00","2026-04-16T10:56:18.058Z","no_bundle",[31],{"id":32,"url_slug":33,"title":34,"description":35,"plugin_slug":4,"theme_slug":36,"affected_versions":37,"patched_in_version":36,"severity":38,"cvss_score":39,"cvss_vector":40,"vuln_type":41,"published_date":27,"updated_date":42,"references":43,"days_to_patch":36,"patch_diff_files":45,"patch_trac_url":36,"research_status":36,"research_verified":46,"research_rounds_completed":47,"research_plan":36,"research_summary":36,"research_vulnerable_code":36,"research_fix_diff":36,"research_exploit_outline":36,"research_model_used":36,"research_started_at":36,"research_completed_at":36,"research_error":36,"poc_status":36,"poc_video_id":36,"poc_summary":36,"poc_steps":36,"poc_tested_at":36,"poc_wp_version":36,"poc_php_version":36,"poc_playwright_script":36,"poc_exploit_code":36,"poc_has_trace":46,"poc_model_used":36,"poc_verification_depth":36},"CVE-2025-62909","smart-wetransfer-missing-authorization","Smart WeTransfer \u003C= 1.3 - Missing Authorization","The Smart WeTransfer plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.3. 
This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.",null,"\u003C=1.3","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2025-10-29 15:03:44",[44],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd4828a91-fd56-4c38-8666-d296721120e9?source=api-prod",[],false,0,{"slug":7,"display_name":7,"profile_url":8,"plugin_count":49,"total_installs":50,"avg_security_score":51,"avg_patch_time_days":52,"trust_score":53,"computed_at":54},2,80,74,30,76,"2026-05-20T04:47:12.360Z",[],{"attackSurface":57,"codeSignals":104,"taintFlows":129,"riskAssessment":130,"analyzedAt":147},{"hooks":58,"ajaxHandlers":92,"restRoutes":97,"shortcodes":98,"cronEvents":103,"entryPointCount":49,"unprotectedCount":26},[59,66,70,74,78,81,83,88],{"type":60,"name":61,"callback":62,"priority":63,"file":64,"line":65},"action","admin_enqueue_scripts","wetransfer_load_admin_scripts",100,"includes\\scripts.php",8,{"type":60,"name":67,"callback":68,"file":64,"line":69},"admin_footer","wetransfer_delete_action_fun",27,{"type":60,"name":61,"callback":71,"priority":63,"file":72,"line":73},"wetransfer_admin_styles","includes\\style.php",11,{"type":60,"name":75,"callback":76,"priority":63,"file":72,"line":77},"wp_enqueue_scripts","wetransfer_front_end_styles",19,{"type":60,"name":61,"callback":71,"priority":63,"file":79,"line":80},"includes\\styles.php",13,{"type":60,"name":75,"callback":76,"priority":63,"file":79,"line":82},21,{"type":60,"name":84,"callback":85,"file":86,"line":87},"init","smart_wetransfer_send_notification","smart-wetransfer.php",141,{"type":60,"name":89,"callback":90,"file":86,"line":91},"admin_menu","wetransfer_settings_page",219,[93],{"action":94,"nopriv":46,"callback":95,"hasNonce":46,"hasCapCheck":46,"file":64,"line":96},"delete_action","wetransfer_delete_action",41,[],[99],{"tag":100,"callback":101,"file":86,
"line":102},"smartTransfer","wetransfer_getForm",97,[],{"dangerousFunctions":105,"sqlUsage":106,"outputEscaping":111,"fileOperations":47,"externalRequests":47,"nonceChecks":47,"capabilityChecks":26,"bundledLibraries":128},[],{"prepared":47,"raw":26,"locations":107},[108],{"file":86,"line":109,"context":110},229,"$wpdb->get_results() with variable interpolation",{"escaped":73,"rawEcho":65,"locations":112},[113,115,117,119,121,123,124,126],{"file":86,"line":69,"context":114},"raw output",{"file":86,"line":116,"context":114},37,{"file":86,"line":118,"context":114},45,{"file":86,"line":120,"context":114},50,{"file":86,"line":122,"context":114},57,{"file":86,"line":11,"context":114},{"file":86,"line":125,"context":114},85,{"file":86,"line":127,"context":114},254,[],[],{"summary":131,"deductions":132},"The \"smart-wetransfer\" v1.3 plugin exhibits several concerning security weaknesses despite some positive indicators. The unprotected AJAX handler significantly increases the attack surface: it is registered for logged-in users only, but it performs neither a capability check nor nonce verification, so any authenticated user can invoke it and it is exposed to cross-site request forgery. While the code analysis found no dangerous functions or file operations, 100% of SQL queries are built without prepared statements, which is a major concern because variable interpolation can lead to SQL injection if an interpolated value is attacker-controlled. Furthermore, the plugin has a known medium severity vulnerability that is currently unpatched, which suggests security oversight in its development and maintenance. 
While the plugin does perform some output escaping, only 58% of outputs are escaped, so the remaining raw echo statements are potential cross-site scripting (XSS) sinks wherever they emit user-controlled data.",[133,135,138,141,144],{"reason":134,"points":65},"Unprotected AJAX handler found",{"reason":136,"points":137},"100% of SQL queries lack prepared statements",9,{"reason":139,"points":140},"Unpatched medium severity CVE found",17,{"reason":142,"points":143},"Missing nonce checks",7,{"reason":145,"points":146},"Only 58% of output properly escaped",5,"2026-03-16T21:33:19.962Z",{"wat":149,"direct":159},{"assetPaths":150,"generatorPatterns":153,"scriptPaths":154,"versionParams":156},[151,152],"\u002Fwp-content\u002Fplugins\u002Fsmart-wetransfer\u002Fincludes\u002Fstyle.css","\u002Fwp-content\u002Fplugins\u002Fsmart-wetransfer\u002Fincludes\u002Fscript.js",[],[155],"https:\u002F\u002Fprod-embed-cdn.wetransfer.net\u002Fv1\u002Flatest.js",[157,158],"smart-wetransfer\u002Fincludes\u002Fstyle.css?ver=","smart-wetransfer\u002Fincludes\u002Fscript.js?ver=",{"cssClasses":160,"htmlComments":167,"htmlAttributes":169,"restEndpoints":174,"jsGlobals":175,"shortcodeOutput":177},[161,162,163,164,165,166],"form-control","btn","btn-primary","grit-style","table","error",[168],"The next input element will hold the transfer link. 
For testing purposes, you\n  could change the type attribute to \"text\", instead of \"hidden\".",[170,171,172,173],"data-widget-host","wtEmbedKey","wtEmbedOutput","wtEmbedLanguage",[],[176],"WETRANSFER_PLUGIN_PATH",[178,179,180,181,182,183,184,185,186,187,188,189],"\u003Ch3 style='color:green'>","\u003Cspan class=\"error\">","\u003Cinput type='text' name='your_name' class='form-control' placeholder='Your Name'>","\u003Cinput type='email' name='your_email' class='form-control' placeholder='Your Email' required>","\u003Cinput type='text' name='your_file' class='form-control' placeholder='File Name'>","\u003Cdiv data-widget-host=\"habitat\" id=\"wt_embed\">","\u003Cscript type=\"text\u002Fprops\">\n    {\n      \"wtEmbedKey\": \"","\",\n      \"wtEmbedOutput\": \".wt_embed_output\",\n      \"wtEmbedLanguage\": \"en\"\n    }\n  \u003C\u002Fscript>","\u003C\u002Fdiv>","\u003Cscript async src=\"https:\u002F\u002Fprod-embed-cdn.wetransfer.net\u002Fv1\u002Flatest.js\">\u003C\u002Fscript>","\u003Cinput type=\"hidden\" name=\"wt_embed_output\" class=\"wt_embed_output\" \u002F>","\u003Cinput type='submit' class='btn btn-primary' name='submit_file' value='Submit'>",{"error":191,"url":192,"statusCode":193,"statusMessage":194,"message":194},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fsmart-wetransfer\u002Fbundle",404,"no bundle for this plugin 
yet",{"slug":4,"current_version":6,"total_versions":49,"versions":196},[197,205],{"version":198,"download_url":199,"svn_tag_url":200,"released_at":36,"has_diff":46,"diff_files_changed":201,"diff_lines":36,"trac_diff_url":202,"vulnerabilities":203,"is_current":46},"1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsmart-wetransfer.1.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsmart-wetransfer\u002Ftags\u002F1.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsmart-wetransfer%2Ftags%2F1.0&new_path=%2Fsmart-wetransfer%2Ftags%2F1.1",[204],{"id":32,"url_slug":33,"title":34,"severity":38,"cvss_score":39,"vuln_type":41,"patched_in_version":36},{"version":206,"download_url":207,"svn_tag_url":208,"released_at":36,"has_diff":46,"diff_files_changed":209,"diff_lines":36,"trac_diff_url":36,"vulnerabilities":210,"is_current":46},"1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsmart-wetransfer.1.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsmart-wetransfer\u002Ftags\u002F1.0\u002F",[],[211],{"id":32,"url_slug":33,"title":34,"severity":38,"cvss_score":39,"vuln_type":41,"patched_in_version":36}]