[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fala8kVGftw4w42ilPxxj7Crx6V-KrRdgbeR1JnwBdRU":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":15,"requires_php":15,"tags":16,"homepage":17,"download_link":18,"security_score":19,"vuln_count":13,"unpatched_count":13,"last_vuln_date":20,"fetched_at":21,"vulnerabilities":22,"developer":23,"crawl_stats":20,"alternatives":28,"analysis":29,"fingerprints":117},"smp-twitter-module-oauth","Social Media Pack – Twitter Module","1.2","socialmediapack","https:\u002F\u002Fprofiles.wordpress.org\u002Fsocialmediapack\u002F","\u003Cp>The social media pack automatically sends your wordpress posts onto twitter\u003C\u002Fp>\n","The social media pack automatically sends your wordpress posts onto twitter",10,10207,0,"2010-08-11T11:04:00.000Z","",[],"http:\u002F\u002Fwww.socialmediapack.co.uk","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsmp-twitter-module-oauth.zip",85,null,"2026-03-15T15:16:48.613Z",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":24,"total_installs":11,"avg_security_score":19,"avg_patch_time_days":25,"trust_score":26,"computed_at":27},1,30,84,"2026-04-04T11:09:35.920Z",[],{"attackSurface":30,"codeSignals":45,"taintFlows":79,"riskAssessment":98,"analyzedAt":116},{"hooks":31,"ajaxHandlers":41,"restRoutes":42,"shortcodes":43,"cronEvents":44,"entryPointCount":13,"unprotectedCount":13},[32,38],{"type":33,"name":34,"callback":35,"file":36,"line":37},"action","admin_menu","smp_twitter_add_options","socialmediapack.php",29,{"type":33,"name":39,"callback":40,"file":36,"line":25},"publish_post","sendToTwitter",[],[],[],[],{"dangerousFunctions":46,"sqlUsage":53,"outputEscaping":65,"fileOperations":24,"externalRequests":54,"nonceChecks":13,"capabilityChecks":24,"bundledLibraries":78},[47,51],{"fn":48,"file":36,"line":49,"con
text":50},"unserialize",78,"$access_token = unserialize($access_token->access_token);",{"fn":48,"file":36,"line":52,"context":50},148,{"prepared":54,"raw":55,"locations":56},2,3,[57,60,63],{"file":36,"line":58,"context":59},42,"$wpdb->get_var() with variable interpolation",{"file":36,"line":61,"context":62},73,"$wpdb->get_row() with variable interpolation",{"file":36,"line":64,"context":62},143,{"escaped":13,"rawEcho":66,"locations":67},4,[68,72,74,76],{"file":69,"line":70,"context":71},"callback.php",39,"raw output",{"file":36,"line":73,"context":71},90,{"file":36,"line":75,"context":71},122,{"file":36,"line":77,"context":71},133,[],[80],{"entryPoint":81,"graph":82,"unsanitizedCount":24,"severity":97},"\u003Ccallback> (callback.php:0)",{"nodes":83,"edges":94},[84,89],{"id":85,"type":86,"label":87,"file":69,"line":88},"n0","source","$_GET['oauth_token']",13,{"id":90,"type":91,"label":92,"file":69,"line":88,"wp_function":93},"n1","sink","get_row() [SQLi]","get_row",[95],{"from":85,"to":90,"sanitized":96},false,"high",{"summary":99,"deductions":100},"The smp-twitter-module-oauth plugin version 1.2 presents a mixed security posture. The scan found no AJAX handlers, REST API routes, shortcodes, or cron events, which is a positive, but that is not the same as having no attack surface: the plugin registers two action hooks, and the taint flow reported here starts in callback.php, which reads a request parameter. Several code signals and the taint analysis results indicate potential weaknesses.\n\nThe presence of the `unserialize` function, a known dangerous function, is a concern. Both flagged calls unserialize a value read from an `$access_token` object, so the risk is PHP object injection, which in the worst case can lead to code execution, and it depends on whether an attacker can influence that value; this scan does not establish that. Separately, the high-severity taint flow carries `$_GET['oauth_token']` into `get_row()` with no sanitization recorded, which points to SQL injection rather than to the `unserialize` calls. Furthermore, none of the identified outputs is escaped, which opens the door to cross-site scripting (XSS) wherever an echoed value can be influenced by an attacker.\n\nThe plugin has a clean vulnerability history with no recorded CVEs. 
This is a good sign on its face, but a weak one: the plugin was last updated in 2010 and the listing shows about 10 active installs, so the absence of CVEs may simply mean that the code has received little scrutiny rather than that it is sound. It does not negate the risks identified in the static and taint analysis, which highlight inherent dangers within the current codebase. The complete absence of nonce checks and the single capability check are also areas of concern, especially given the potential for insecure function usage.\n\nIn conclusion, the lack of AJAX, REST, shortcode and cron entry points is welcome, but the risks associated with `unserialize`, the unsanitized taint flow, and the lack of output escaping cannot be overlooked. The absence of known vulnerabilities should not lead to complacency given these weaknesses in the code. Developers should prioritize addressing them: pass request values to the database only through `$wpdb->prepare()`, escape output with functions such as `esc_html()` and `esc_attr()`, avoid `unserialize` on data that could be attacker-influenced, and add nonce and capability checks to state-changing actions.",[101,104,106,109,111,114],{"reason":102,"points":103},"Dangerous function 'unserialize' present",15,{"reason":105,"points":103},"High severity taint flow with unsanitized path",{"reason":107,"points":108},"Output escaping not properly implemented (0%)",8,{"reason":110,"points":11},"No nonce checks",{"reason":112,"points":113},"Only 1 capability check found",5,{"reason":115,"points":113},"SQL queries with potential for injection (40% prepared)","2026-03-17T01:33:08.299Z",{"wat":118,"direct":124},{"assetPaths":119,"generatorPatterns":121,"scriptPaths":122,"versionParams":123},[120],"\u002Fwp-content\u002Fplugins\u002Fsmp-twitter-module-oauth\u002FtwitterFramework\u002Ftwitteroauth.php",[],[],[],{"cssClasses":125,"htmlComments":126,"htmlAttributes":128,"restEndpoints":129,"jsGlobals":130,"shortcodeOutput":132},[],[127],"\u003C!--\n\t\twindow.location = \"",[],[],[131],"window.location",[]]