[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ftKdj1AYLzAVH2Vv0wkij363m9adCCxVkIk4ntRvU9jg":3,"$fFrWZOyRIoWOl3uZMPF_78bSr8ixujIXsrC23isx8DAY":238,"$fa80XdoRBrl0uR4bKNmvpjQwnZTwoJLKtqDAG8HSSvsQ":242},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":11,"last_updated":13,"tested_up_to":14,"requires_at_least":15,"requires_php":16,"tags":17,"homepage":23,"download_link":24,"security_score":25,"vuln_count":26,"unpatched_count":11,"last_vuln_date":27,"fetched_at":28,"discovery_status":29,"vulnerabilities":30,"developer":56,"crawl_stats":36,"alternatives":62,"analysis":156,"fingerprints":217},"stickeasy-protected-contact-form","StickEasy Protected Contact Form","1.0.4","Kasuga","https:\u002F\u002Fprofiles.wordpress.org\u002Fkasuga16\u002F","\u003Cp>\u003Cstrong>StickEasy Protected Contact Form\u003C\u002Fstrong> is the fastest way to get a functional contact form on your WordPress site. This plugin is focused on \u003Cstrong>simplicity and speed\u003C\u002Fstrong>, allowing you to create a minimal contact form by simply placing a shortcode on any page.\u003C\u002Fp>\n\u003Cp>There’s no complex setup or field builder. Just install, place the shortcode, and start receiving messages.\u003C\u002Fp>\n\u003Cp>As an added benefit, the form includes \u003Cstrong>built-in basic spam protection\u003C\u002Fstrong> (nonce verification, a honeypot field, submission time validation, a bad words filter, and a human interaction check) to keep most automated bots away without the need for CAPTCHAs or third-party services.\u003C\u002Fp>\n\u003Ch3>Usage\u003C\u002Fh3>\n\u003Ch3>1. 
Simple Setup (Shortcode)\u003C\u002Fh3>\n\u003Cp>To instantly add the contact form, insert the following shortcode into any \u003Cstrong>post\u003C\u002Fstrong> or \u003Cstrong>page\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cp>\u003Cstrong>\u003Ccode>[spcf_form]\u003C\u002Fcode>\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>2. Basic Customization\u003C\u002Fh3>\n\u003Cp>You can adjust the basic form behavior from \u003Cstrong>Settings\u003C\u002Fstrong> \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> \u003Cstrong>StickEasy Contact\u003C\u002Fstrong>.\u003Cbr \u002F>\nThe following options are available:\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Contact Form Settings\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>Edit Form Labels\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Customize the visible labels for each field (\u003Cstrong>Name, Email, Message\u003C\u002Fstrong>) to match your website’s tone or language.\u003Cbr \u002F>\n\u003Cstrong>NOTE:\u003C\u002Fstrong> Basic HTML such as \u003Ccode>\u003Cstrong>\u003C\u002Fcode> or \u003Ccode>\u003Cbr>\u003C\u002Fcode> can be used for emphasis or formatting.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Toggle the Name field on or off with a single checkbox. 
Useful when you prefer a shorter form or want to accept anonymous messages.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Specify the \u003Cstrong>recipient email address\u003C\u002Fstrong> for messages.\u003Cbr \u002F>\n\u003Cstrong>By default, messages are sent to the Administration Email Address\u003C\u002Fstrong> set in your WordPress settings (“Settings” \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> “General”).\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Custom Success Message\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Edit the message shown after the form is successfully submitted.\u003Cbr \u002F>\nYou can also use simple HTML formatting, such as \u003Ccode>\u003Cbr>\u003C\u002Fcode> for line breaks.\u003Cbr \u002F>\nExample: “Thank you!\u003Ccode>\u003Cbr>\u003C\u002Fcode>We will get back to you within 2 business days.”\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Spam Protection Settings\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>Enable or disable all built-in spam protection features at once.\u003Cbr \u002F>\nIncluded protections: \u003Cstrong>Honeypot, Submission Time Check, and Forbidden Word Filter\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Minimum Submission Time\u003Cbr \u002F>\nSet the minimum number of seconds a visitor must remain on the page before submitting.\u003Cbr \u002F>\nA value between 3 and 10 seconds is generally recommended.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Forbidden Word Filter\u003Cbr \u002F>\nAdd blocked words, domains, email patterns, or IP addresses to prevent spam submissions.\u003Cbr \u002F>\n\u003Cstrong>Note:\u003C\u002Fstrong>\u003Cbr \u002F>\nThe Forbidden Word Filter list also applies to the visitor’s email address and IP address, not just the message body.\u003Cbr \u002F>\nExamples:\u003Cbr \u002F>\n　\u003Ccode>viagra\u003C\u002Fcode>\u003Cbr \u002F>\n　
\u003Ccode>bit.ly\u003C\u002Fcode>\u003Cbr \u002F>\n　\u003Ccode>visitor@email.com\u003C\u002Fcode>\u003Cbr \u002F>\n　\u003Ccode>123.45.67.89\u003C\u002Fcode>\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n","Just drop the shortcode on any page — your super simple, hassle-free contact form is ready!",0,345,"2026-02-18T11:31:00.000Z","6.9.4","6.3","7.4",[18,19,20,21,22],"contact-form","easy","minimal","shortcode","simple","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fstickeasy-protected-contact-form.1.0.4.zip",99,1,"2026-02-13 14:25:27","2026-04-16T10:56:18.058Z","no_bundle",[31],{"id":32,"url_slug":33,"title":34,"description":35,"plugin_slug":4,"theme_slug":36,"affected_versions":37,"patched_in_version":38,"severity":39,"cvss_score":40,"cvss_vector":41,"vuln_type":42,"published_date":27,"updated_date":43,"references":44,"days_to_patch":26,"patch_diff_files":46,"patch_trac_url":36,"research_status":47,"research_verified":48,"research_rounds_completed":49,"research_plan":50,"research_summary":51,"research_vulnerable_code":36,"research_fix_diff":36,"research_exploit_outline":52,"research_model_used":53,"research_started_at":54,"research_completed_at":55,"research_error":36,"poc_status":36,"poc_video_id":36,"poc_summary":36,"poc_steps":36,"poc_tested_at":36,"poc_wp_version":36,"poc_php_version":36,"poc_playwright_script":36,"poc_exploit_code":36,"poc_has_trace":48,"poc_model_used":36,"poc_verification_depth":36},"CVE-2025-13973","stickeasy-protected-contact-form-unauthenticated-information-disclosure","StickEasy Protected Contact Form \u003C= 1.0.1 - Unauthenticated Information Disclosure","The StickEasy Protected Contact Form plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.0.1 (fixed in 1.0.2). The plugin stores spam detection logs at a predictable publicly accessible location (wp-content\u002Fuploads\u002Fstickeasy-protected-contact-form\u002Fspcf-log.txt). 
This makes it possible for unauthenticated attackers to download the log file and access sensitive information including visitor IP addresses, email addresses, and comment snippets from contact form submissions that were flagged as spam.",null,"\u003C=1.0.1","1.0.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-02-14 03:25:27",[45],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F86edc116-054f-4962-a57c-0ce7e1b8ff8c?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2025-13973\n\n## 1. Vulnerability Summary\nThe **StickEasy Protected Contact Form** plugin (versions \u003C= 1.0.1) suffers from an unauthenticated sensitive information disclosure vulnerability. The plugin implements a spam detection mechanism that logs details of flagged submissions to a static text file: `wp-content\u002Fuploads\u002Fstickeasy-protected-contact-form\u002Fspcf-log.txt`. Because this file is stored within the public `uploads` directory without a restrictive access control (such as an `.htaccess` deny rule; an empty `index.php` only suppresses directory listings and would not stop a direct request to a known filename), any unauthenticated user can predict the URL and download the log, exposing visitor IP addresses, email addresses, and form content.\n\n## 2. Attack Vector Analysis\n*   **Target Endpoint:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-content\u002Fuploads\u002Fstickeasy-protected-contact-form\u002Fspcf-log.txt`\n*   **Method:** HTTP GET\n*   **Authentication:** None (Unauthenticated)\n*   **Preconditions:** \n    1. The plugin must have processed at least one submission that was flagged as \"spam\".\n    2. The directory `wp-content\u002Fuploads\u002Fstickeasy-protected-contact-form\u002F` must have been created (typically happens upon the first spam event).\n\n## 3. 
Code Flow (Inferred)\nSince source files are not provided, the following flow is inferred from the vulnerability description, the static-analysis entry points listed on this page, and common WordPress plugin patterns:\n\n1.  **Form Submission:** A visitor submits the form rendered by the `[spcf_form]` shortcode (`spcf_render_form`). The submission goes to the `spcf_send` AJAX action, which is registered for both `wp_ajax_` and `wp_ajax_nopriv_`, so unauthenticated visitors can reach it; the handler carries a nonce check but, as expected for a public contact form, no capability check.\n2.  **Spam Detection:** The plugin runs its checks (honeypot, submission time, forbidden word filter, human interaction check). \n3.  **Logging Sink:** If a check fails (spam detected), the plugin calls a logging function.\n    *   It likely uses `wp_upload_dir()` to find the path.\n    *   It writes data to `spcf-log.txt` using `file_put_contents($file, $data, FILE_APPEND)`.\n    *   The data includes `$_SERVER['REMOTE_ADDR']`, the email field, and the message snippet.\n4.  **Exposure:** The file is saved with default permissions in a web-accessible directory, with no `.htaccess` rule or unpredictable filename to restrict direct requests.\n\n## 4. Nonce Acquisition Strategy\nReading the sensitive log file requires **no nonce**, as it is a direct request to a static file served by the webserver (Nginx\u002FApache).\n\nHowever, to **generate** test data (triggering the log entry), the `spcf_send` handler verifies a nonce, so the form submission must carry a valid one.\n1.  **Identify Shortcode:** The tag is `[spcf_form]`, per the plugin description and the shortcode list in the static analysis; confirm with `grep -r \"add_shortcode\" .` in the plugin directory.\n2.  **Identify Nonce Key:** Look for `wp_create_nonce` or `wp_localize_script` in the plugin code. The localized JS globals `spcf_ajax_obj` and `spcf_human` seen in the plugin's fingerprints are the likely carriers of the nonce and the human-interaction token.\n3.  **Strategy:** \n    *   Use `wp-cli` to create a page containing `[spcf_form]`.\n    *   Navigate to the page using `browser_navigate`.\n    *   Extract the nonce (and any human-interaction token) using `browser_eval`.\n    *   Submit the form via `http_request` or `browser_click`.\n\n## 5. Exploitation Strategy\n1.  **Discovery:** Confirm the plugin is active and verify the shortcode tag (`spcf_form`) by grepping the source: `grep -r \"add_shortcode\" .`\n2.  **Environment Setup:** Create a post\u002Fpage containing the form.\n3.  
**Trigger Logging:** \n    *   Analyze the spam detection logic (e.g., search for \"honeypot\" or \"hidden\" fields).\n    *   Submit a form entry that intentionally triggers the spam filter (e.g., filling out a hidden honeypot field or submitting too quickly).\n4.  **Information Retrieval:** Perform a GET request to the log file location.\n\n### Expected HTTP Request (Data Retrieval)\n```http\nGET \u002Fwp-content\u002Fuploads\u002Fstickeasy-protected-contact-form\u002Fspcf-log.txt HTTP\u002F1.1\nHost: localhost\nConnection: close\n```\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `stickeasy-protected-contact-form` version 1.0.1 is installed.\n2.  **Create Page:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Contact Us\" --post_status=publish --post_content='[spcf_form]'\n    ```\n3.  **Identify Spam Trigger:**\n    *   Grep the code for the logging logic: `grep -r \"spcf-log.txt\" .`\n    *   Identify what causes the plugin to write to this file (e.g., if a field named `spcf_honeypot` is not empty).\n\n## 7. Expected Results\n*   **Successful Trigger:** The plugin creates the directory and file in `wp-content\u002Fuploads\u002F`.\n*   **Successful Disclosure:** The HTTP GET request returns a `200 OK` with a response body containing plain text logs, for example (illustrative format only; the real line format must be read from the logging code):\n    ```\n    [2023-10-27 10:00:00] SPAM Detected - IP: 192.168.1.1, Email: victim@example.com, Message: \"Check out this link...\"\n    ```\n\n## 8. Verification Steps\n1.  **Check Filesystem via CLI:**\n    ```bash\n    ls -l \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002Fstickeasy-protected-contact-form\u002Fspcf-log.txt\n    ```\n2.  **Verify Content:**\n    ```bash\n    cat \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002Fstickeasy-protected-contact-form\u002Fspcf-log.txt\n    ```\n3.  
**Confirm Accessibility:** Check the HTTP response status of the direct URL.\n\n## 9. Alternative Approaches\nIf the plugin uses an obscure spam detection method:\n*   **Analysis:** Look for `is_spam` or `check_spam` functions in the code.\n*   **Brute Force:** If the trigger is just \"high frequency\", use a loop to submit multiple requests quickly to see if the log populates.\n*   **Direct Path Check:** If the uploads directory is protected by a generic `.htaccess` (unlikely in default WP), try to see if the plugin provides an admin setting to view logs, which might have its own IDOR or access control flaw.","The StickEasy Protected Contact Form plugin for WordPress (versions up to 1.0.1) stores spam detection logs in a publicly accessible text file within the WordPress uploads directory. This allows unauthenticated attackers to download the log file and access sensitive information including visitor IP addresses, email addresses, and form submission content.","The exploit involves two main steps: first, triggering the creation or update of the log file by submitting a contact form entry that fails the plugin's spam detection logic (such as filling out a hidden honeypot field). Second, an unauthenticated attacker performs a direct HTTP GET request to the predictable file path: `http:\u002F\u002F[target-site]\u002Fwp-content\u002Fuploads\u002Fstickeasy-protected-contact-form\u002Fspcf-log.txt`. 
If successful, the server returns the plain-text log containing PII of previous site visitors.","gemini-3-flash-preview","2026-04-20 23:48:36","2026-04-20 23:49:13",{"slug":57,"display_name":7,"profile_url":8,"plugin_count":58,"total_installs":59,"avg_security_score":60,"avg_patch_time_days":26,"trust_score":60,"computed_at":61},"kasuga16",8,140,100,"2026-05-20T08:31:20.858Z",[63,84,106,122,140],{"slug":64,"name":65,"version":66,"author":67,"author_profile":68,"description":69,"short_description":70,"active_installs":71,"downloaded":72,"rating":73,"num_ratings":74,"last_updated":75,"tested_up_to":76,"requires_at_least":77,"requires_php":23,"tags":78,"homepage":23,"download_link":83,"security_score":60,"vuln_count":11,"unpatched_count":11,"last_vuln_date":36,"fetched_at":28},"wp-anywhere-widgets","WP Anywhere Widgets","4.0","Yudiz Solutions Ltd.","https:\u002F\u002Fprofiles.wordpress.org\u002Fyudiz\u002F","\u003Cp>“WP Anywhere Widgets” is a powerful and user-friendly plugin designed to give you complete control over widget placement on your WordPress site. With this plugin, you can create unique widgets and display them in any desired location—whether it’s posts, pages, sidebars, or custom areas. 
No coding required!\u003C\u002Fp>\n\u003Cp>Create unique widgets and embed them seamlessly across your site—in posts, pages, sidebars, headers, footers, or any custom area—enhancing both functionality and design while improving user engagement.\u003C\u002Fp>\n\u003Ch4>Key Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Classic & Block Widgets Support\u003C\u002Fstrong>: Fully compatible with both the Classic Widgets and Block Widgets editors, making it future-ready and versatile.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Custom Widget Creation\u003C\u002Fstrong>: Easily create widgets tailored to your specific needs.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Display Anywhere\u003C\u002Fstrong>: Embed widgets in posts, pages, headers, footers, sidebars, or custom sections using shortcodes or PHP functions.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Widget Shortcode Page\u003C\u002Fstrong>: Access a dedicated admin page listing all widget shortcodes for easy copy-paste usage on the frontend.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Shortcode Support\u003C\u002Fstrong>: Place widgets anywhere using shortcodes for maximum flexibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Reusable Widgets\u003C\u002Fstrong>: Use the same widget across multiple areas to maintain a consistent look and feel.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Intuitive User Interface\u003C\u002Fstrong>: Manage and edit your widgets through a clean and simple admin interface.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Theme and Plugin Compatibility\u003C\u002Fstrong>: Works seamlessly with most WordPress themes and plugins.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Need Plugin Support?\u003C\u002Fh3>\n\u003Cp>Please submit a request \u003Ca href=\"https:\u002F\u002Fwww.yudiz.com\u002Fwordpress-plugin-support\u002F?plugin=WP%20Anywhere%20Widgets\" rel=\"nofollow ugc\">here\u003C\u002Fa> for Support. 
We will get back to you quickly.\u003C\u002Fp>\n","Create and display widgets anywhere on your site with WP Anywhere Widgets—simple, flexible, and code-free!",700,4997,96,4,"2025-05-27T10:08:00.000Z","6.8.5","3.3",[79,21,80,81,82],"easy-widget","simple-widget","widget","widget-shortcode","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-anywhere-widgets.4.0.zip",{"slug":85,"name":86,"version":87,"author":88,"author_profile":89,"description":90,"short_description":91,"active_installs":92,"downloaded":93,"rating":11,"num_ratings":11,"last_updated":94,"tested_up_to":95,"requires_at_least":96,"requires_php":23,"tags":97,"homepage":102,"download_link":103,"security_score":104,"vuln_count":11,"unpatched_count":11,"last_vuln_date":36,"fetched_at":105},"akm-feedback-form","AKM Feedback Form","1.0.1","Akaal.Media","https:\u002F\u002Fprofiles.wordpress.org\u002Fakaalmedia\u002F","\u003Cp>Install and activate the plugin.\u003Cbr \u002F>\nThen add the [AKMFORM] shorttag in pages and posts to display a simple and easy to use Feedback form. This Plugin is best to use in sidebar. 
All emails are forwarded directly to the admin’s email address\u003Cbr \u002F>\nThis feedback form includes jQuery form validation.\u003C\u002Fp>\n","Just insert the [AKMFORM] shortcode in pages of your WordPress site to display a simple and easy to use Feedback form.",10,2467,"2015-06-28T16:20:00.000Z","4.2.39","3.0.1",[98,99,100,101],"easy-contact-form","easy-to-use","free-feedback-form","simple-contact-form","http:\u002F\u002Fwww.akaalmedia.com\u002Fwordpress-plugins\u002Fakm-Feedback-form.zip","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fakm-feedback-form.1.0.1.zip",85,"2026-04-06T09:54:40.288Z",{"slug":107,"name":108,"version":109,"author":110,"author_profile":111,"description":112,"short_description":113,"active_installs":92,"downloaded":114,"rating":60,"num_ratings":26,"last_updated":115,"tested_up_to":116,"requires_at_least":23,"requires_php":117,"tags":118,"homepage":120,"download_link":121,"security_score":104,"vuln_count":11,"unpatched_count":11,"last_vuln_date":36,"fetched_at":28},"alidani-contact-form","ALIDANI Contact forms","1.4","ehssan1985","https:\u002F\u002Fprofiles.wordpress.org\u002Fehssan1985\u002F","\u003Cp>ALIDANI Contact Forms features:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>► Email delivery    \n► Saves messages into database\n► Printable list of messages\n► Easy to change colour and text of the form\n► Field validation\n► One-click contact form\n► Classic and ajax submission\n► ... 
and more features (see below)\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>The \u003Cstrong>ALIDANI Contact Form\u003C\u002Fstrong> is a powerful and easy WordPress plugin to create \u003Cstrong>contact forms\u003C\u002Fstrong> and \u003Cstrong>send their data to email addresses\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>ALIDANI Contact Form\u003C\u002Fstrong> also \u003Cstrong>saves the contact form data into a database\u003C\u002Fstrong> and offers the option to change the content of the email, with the ability to respond and send the email back.\u003C\u002Fp>\n\u003Ch4>ALIDANI Contact Forms Main Features:\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Email delivery:\u003C\u002Fstrong> The contact form data is sent by email and saved to the WordPress database, with the opportunity to edit the content.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Form data saved into the database:\u003C\u002Fstrong> Avoid losing submissions and keep a record of the received contact form messages.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>List of received messages:\u003C\u002Fstrong> Shows the list of received emails.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Date and time of receiving the emails:\u003C\u002Fstrong> Shows the date and time the email was sent.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Edit the content:\u003C\u002Fstrong> Provides an easy way to edit the email’s content.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Easy to send email:\u003C\u002Fstrong> Provides an easy way to reply to the email.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Form Validation:\u003C\u002Fstrong> Set validation rules for each contact form field. Keep your data clean.\u003C\u002Fli>\n\u003C\u002Ful>\n","Contact form with visual form builder. 
Contact form that sends the data to email, to a database list and easy to update the content.",1855,"2021-09-13T07:13:00.000Z","5.7.15","5.6.25",[119],"simple-contact-form-that-sends-the-data-to-email-and-also-to-a-database-with-easy-way-to-manage-and-response-to-the-emails","https:\u002F\u002Fwww.uniquetechnology.com.au\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Falidani-contact-form.1.4.zip",{"slug":123,"name":124,"version":125,"author":126,"author_profile":127,"description":128,"short_description":129,"active_installs":92,"downloaded":130,"rating":11,"num_ratings":11,"last_updated":131,"tested_up_to":132,"requires_at_least":133,"requires_php":23,"tags":134,"homepage":138,"download_link":139,"security_score":104,"vuln_count":11,"unpatched_count":11,"last_vuln_date":36,"fetched_at":28},"eazy-contact-form","Eazy Contact Form","1.0","NLK Plumbing","https:\u002F\u002Fprofiles.wordpress.org\u002Fnlkplumbings\u002F","\u003Cp>This is a very easy contact form with validation. 
Use shortcode [eazy_contact] for page & for widget [eazy_widget] to display form on page or use the widget to display contact form in sidebar.\u003C\u002Fp>\n\u003Ch4>Our Services as below:\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fnlkplumbing.com.au\u002F\" rel=\"dofollow nofollow ugc\">Plumber Melbourne\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fwww.taylorandsons.com.au\u002F\" rel=\"dofollow nofollow ugc\">Emergency Plumbing Melbourne\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fnlkplumbing.com.au\u002Fblocked-drains-melbourne\u002F\" rel=\"dofollow nofollow ugc\">Blocked Drains Melbourne\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fbestplumbing.com.au\u002F\" rel=\"dofollow nofollow ugc\">Best Plumber Adelaide\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fallmatplumbing.com.au\u002F\" rel=\"dofollow nofollow ugc\">Plumbing Adelaide\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fwww.dohertyplumbingsolutions.com.au\u002F\" rel=\"dofollow nofollow ugc\">Blocked Drains Melbourne\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n","This is a very easy contact form with validation. 
Use shortcode [eazy_contact] for page & for widget [eazy_widget] to display form on page or use  &hellip;",1717,"2018-05-11T10:48:00.000Z","4.7.33","3.7",[18,98,135,136,137],"easy-simple-contact-form","email-form","responsive-contact-form","http:\u002F\u002Fnlkplumbing.com.au\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feazy-contact-form.1.0.zip",{"slug":141,"name":142,"version":143,"author":144,"author_profile":145,"description":146,"short_description":147,"active_installs":92,"downloaded":148,"rating":11,"num_ratings":11,"last_updated":149,"tested_up_to":150,"requires_at_least":151,"requires_php":23,"tags":152,"homepage":154,"download_link":155,"security_score":104,"vuln_count":11,"unpatched_count":11,"last_vuln_date":36,"fetched_at":28},"yeem-contact-form","Yeem Contact Form","1.0.0","kurky17","https:\u002F\u002Fprofiles.wordpress.org\u002Fkurky17\u002F","\u003Cp>This is a very straightforward contact form which comes with the basic elements that we need in our “Contact Us” page.  The form builder interface is unbelievably easy to use!  
It is as simple as CLICK IT, LABEL IT, SAVE IT!\u003Cbr \u002F>\nThe form elements can also be rearranged by drag-and-drop.\u003C\u002Fp>\n\u003Cp>It supports the following fields:\u003Cbr \u002F>\n    *   Text\u003Cbr \u002F>\n    *   Email\u003Cbr \u002F>\n    *   Date (Calendar pop-up)\u003Cbr \u002F>\n    *   Comment\u002FMessage Box\u003Cbr \u002F>\n    *   Drop Down Selection\u003Cbr \u002F>\n    *   Checkboxes\u003Cbr \u002F>\n    *   Radio Buttons\u003C\u002Fp>\n\u003Cp>This is perfect for those who only need a NAME, EMAIL, MESSAGE kind of contact form as well as those who require a lengthy and detailed form for bookings!\u003C\u002Fp>\n\u003Cp>There is also a separate Settings page where you can provide your email address, the confirmation message to your customer, as well as the acknowledgement to your customer after sending the form.\u003C\u002Fp>\n\u003Cp>Currently, it only supports the use of a shortcode [yeem_contact_form] which you can include in your post or page. Only one (1) form is supported.\u003C\u002Fp>\n","Yeem Contact Form is a simple contact form plugin with very easy to use form 
builder.",1141,"2017-08-19T16:28:00.000Z","4.8.28","4.7.5",[18,98,101,153],"yeem","http:\u002F\u002Fwww.michelleanneyee.com\u002Fyeem-contact-form","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fyeem-contact-form.zip",{"attackSurface":157,"codeSignals":183,"taintFlows":207,"riskAssessment":208,"analyzedAt":216},{"hooks":158,"ajaxHandlers":169,"restRoutes":176,"shortcodes":177,"cronEvents":182,"entryPointCount":49,"unprotectedCount":11},[159,165],{"type":160,"name":161,"callback":162,"file":163,"line":164},"action","admin_enqueue_scripts","spcf_enqueue_admin_assets","stickeasy-protected-contact-form.php",22,{"type":160,"name":166,"callback":167,"file":163,"line":168},"admin_menu","closure",503,[170,174],{"action":171,"nopriv":48,"callback":171,"hasNonce":172,"hasCapCheck":48,"file":163,"line":173},"spcf_send",true,327,{"action":171,"nopriv":172,"callback":171,"hasNonce":172,"hasCapCheck":48,"file":163,"line":175},328,[],[178],{"tag":179,"callback":180,"file":163,"line":181},"spcf_form","spcf_render_form",234,[],{"dangerousFunctions":184,"sqlUsage":192,"outputEscaping":194,"fileOperations":74,"externalRequests":11,"nonceChecks":74,"capabilityChecks":26,"bundledLibraries":206},[185,189],{"fn":186,"file":163,"line":187,"context":188},"unserialize",108,"$defaults        = unserialize( SPCF_DEFAULT_OPTIONS_ARRAY );",{"fn":186,"file":163,"line":190,"context":191},589,"$default_options = unserialize( SPCF_DEFAULT_OPTIONS_ARRAY );",{"prepared":11,"raw":11,"locations":193},[],{"escaped":195,"rawEcho":74,"locations":196},70,[197,200,202,204],{"file":163,"line":198,"context":199},295,"raw output",{"file":163,"line":201,"context":199},564,{"file":163,"line":203,"context":199},578,{"file":163,"line":205,"context":199},584,[],[],{"summary":209,"deductions":210},"The \"stickeasy-protected-contact-form\" plugin v1.0.4 has a small attack surface: three entry points, none of them unprotected. The static analysis found no SQL queries at all (neither prepared nor raw), so SQL injection does not apply to this plugin; 70% of outputs are escaped, and the four raw-output locations in stickeasy-protected-contact-form.php (lines 295, 564, 578 and 584) should be reviewed to confirm the echoed values are not user-controlled. 
The form submission handler, the spcf_send AJAX action, is registered for both logged-in and unauthenticated (nopriv) requests, which is expected for a public contact form; it verifies a nonce but performs no capability check, so its input handling is the main publicly reachable code path. In total the plugin performs four nonce checks and one capability check, four file operations, and no external HTTP requests.\n\nThe two \"unserialize\" calls (lines 108 and 589) both deserialize SPCF_DEFAULT_OPTIONS_ARRAY, a plugin-defined PHP constant used to seed default options, not request, database or user-supplied data. In the code shown there is therefore no attacker-controlled input reaching the deserializer, and the pattern is a code-quality deduction rather than a reachable object-injection path; it would only become exploitable if that constant were ever built from untrusted input. Replacing the serialized constant with a plain PHP array literal removes the pattern entirely. No unsanitized taint flows were identified.\n\nThe plugin's vulnerability history holds one medium-severity CVE (CVE-2025-13973): spam-detection logs containing visitor IP addresses, email addresses and message snippets were written to a predictable, publicly readable path under wp-content\u002Fuploads\u002F. It was patched in 1.0.2, with a recorded patch time of one day. 
Since the plugin still performs file operations, the check that matters for the current version is that no visitor data is written to a web-reachable path without an access restriction (an .htaccess deny rule, storage outside the web root, or at minimum an unguessable filename). With that confirmed and the serialized constant replaced, the remaining risk is low.",[211,214],{"reason":212,"points":213},"Use of unserialize function",15,{"reason":215,"points":92},"Past medium severity CVE","2026-03-17T06:01:55.256Z",{"wat":218,"direct":228},{"assetPaths":219,"generatorPatterns":222,"scriptPaths":223,"versionParams":225},[220,221],"\u002Fwp-content\u002Fplugins\u002Fstickeasy-protected-contact-form\u002Fassets\u002Fspcf-style.css","\u002Fwp-content\u002Fplugins\u002Fstickeasy-protected-contact-form\u002Fassets\u002Fspcf-script.js",[],[224],"\u002Fwp-content\u002Fplugins\u002Fstickeasy-protected-contact-form\u002Fassets\u002Fspcf-helper.js",[226,227],"stickeasy-protected-contact-form\u002Fassets\u002Fspcf-style.css?ver=1.0.0","stickeasy-protected-contact-form\u002Fassets\u002Fspcf-script.js?ver=1.0.0",{"cssClasses":229,"htmlComments":230,"htmlAttributes":231,"restEndpoints":232,"jsGlobals":233,"shortcodeOutput":236},[],[],[],[],[234,235],"spcf_ajax_obj","spcf_human",[237],"\u003Cform id=\"spcf-form\" method=\"post\">",{"error":172,"url":239,"statusCode":240,"statusMessage":241,"message":241},"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fstickeasy-protected-contact-form\u002Fbundle",404,"no bundle for this plugin 
yet",{"slug":4,"current_version":6,"total_versions":74,"versions":243},[244,249,255,262],{"version":6,"download_url":24,"svn_tag_url":245,"released_at":36,"has_diff":48,"diff_files_changed":246,"diff_lines":36,"trac_diff_url":247,"vulnerabilities":248,"is_current":172},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Fstickeasy-protected-contact-form\u002Ftags\u002F1.0.4\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fstickeasy-protected-contact-form%2Ftags%2F1.0.2&new_path=%2Fstickeasy-protected-contact-form%2Ftags%2F1.0.4",[],{"version":38,"download_url":250,"svn_tag_url":251,"released_at":36,"has_diff":48,"diff_files_changed":252,"diff_lines":36,"trac_diff_url":253,"vulnerabilities":254,"is_current":48},"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fstickeasy-protected-contact-form.1.0.2.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fstickeasy-protected-contact-form\u002Ftags\u002F1.0.2\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fstickeasy-protected-contact-form%2Ftags%2F1.0.1&new_path=%2Fstickeasy-protected-contact-form%2Ftags%2F1.0.2",[],{"version":87,"download_url":256,"svn_tag_url":257,"released_at":36,"has_diff":48,"diff_files_changed":258,"diff_lines":36,"trac_diff_url":259,"vulnerabilities":260,"is_current":48},"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fstickeasy-protected-contact-form.1.0.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fstickeasy-protected-contact-form\u002Ftags\u002F1.0.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fstickeasy-protected-contact-form%2Ftags%2F1.0.0&new_path=%2Fstickeasy-protected-contact-form%2Ftags%2F1.0.1",[261],{"id":32,"url_slug":33,"title":34,"severity":39,"cvss_score":40,"vuln_type":42,"patched_in_version":38},{"version":143,"download_url":263,"svn_tag_url":264,"released_at":36,"has_diff":48,"diff_files_changed":265,"diff_lines":36,"trac_diff_url":36,"vulnerabilities":266,"is_current":48},"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fstickeasy-protected-contact-form.1.0.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fstickeasy-protected-contact-form\u002Ftags\u002F1.0.0\u002F",[],[267],{"id":32,"url_slug":33,"title":34,"severity":39,"cvss_score":40,"vuln_type":42,"patched_in_version":38}]
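Added example, not part of the page's data or of the plugin: a small checker for the verification step the research plan above describes (confirming whether the spam log is publicly readable). Only the log path comes from the advisory on this page; the classification rules, the soft-404 handling, the redaction regexes and the sample responses are assumptions constructed for this example.

```python
"""Added example (not from the page or the plugin): check whether a WordPress site
exposes the StickEasy spam log described in CVE-2025-13973.

Only LOG_PATH comes from the advisory. Everything else here (the verdict rules,
the redaction patterns, the sample responses) is an assumption made for this example.
"""
import re
import urllib.error
import urllib.request
from typing import NamedTuple

LOG_PATH = "/wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt"


class Verdict(NamedTuple):
    state: str   # "exposed", "absent", "denied" or "soft-404"
    reason: str


def classify(status: int, content_type: str, body: bytes) -> Verdict:
    """Decide from a raw HTTP response whether the log file is readable.

    A plain-text 200 is the disclosure. A 200 whose body is HTML is almost always a
    theme 'page not found' page served with the wrong status (a soft 404), which a
    naive status-only check would misreport as a finding.
    """
    if status in (401, 403):
        return Verdict("denied", f"HTTP {status}: blocked by an access rule")
    if status == 404:
        return Verdict("absent", "HTTP 404: no spam log at the predictable path")
    if status != 200:
        return Verdict("absent", f"HTTP {status}: unexpected status")
    head = body.lstrip()[:256].lower()
    if "html" in content_type.lower() or head.startswith((b"<!doctype", b"<html")):
        return Verdict("soft-404", "HTTP 200 with an HTML body: treat as not found")
    if not body.strip():
        return Verdict("absent", "HTTP 200 with an empty body: file present, no entries")
    return Verdict("exposed", f"HTTP 200, {len(body)} bytes of plain text readable without authentication")


# Assumed patterns for masking the kinds of PII the advisory says the log holds.
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def redact(text: str) -> str:
    """Mask IPs and e-mail addresses so a finding can be reported without re-leaking PII."""
    text = _IPV4.sub("[ip]", text)
    return _EMAIL.sub("[email]", text)


def probe(base_url: str, timeout: float = 10.0) -> Verdict:
    """Fetch the log path from a live site (only one you are authorised to test) and classify it."""
    url = base_url.rstrip("/") + LOG_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "spcf-log-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Content-Type", ""), resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers.get("Content-Type", ""), err.read())


# Constructed sample responses (not captured from any real site), one per branch.
SAMPLES = {
    "exposed":  (200, "text/plain", b"2026-01-01 12:00:00 spam ip=203.0.113.7 email=bot@example.net msg=buy now\n"),
    "soft-404": (200, "text/html; charset=UTF-8", b"<!DOCTYPE html><html><body>Page not found</body></html>"),
    "denied":   (403, "text/html", b"<h1>Forbidden</h1>"),
    "absent":   (404, "text/html", b"<h1>Not Found</h1>"),
}


def run_samples() -> dict:
    """Classify every constructed sample; returns {sample name: verdict state}."""
    return {name: classify(*resp).state for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, (status, ctype, body) in SAMPLES.items():
        v = classify(status, ctype, body)
        print(f"{name:9s} -> {v.state:9s} {v.reason}")
    print(redact(SAMPLES["exposed"][2].decode()))
    # Live use against a site you are authorised to test: print(probe("https://example.com"))
```

The soft-404 branch is the part worth keeping: many WordPress themes answer unknown paths with a 200 and an HTML "not found" page, so a scanner that only compares status codes will report every site as vulnerable.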