[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fAvOfd6CvH13eDu9gBPvRTxDOncR7tm2fHIXqqohWQ2I":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":11,"last_updated":13,"tested_up_to":14,"requires_at_least":15,"requires_php":13,"tags":16,"homepage":20,"download_link":21,"security_score":22,"vuln_count":11,"unpatched_count":11,"last_vuln_date":23,"fetched_at":24,"vulnerabilities":25,"developer":26,"crawl_stats":23,"alternatives":31,"analysis":32,"fingerprints":120},"spruce-api-extension","Spruce Extension","3.0.12","junh4533","https:\u002F\u002Fprofiles.wordpress.org\u002Fjunh4533\u002F","\u003Cp>A Spruce extension that offers a suite of features, including a Youtube live stream feed, Youtube channel feed, and an interactive JavaScript Map. Developed specifically for Senator Cardin’s website.\u003C\u002Fp>\n","A Spruce extension that offers a suite of features, including a Youtube live stream feed, Youtube channel feed, and an interactive JavaScript 
Map.",0,1440,"","5.8.13","5.8.3",[17,18,19],"spruceextension","v3-0-12","youtubeapi","https:\u002F\u002Fwww.sprucetech.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fspruce-api-extension.3.0.12.zip",100,null,"2026-03-15T10:48:56.248Z",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":27,"total_installs":11,"avg_security_score":22,"avg_patch_time_days":28,"trust_score":29,"computed_at":30},1,30,94,"2026-04-05T17:24:12.227Z",[],{"attackSurface":33,"codeSignals":65,"taintFlows":78,"riskAssessment":106,"analyzedAt":119},{"hooks":34,"ajaxHandlers":51,"restRoutes":52,"shortcodes":53,"cronEvents":63,"entryPointCount":64,"unprotectedCount":11},[35,41,44,46,49],{"type":36,"name":37,"callback":38,"file":39,"line":40},"action","plugins_loaded","anonymous","includes\\class-spruce_api_extension.php",142,{"type":36,"name":42,"callback":38,"file":39,"line":43},"admin_enqueue_scripts",157,{"type":36,"name":42,"callback":38,"file":39,"line":45},158,{"type":36,"name":47,"callback":38,"file":39,"line":48},"wp_enqueue_scripts",173,{"type":36,"name":47,"callback":38,"file":39,"line":50},174,[],[],[54,59],{"tag":55,"callback":56,"file":57,"line":58},"sae-get-earmarks","spruce_extension_earmarks","spruce_api_extension.php",299,{"tag":60,"callback":61,"file":57,"line":62},"sae-live-stream","spruce_extension_get_streams",300,[],2,{"dangerousFunctions":66,"sqlUsage":67,"outputEscaping":69,"fileOperations":27,"externalRequests":11,"nonceChecks":11,"capabilityChecks":11,"bundledLibraries":77},[],{"prepared":11,"raw":11,"locations":68},[],{"escaped":70,"rawEcho":64,"locations":71},27,[72,75],{"file":57,"line":73,"context":74},140,"raw output",{"file":57,"line":76,"context":74},181,[],[79,98],{"entryPoint":80,"graph":81,"unsanitizedCount":11,"severity":97},"spruce_extension_earmarks 
(spruce_api_extension.php:190)",{"nodes":82,"edges":94},[83,88],{"id":84,"type":85,"label":86,"file":57,"line":87},"n0","source","$_POST",234,{"id":89,"type":90,"label":91,"file":57,"line":92,"wp_function":93},"n1","sink","echo() [XSS]",266,"echo",[95],{"from":84,"to":89,"sanitized":96},true,"low",{"entryPoint":99,"graph":100,"unsanitizedCount":11,"severity":97},"\u003Cspruce_api_extension> (spruce_api_extension.php:0)",{"nodes":101,"edges":104},[102,103],{"id":84,"type":85,"label":86,"file":57,"line":87},{"id":89,"type":90,"label":91,"file":57,"line":92,"wp_function":93},[105],{"from":84,"to":89,"sanitized":96},{"summary":107,"deductions":108},"The spruce-api-extension plugin, version 3.0.12, exhibits a generally strong security posture based on the static analysis. The absence of known CVEs and critical vulnerability history indicates a potentially well-maintained and secure codebase, although with 0 active installs recorded it may equally mean the code has received little outside scrutiny. The code demonstrates good practices with 100% of SQL queries utilizing prepared statements (the scan recorded no SQL queries at all, so this figure carries little weight) and a high percentage (93%) of output escaping; the two raw output sites, at lines 140 and 181 of spruce_api_extension.php, should still be reviewed by hand. Furthermore, there are no critical or high-severity taint analysis flows, suggesting that potentially malicious input is not being processed in a dangerous manner: both recorded flows run from $_POST to echo, are marked sanitized, and are rated low.\n\nHowever, there are several areas that raise concerns. The lack of nonce checks and capability checks across all entry points (AJAX, REST API, and shortcodes) is a significant weakness. This means that any user, regardless of their role or logged-in status, could potentially trigger the plugin's functionality; note that the scan itself lists only the two shortcodes as entry points and reports an unprotected count of 0. While the attack surface for AJAX and REST API is currently zero, this could change with future updates. The presence of file operations, even if not showing in the current taint analysis, warrants attention, as it can be a vector for malicious file manipulation if not handled with extreme care. 
The two shortcodes, sae-get-earmarks and sae-live-stream, while not flagged as unprotected in this analysis, are potential entry points that should ideally have robust authorization checks; spruce_extension_earmarks, the callback in which the scan traces $_POST (line 234) to an echo (line 266), is the first place to confirm request validation.\n\nIn conclusion, while the plugin benefits from a clean vulnerability history and good practices in SQL and output escaping, the complete absence of nonce and capability checks on its entry points presents a notable risk. The plugin has no known vulnerabilities on record, but its internal security mechanisms for handling user input are lacking, leaving it open to potential exploitation if new vulnerabilities are introduced or if attackers can find ways to exploit the existing shortcodes. The presence of file operations (one was counted) also adds a layer of potential risk that needs careful monitoring.",[109,112,114,117],{"reason":110,"points":111},"Missing nonce checks on entry points",10,{"reason":113,"points":111},"Missing capability checks on entry points",{"reason":115,"points":116},"File operations present",5,{"reason":118,"points":116},"Shortcodes present without specific auth checks 
noted","2026-03-17T05:43:29.764Z",{"wat":121,"direct":132},{"assetPaths":122,"generatorPatterns":126,"scriptPaths":127,"versionParams":128},[123,124,125],"\u002Fwp-content\u002Fplugins\u002Fspruce-api-extension\u002Fassets\u002Fcss\u002Fcustom.css","\u002Fwp-content\u002Fplugins\u002Fspruce-api-extension\u002Fassets\u002Fjs\u002Fyoutube.js","\u002Fwp-content\u002Fplugins\u002Fspruce-api-extension\u002Fassets\u002Fjs\u002Fmain.js",[],[124,125],[129,130,131],"spruce-api-extension\u002Fassets\u002Fcss\u002Fcustom.css?ver=","spruce-api-extension\u002Fassets\u002Fjs\u002Fyoutube.js?ver=","spruce-api-extension\u002Fassets\u002Fjs\u002Fmain.js?ver=",{"cssClasses":133,"htmlComments":140,"htmlAttributes":141,"restEndpoints":151,"jsGlobals":152,"shortcodeOutput":154},[134,135,136,137,138,139],"et_pb_module","et_pb_text","et_pb_code","et_pb_button_module_wrapper","et_pb_button","link-flash",[],[142,143,144,145,146,147,148,149,150],"data-field_id","data-subcommittee","data-project-title","data-requested-by","data-recipient-name","data-project-purpose","data-project-location","data-amt-requested","data-amt-funded",[],[153],"spruce_api_extension",[155,156,157,158,159,160],"\u003Ch1 style=\"text-align: left;\">Watch Live\u003C\u002Fh1>","\u003Cp style=\"color: #B11F29; margin-bottom: 1rem;\">","\u003Ch3 style=\"color: black; font-weight: bold; line-height: 2rem;\">","\u003Ca class=\"et_pb_button et_pb_button_1 link-flash et_pb_bg_layout_light\"","\u003Ciframe style=\"height: 100%; width: auto; aspect-ratio: 16 \u002F 9;\"","\u003Ch3 style=\"margin-top: 2rem; color: #042B61; font-size: 22px !important; font-weight: bold;\">"]