[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fjZJgeaFfQJDNNI2QBH1kyioc--Hsiqm9CN-VLUziX5o":3,"$feM7N_z_nJHo1EvpbOQtW946onVXv9dWU1bOV-LmbZgM":348,"$fPo9aickLYZY6QkVjmgCgopXcw4dLVlnvhQZsFNv2fGc":352},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":22,"download_link":23,"security_score":24,"vuln_count":25,"unpatched_count":25,"last_vuln_date":26,"fetched_at":27,"discovery_status":28,"vulnerabilities":29,"developer":56,"crawl_stats":35,"alternatives":62,"analysis":174,"fingerprints":324},"sticky","Sticky","2.5.6","cvmh","https:\u002F\u002Fprofiles.wordpress.org\u002Fcvmh\u002F","\u003Cp>Adds sticky support for pages and\u002For custom posts.\u003C\u002Fp>\n\u003Ch4>Current features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Easy to use\u003C\u002Fli>\n\u003Cli>Shortcode & Widget\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Looking for a WordPress agency? 
Contact us: \u003Ca href=\"http:\u002F\u002Fwww.agence-web-cvmh.fr\" rel=\"nofollow ugc\">agence web WordPress\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>How to uninstall Sticky\u003C\u002Fh3>\n\u003Cp>To uninstall Sticky, you just have to de-activate the plugin from the plugins list.\u003C\u002Fp>\n","Adds sticky support for pages and\u002For custom posts.",70,7109,100,2,"2022-01-26T19:40:00.000Z","5.9.13","3.6","",[20,4,21],"pages","widget","http:\u002F\u002Fwww.agence-web-cvmh.fr","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsticky.zip",63,1,"2026-05-19 12:04:07","2026-04-16T10:56:18.058Z","no_bundle",[30],{"id":31,"url_slug":32,"title":33,"description":34,"plugin_slug":4,"theme_slug":35,"affected_versions":36,"patched_in_version":35,"severity":37,"cvss_score":38,"cvss_vector":39,"vuln_type":40,"published_date":26,"updated_date":41,"references":42,"days_to_patch":35,"patch_diff_files":44,"patch_trac_url":35,"research_status":45,"research_verified":46,"research_rounds_completed":47,"research_plan":48,"research_summary":49,"research_vulnerable_code":50,"research_fix_diff":51,"research_exploit_outline":52,"research_model_used":53,"research_started_at":54,"research_completed_at":55,"research_error":35,"poc_status":35,"poc_video_id":35,"poc_summary":35,"poc_steps":35,"poc_tested_at":35,"poc_wp_version":35,"poc_php_version":35,"poc_playwright_script":35,"poc_exploit_code":35,"poc_has_trace":46,"poc_model_used":35,"poc_verification_depth":35},"CVE-2026-6397","sticky-authenticated-contributor-stored-cross-site-scripting-via-readmoretext-shortcode-attribute","Sticky \u003C= 2.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'readmoretext' Shortcode Attribute","The Sticky plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `cvmh-sticky` shortcode `readmoretext` attribute in versions up to and including 2.5.6. 
This is due to insufficient input sanitization and output escaping in the `cvmh_sticky_front_render()` function — the `readmoretext` attribute value is passed through `apply_filters()` and directly concatenated into the HTML output without any escaping function such as `esc_html()`. This makes it possible for authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a page containing the injected shortcode.",null,"\u003C=2.5.6","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-20 01:25:46",[43],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F135783c5-8175-4775-a013-f1e2bef04479?source=api-prod",[],"researched",false,3,"This research plan outlines the methodology for verifying the Stored Cross-Site Scripting (XSS) vulnerability in the **Sticky** plugin (versions \u003C= 2.5.6).\n\n## 1. Vulnerability Summary\nThe Sticky plugin fails to sanitize or escape the `readmoretext` attribute within the `[cvmh-sticky]` shortcode. The vulnerability exists in the `cvmh_sticky_front_render()` function, which processes the shortcode attributes and generates the HTML for the frontend. The attribute is passed through WordPress filters and directly concatenated into the output string. Because no output escaping (like `esc_html()` or `esc_attr()`) is applied to this specific attribute, a Contributor-level user can inject arbitrary HTML and JavaScript.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress Post Editor (Gutenberg or Classic) or the REST API.\n*   **Vulnerable Component:** `[cvmh-sticky]` shortcode.\n*   **Vulnerable Attribute:** `readmoretext`.\n*   **Authentication:** Required (Contributor or higher).\n*   **Vector:** Stored XSS. 
The payload is saved in the `post_content` of a WordPress post\u002Fpage and executes when the post is viewed or previewed.\n*   **Impact:** If an Administrator views or previews the post containing the payload, the attacker can execute scripts in the Admin's session, potentially leading to unauthorized user creation or site configuration changes (for example by calling the REST API with the Admin's `wp_rest` nonce). WordPress sets its authentication cookies with the HttpOnly flag, so the script cannot read them directly; the abuse happens through the victim's live session rather than through cookie theft.\n\n## 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers the `cvmh-sticky` shortcode when it loads. The advisory names `cvmh_sticky_front_render()` as the rendering function, while the static-analysis fingerprints on this page record the registered callback as `cvmh_sticky_front_shortcode` in `includes\u002Fshortcode.php`; the advisory's name is kept below, and the two are assumed to be a wrapper and its worker:\n    `add_shortcode('cvmh-sticky', 'cvmh_sticky_front_render');`\n2.  **Attribute Handling:** The `cvmh_sticky_front_render($atts)` function receives the user-provided attributes.\n3.  **Processing:** The code likely extracts the `readmoretext` attribute:\n    `$read_more = isset($atts['readmoretext']) ? $atts['readmoretext'] : 'Read More';`\n4.  **Filtering:** The value may be passed through `apply_filters()`, which only invokes whatever callbacks are hooked and performs no sanitization of its own.\n5.  **Sink:** The value is concatenated into an HTML string:\n    `$output .= '\u003Cdiv class=\"cvmh-read-more\">' . $read_more . '\u003C\u002Fdiv>';`\n6.  **Return:** The unescaped `$output` is returned to WordPress for rendering.\n\n## 4. Nonce Acquisition Strategy\nTo exploit this via the WordPress UI or REST API as a Contributor, a nonce is required to save the post.\n\n### REST API Method (Recommended for Automation)\n1.  **Identify Nonce:** Cookie-authenticated REST requests must carry a `wp_rest` nonce in the `X-WP-Nonce` header. It is exposed as `wpApiSettings.nonce` on admin screens that load the `wp-api-request` script (the post editor is one), and in the block editor it is also reachable as `wp.apiFetch.nonceMiddleware.nonce`.\n2.  **Acquisition:**\n    *   Navigate to the post editor (`\u002Fwp-admin\u002Fpost-new.php`) as a Contributor.\n    *   Execute via `browser_eval`: `window.wpApiSettings.nonce` (or `wp.apiFetch.nonceMiddleware.nonce`).\n3.  **Post Creation:** Use the acquired nonce in the `X-WP-Nonce` header to create a post containing the payload.\n\n### Legacy Post Editor Method\n1.  **Identify Nonce:** The standard post editor uses a hidden field named `_wpnonce`.\n2.  
**Acquisition:**\n    *   Navigate to `\u002Fwp-admin\u002Fpost-new.php`.\n    *   Execute via `browser_eval`: `document.querySelector('#_wpnonce').value`.\n\n## 5. Exploitation Strategy\nThe goal is to store the payload and then trigger its execution.\n\n### Step 1: Authentication\nAuthenticate as a user with the **Contributor** role.\n\n### Step 2: Payload Injection (via HTTP Request)\nUse the `http_request` tool to create a new post containing the malicious shortcode.\n\n**Request Template (REST API):**\n*   **Method:** `POST`\n*   **URL:** `https:\u002F\u002F[target]\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts`\n*   **Headers:**\n    *   `Content-Type: application\u002Fjson`\n    *   `X-WP-Nonce: [REST_NONCE]`\n*   **Body:**\n```json\n{\n  \"title\": \"Sticky XSS Test\",\n  \"content\": \"[cvmh-sticky readmoretext='\u003Cimg src=x onerror=alert(document.domain)>']\",\n  \"status\": \"pending\"\n}\n```\n*Note: Contributors lack the `publish_posts` capability, so the REST API rejects `\"status\": \"publish\"`; use `\"pending\"` (or `\"draft\"`). Contributors also lack `unfiltered_html`, so WordPress runs `wp_kses_post()` over the content on save, and kses strips `on*` event-handler attributes from the HTML tags it recognizes, including the `onerror` in this payload. Re-read the stored `post_content` after the request (section 8); if the handler is gone, switch to a payload that contains no `\u003C`, such as the attribute-context breakout in section 9, or confirm the sink first with an account that has `unfiltered_html` before refining the payload.*\n\n### Step 3: Triggering the XSS\n1.  Obtain the ID of the created post from the response.\n2.  Navigate to the preview URL: `https:\u002F\u002F[target]\u002F?p=[POST_ID]&preview=true`. Previewing a pending post requires the `edit_post` capability for that post, so the link works for the Contributor who wrote it and for any Editor or Administrator who opens it.\n3.  Observe the execution of `alert(document.domain)`.\n\n## 6. Test Data Setup\n1.  **Plugin Installation:** Ensure the **Sticky** plugin (version \u003C= 2.5.6) is active.\n2.  **User Creation:** Create a user with the `contributor` role.\n    *   `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`\n3.  **Target Page:** No specific page is required; the attacker creates their own.\n\n## 7. Expected Results\n*   The HTTP request to create the post should return `201 Created`.\n*   The HTML source of the preview page should contain:\n    `\u003Cdiv class=\"...\">\u003Cimg src=x onerror=alert(document.domain)>\u003C\u002Fdiv>` (exact class names inferred).\n*   The browser should trigger an alert box showing the domain name.\n\n## 8. 
Verification Steps (Post-Exploit)\nConfirm the payload is stored correctly in the database using WP-CLI:\n```bash\nwp post get [POST_ID] --field=post_content\n```\nCheck that the output still contains the shortcode attribute exactly as submitted. If it shows `\u003Cimg src=\"x\">` with the `onerror` handler removed, `wp_kses_post()` sanitized the content on save because the Contributor lacks `unfiltered_html`, and the payload has to be reworked (see section 9).\n\n## 9. Alternative Approaches\n### Double Quote Breakout\nIf the plugin places the attribute value inside an HTML attribute (e.g., `value=\"...\"`) instead of a tag body, use:\n`[cvmh-sticky readmoretext='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`\nThat variant only survives saving for a user with `unfiltered_html`; for a Contributor use a breakout with no `\u003C`, which kses leaves untouched:\n`[cvmh-sticky readmoretext='\" onmouseover=\"alert(1)']`\n\n### Event Handler Injection\nIf simple script tags are filtered by an intermediary WAF (but not the plugin), use event handlers:\n`[cvmh-sticky readmoretext='\u003Ca onmouseover=alert(1)>Hover Me\u003C\u002Fa>']`\nNote that `wp_kses_post()` strips `onmouseover` from an `\u003Ca>` tag just as it strips `onerror` from `\u003Cimg>`, so this variant also needs a user with `unfiltered_html`.","The Sticky plugin for WordPress (versions \u003C= 2.5.6) is vulnerable to Stored Cross-Site Scripting via the 'readmoretext' attribute of the [cvmh-sticky] shortcode. This occurs because the plugin fails to escape the attribute's value before concatenating it into the HTML output, allowing authenticated users with Contributor-level access to execute arbitrary scripts in the session of an administrative user.","\u002F\u002F File: sticky.php (inferred; this page's fingerprints place the shortcode callback in includes\u002Fshortcode.php)\nfunction cvmh_sticky_front_render($atts) {\n    $atts = shortcode_atts( array(\n        'readmoretext' => 'Read More',\n    ), $atts );\n\n    \u002F\u002F The attribute is passed through filters but remains unsanitized\n    $read_more = apply_filters('cvmh_sticky_read_more_text', $atts['readmoretext']);\n\n    \u002F\u002F ... \n\n    \u002F\u002F Vulnerability: Concatenation of unsanitized attribute into HTML output\n    $output .= '\u003Cdiv class=\"cvmh-read-more\">' . $read_more . '\u003C\u002Fdiv>';\n\n    return $output;\n}","--- a\u002Fsticky.php\n+++ b\u002Fsticky.php\n@@ -XX,7 +XX,7 @@\n-    $output .= '\u003Cdiv class=\"cvmh-read-more\">' . $read_more . '\u003C\u002Fdiv>';\n+    $output .= '\u003Cdiv class=\"cvmh-read-more\">' . esc_html($read_more) . '\u003C\u002Fdiv>';","1. 
Authenticate to the WordPress dashboard with a Contributor-level account.\n2. Create a new post or edit an existing draft.\n3. Insert the [cvmh-sticky] shortcode with a malicious 'readmoretext' attribute, for example: [cvmh-sticky readmoretext='\u003Cimg src=x onerror=alert(document.domain)>'].\n4. Save the post as 'Pending Review' or a Draft.\n5. When an administrator views the post preview, the JavaScript payload in the 'readmoretext' attribute executes in their browser context.","gemini-3-flash-preview","2026-05-20 17:03:51","2026-05-20 17:04:37",{"slug":7,"display_name":7,"profile_url":8,"plugin_count":57,"total_installs":58,"avg_security_score":59,"avg_patch_time_days":60,"trust_score":59,"computed_at":61},5,180,81,30,"2026-06-02T23:34:46.322Z",[63,87,109,131,152],{"slug":64,"name":65,"version":66,"author":67,"author_profile":68,"description":69,"short_description":70,"active_installs":71,"downloaded":72,"rating":73,"num_ratings":74,"last_updated":75,"tested_up_to":76,"requires_at_least":17,"requires_php":77,"tags":78,"homepage":83,"download_link":84,"security_score":13,"vuln_count":25,"unpatched_count":85,"last_vuln_date":86,"fetched_at":27},"sticky-menu-or-anything-on-scroll","Sticky Menu & Sticky Header","2.35","WebFactory","https:\u002F\u002Fprofiles.wordpress.org\u002Fwebfactory\u002F","\u003Cp>The \u003Ca href=\"https:\u002F\u002Fwpsticky.com\u002F\" rel=\"nofollow ugc\">WP Sticky\u003C\u002Fa> Menu (or Sticky Header) On Scroll plugin allows you to \u003Cstrong>make any element on your pages “sticky”\u003C\u002Fstrong> as soon as it hits the top of the page when you scroll down. Although this is commonly used to keep menus at the top of your page to create floating menus, the plugin allows you to make any element sticky. 
Make a sticky header, sticky menu, sticky widget (fixed widget), sticky logo, sticky call to action or a floating menu.\u003C\u002Fp>\n\u003Cp>You just need to know how to pick the right selector for the element you want to make sticky, and you need to be sure it’s a unique selector. Sometimes a simple selector like “nav”, “#main-menu”, “.menu-main-menu-1” is enough. Other times you will have to be more detailed and use a more specific selector such as “header > ul:first-child” or “nav.top .menu-header ul.main”. If you don’t like messing with any code, check out the visual element picker in \u003Ca href=\"https:\u002F\u002Fwpsticky.com\u002F\" rel=\"nofollow ugc\">WP Sticky PRO\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Any element can stick\u003C\u002Fstrong>: although the common use is for navigation menus or headers, the plugin will let you pick any unique element with a name, class or ID to stick at the top of the page once you scroll past it. Use it for a sticky widget, sticky sidebar, sticky header, sticky menu, sticky call-to-action box, sticky banner ad, etc. Need to make \u003Ca href=\"https:\u002F\u002Fwpsticky.com\u002F\" rel=\"nofollow ugc\">multiple elements sticky\u003C\u002Fa>? Check out WP Sticky PRO.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Positioning from top\u003C\u002Fstrong>: optionally, you can add any amount of space between the sticky element and the top of the page, so that the element is not always stuck at the “ceiling” of the page.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Enable for certain screen sizes only\u003C\u002Fstrong>: optionally, you can set a minimum and\u002For maximum screen size where the stickiness should work. 
This can be handy if you have a responsive site and you don’t want your element to be sticky on smaller screens, for example.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Enable only on some pages\u003C\u002Fstrong>: sometimes you don’t want the element to be sticky on the entire site. \u003Ca href=\"https:\u002F\u002Fwpsticky.com\u002F\" rel=\"nofollow ugc\">WP Sticky PRO\u003C\u002Fa> gives you the option to pick posts, pages, categories, tags and CPTs where you don’t want the element to be sticky.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Push-up element\u003C\u002Fstrong>: optionally, you can pick any other element lower on the page that will push the sticky element up again (for example a sidebar widget).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Admin Bar aware\u003C\u002Fstrong>: checks if the current user has an Admin Toolbar at the top of the page. If so, the sticky element will not obscure it (or be obscured by it).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Z-index\u003C\u002Fstrong>: in case there are other elements on the page that obscure or peek through your sticky element, you can add a Z-index easily.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Legacy Mode\u003C\u002Fstrong>: in 2.0, a new method of making things sticky was introduced. In Legacy Mode, the old method will be used. See FAQ for details.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Dynamic Mode\u003C\u002Fstrong>: some issues that frequently appear in responsive themes have been addressed by adding a Dynamic Mode (Legacy Mode only). See FAQ for details.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Debug Mode:\u003C\u002Fstrong> find out possible reasons why your element doesn’t stick by switching on Debug Mode, and error messages will appear in your browser’s console.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Having \u003Cstrong>problems with SSL\u003C\u002Fstrong>? Moving a site from HTTP to HTTPS? 
Install our free \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwp-force-ssl\u002F\" rel=\"ugc\">WP Force SSL\u003C\u002Fa> plugin. It’s a great way to fix all SSL problems.\u003C\u002Fp>\n\u003Ch4>GDPR compatibility\u003C\u002Fh4>\n\u003Cp>We are not lawyers. Please do not take any of the following as legal advice.\u003Cbr \u002F>\nSticky does not track, collect or process any user data on the front end or in the admin. Nothing is logged or pushed to any 3rd parties. We also don’t use any 3rd party services or CDNs. Based on that, we feel it’s GDPR compatible, but again, please, don’t take this as legal advice.\u003C\u002Fp>\n","Sticky Menu or Sticky Header sticks elements at the top of the screen when you scroll, or create a floating sticky menu or fixed widget.",100000,1821049,94,758,"2026-04-15T19:35:00.000Z","7.0","5.2",[79,4,80,81,82],"floating-menu","sticky-header","sticky-menu","sticky-widget","https:\u002F\u002Fwpsticky.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsticky-menu-or-anything-on-scroll.2.35.zip",0,"2020-09-08 00:00:00",{"slug":88,"name":89,"version":90,"author":91,"author_profile":92,"description":93,"short_description":94,"active_installs":95,"downloaded":96,"rating":73,"num_ratings":97,"last_updated":98,"tested_up_to":99,"requires_at_least":100,"requires_php":101,"tags":102,"homepage":106,"download_link":107,"security_score":108,"vuln_count":85,"unpatched_count":85,"last_vuln_date":35,"fetched_at":27},"q2w3-fixed-widget","Fixed Widget and Sticky Elements for WordPress","6.2.3","monetizemore","https:\u002F\u002Fprofiles.wordpress.org\u002Fmonetizemore\u002F","\u003Cp>Use Fixed Widget to create sticky widgets, sticky blocks, and other elements that stay in the visible screen area when a user scrolls the page up or down.\u003C\u002Fp>\n\u003Cp>Sticky widgets are more visible than unfixed widgets and therefore have a significantly higher click-through rate.\u003C\u002Fp>\n\u003Cp>That’s why this option 
is worthwhile for ads or other elements that visitors should interact with. Meanwhile, Google also allows the integration of \u003Ca href=\"https:\u002F\u002Fwpadvancedads.com\u002Fgoogle-adsense-sticky-ads\u002F\" rel=\"nofollow ugc\">sticky AdSense ads\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwpadvancedads.com\u002Ffixed-widget-wordpress\u002F\" rel=\"nofollow ugc\">Manual and demo\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cp>Fixed Widget is completely free of charge.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Sticky Widgets\u003C\u002Fstrong> Use the Fixed Widget option on any widget or block in the sidebar\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Sticky Elements\u003C\u002Fstrong> Choose any element on your site and make it sticky\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Margin Top\u003C\u002Fstrong> keeps sticky elements from covering floating menu bars\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Margin Bottom\u003C\u002Fstrong> pushes sticky elements up before they come within a certain distance of the bottom of the window\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Stop Elements\u003C\u002Fstrong> push sticky elements up when they scroll into view\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Stop Blocks\u003C\u002Fstrong> defines blocks in your sidebar that push fixed blocks out of the page\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Minimum Screen Width\u003C\u002Fstrong> and \u003Cstrong>Minimum Screen Height\u003C\u002Fstrong> allow you to disable sticky behavior on small screens\u003C\u002Fli>\n\u003Cli>Written in plain JavaScript for better performance\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Compatibility\u003C\u002Fh4>\n\u003Cp>Theme requirements:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ccode>wp_head()\u003C\u002Fcode> and \u003Ccode>wp_footer()\u003C\u002Fcode> functions in \u003Ccode>header.php\u003C\u002Fcode> and \u003Ccode>footer.php\u003C\u002Fcode> 
files\u003C\u002Fli>\n\u003Cli>JavaScript errors could break sticky widgets\u003C\u002Fli>\n\u003C\u002Ful>\n","More attention and a higher ad performance with fixed sticky widgets.",90000,2293806,261,"2023-03-30T07:15:00.000Z","6.2.9","5.0","7.2",[103,104,105,82,21],"ads","fixed-widget","sidebar","https:\u002F\u002Fwpadvancedads.com\u002Ffixed-widget-wordpress\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fq2w3-fixed-widget.6.2.3.zip",85,{"slug":110,"name":111,"version":112,"author":113,"author_profile":114,"description":115,"short_description":116,"active_installs":117,"downloaded":118,"rating":73,"num_ratings":119,"last_updated":120,"tested_up_to":121,"requires_at_least":122,"requires_php":18,"tags":123,"homepage":127,"download_link":128,"security_score":129,"vuln_count":25,"unpatched_count":85,"last_vuln_date":130,"fetched_at":27},"widgets-on-pages","Widgets on Pages","1.9.0","toddhalfpenny","https:\u002F\u002Fprofiles.wordpress.org\u002Ftoddhalfpenny\u002F","\u003Cp>The easiest, and highest rated way to Add Widgets to Posts and\u002For Pages. Create unlimited dynamic sidebars (widget areas) and insert these into a WordPress post or page.\u003C\u002Fp>\n\u003Cp>Create as many widget areas (Turbo Sidebars) from the settings menu, and these can be used multiple times.\u003C\u002Fp>\n\u003Cp>Each sidebar can be called independently by a shortcode, and you can call more than one per post\u002Fpage.\u003C\u002Fp>\n\u003Cp>Sidebars can be included in the post\u002Fpage by using a shortcode like the following, where \u003Ccode>x\u003C\u002Fcode> is the name of the sidebar.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[widgets_on_pages id=x]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cblockquote>\n\u003Cp>With the \u003Ca href=\"https:\u002F\u002Fdatamad.co.uk\u002Fwordpress-plugins\u002Fwidgets-on-pages\u002F\" rel=\"nofollow ugc\">PRO\u003C\u002Fa> version the widgets can be inserted simply with clicks-not-code using a wizard in the visual editor. 
This version also includes layout options to easily set the widgets in a columns\u002Fgrid presentation.\u003C\u002Fp>\n\u003Cp>The Pro version also supports a configurable option to automatically add widgets to all your posts and\u002For pages. Choose the layout options and whether to add the sidebar and widgets before or after the content. Ideal for adding lists of related posts to the end of every post. Each post and page can also be individually excluded from the auto-inclusion of the widgets.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fdatamad.co.uk\u002Fwordpress-plugins\u002Fwidgets-on-pages\u002F\" rel=\"nofollow ugc\">Pro version\u003C\u002Fa> key features\u003Cbr \u002F>\n  * Responsive Horizontal\u002FColumn\u002FGrid layout\u003Cbr \u002F>\n  * Auto insert in Header, Content, or Footer\u003Cbr \u002F>\n  * Priority Support\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cp>\u003Cstrong>Basic In-Content Instructions\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Create a Turbo Sidebar; these are your special widget containers\u003C\u002Fli>\n\u003Cli>Add widgets to the Turbo Sidebar in the same way as you do for normal sidebars\u003C\u002Fli>\n\u003Cli>If using the visual editor, use the Add Turbo Sidebar button to add the Shortcode into your post or page where you’d like it to appear.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>The sidebars can also be added to any theme, using template tags. 
This is an ace way to add widgets\u002Fsidebars to a theme’s header and footer (or any other part of a theme).\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Demo Video\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002Fw2LfCihCqRI?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Current Features Include\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Highest Rating – 122 5* Reviews\u003C\u002Fli>\n\u003Cli>No Coding needed\u003C\u002Fli>\n\u003Cli>Create unlimited sidebars\u003C\u002Fli>\n\u003Cli>Place them in posts\u002Fpages\u002Fcustom post types\u003C\u002Fli>\n\u003Cli>Add to themes using template tags\u003C\u002Fli>\n\u003Cli>Works with ALL widgets and themes (let us know if you have an issue)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Recent Reviews\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>∗ ∗ ∗ ∗ ∗\u003C\u002Fstrong>  Just purchased PRO version and well worth the money. 
– \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Ftopic\u002Fextremely-useful-plugin-19\u002F\" rel=\"ugc\">@artmuns\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>∗ ∗ ∗ ∗ ∗\u003C\u002Fstrong> Works as advertised + timely response to support request – \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Ftopic\u002Fworks-as-advertised-timely-response-to-support-request\u002F\" rel=\"ugc\">@3cstudio\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>∗ ∗ ∗ ∗ ∗\u003C\u002Fstrong> Saving me HOURS of work – \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Ftopic\u002Fsaving-me-hours-of-work\u002F\" rel=\"ugc\">@andynick\u003C\u002Fa>\u003C\u002Fp>\n","The easiest and highest rated way to Add Widgets or Sidebars to Posts and Pages using Visual editor,  shortcodes or template tags.",20000,671267,161,"2024-11-13T11:11:00.000Z","6.7.0","2.8",[20,105,124,125,126],"widgets","widgets-in-page","widgets-in-post","https:\u002F\u002Fdatamad.co.uk\u002Fwordpress-plugins\u002Fwidgets-on-pages\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwidgets-on-pages.zip",92,"2023-01-17 00:00:00",{"slug":132,"name":133,"version":134,"author":135,"author_profile":136,"description":137,"short_description":138,"active_installs":139,"downloaded":140,"rating":11,"num_ratings":14,"last_updated":141,"tested_up_to":142,"requires_at_least":143,"requires_php":18,"tags":144,"homepage":148,"download_link":149,"security_score":150,"vuln_count":14,"unpatched_count":85,"last_vuln_date":151,"fetched_at":27},"essential-widgets","Essential Widgets","3.0.1","Catch Themes","https:\u002F\u002Fprofiles.wordpress.org\u002Fcatchthemes\u002F","\u003Cp>Essential Widgets – a free WordPress plugin for widgets allows you to create and add interesting widgets on your website to make it more attractive and welcoming. 
Essential Widgets stays true to the essence of its name and offers exactly what you expect from a widgets plugin—all the “essential” widgets for your website. The plugin has been crafted beautifully to draw extra attention to the important parts of your website. Essential Widgets provides you with the ability to have more control over the widgets with the various customization options. This free WordPress plugin for widgets allows you to create 7 different interesting widgets on your website. All 7 widgets come with many customization options and are very easy to use. So, with the Essential Widgets plugin, customize the interesting widgets your way and display them anywhere you want on your website to make it more dynamic.\u003C\u002Fp>\n\u003Col>\n\u003Cli>\n\u003Cp>EW: Archives\u003Cbr \u002F>\nThe Archives widget comes with various customization options. Choose a title, limit the number of posts, select the archive type, post type, order and more with the Archives widget.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>EW: Authors\u003Cbr \u002F>\nDisplaying the author’s information is kind of a must-have feature if your website has multiple authors. Our new WordPress widgets plugin allows you to add an Authors widget. With this widget, you can show the list of the authors on your website, the number of posts, select feed type, and more.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>EW: Categories\u003Cbr \u002F>\nEssential Widgets Pro supports a Categories widget. The widget provides you with various customizable options such as the title of the widget, taxonomy option, order option, number of categories to show, display as a list or none, number of posts to display, sort by option, select feed type to display and display as text or image.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>EW: Menus\u003Cbr \u002F>\nBored with the same default menu? Our new WordPress plugin for widgets, Essential Widgets Pro, supports a Menus widget. 
With the Menus widget filled with various customization options, you can display your menus elegantly anywhere you want on your website.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>EW: Pages\u003Cbr \u002F>\nDisplay a list of pages with the Pages widget. With various customization options being provided to you, you can showcase the pages that are more important on your website wherever you want with Essential Widgets Pro.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>EW: Posts\u003Cbr \u002F>\nEssential Widgets Pro supports Posts widget. With the widget and its customizable options, you can easily display a list of posts on your website. You can add a title, select the post type, number of items to display, order, sort by, and more.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>EW: Tags\u003Cbr \u002F>\nAnd last, but definitely not the least, the Tags widget. You can display a list of tags as cloud or list, select the order of the tags, sort by option and the number of items to be displayed. The widget also provides you with more customization options including the unit, separator, search, text type, and more.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>Translations\u003C\u002Fh3>\n\u003Cp>To translate the plugin, use translate.wordpress.org (GlotPress). 
You only need your WordPress.org account to join the collaborative translation project.\u003C\u002Fp>\n\u003Cp>You can translate Essential Widgets on \u003Ca href=\"https:\u002F\u002Ftranslate.wordpress.org\u002Fprojects\u002Fwp-plugins\u002Fessential-widgets\u002F\" rel=\"nofollow ugc\">translate.wordpress.org\u003C\u002Fa>.\u003C\u002Fp>\n","Essential Widgets is a WordPress plugin for widgets that allows you to create and add amazing widgets with high customization option",10000,490680,"2026-01-26T17:59:00.000Z","6.9.4","5.9",[145,20,146,147,124],"categories","posts","tags","https:\u002F\u002Fcatchplugins.com\u002Fplugins\u002Fessential-widgets\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fessential-widgets.3.0.1.zip",98,"2026-02-04 18:41:50",{"slug":153,"name":154,"version":155,"author":156,"author_profile":157,"description":158,"short_description":159,"active_installs":139,"downloaded":160,"rating":161,"num_ratings":162,"last_updated":163,"tested_up_to":164,"requires_at_least":165,"requires_php":18,"tags":166,"homepage":171,"download_link":172,"security_score":129,"vuln_count":25,"unpatched_count":85,"last_vuln_date":173,"fetched_at":27},"ultimate-posts-widget","Ultimate Posts Widget","2.3.2","cl272","https:\u002F\u002Fprofiles.wordpress.org\u002Fcl272\u002F","\u003Cp>\u003Cstrong>Try it out on your free dummy site: Click here => \u003Ca href=\"https:\u002F\u002Fdemo.tastewp.com\u002Fultimate-posts-widget\" rel=\"nofollow ugc\">https:\u002F\u002Ftastewp.com\u002Fplugins\u002Fultimate-posts-widget\u003C\u002Fa>.\u003C\u002Fstrong>\u003Cbr \u002F>\n(this trick works for all plugins in the WP repo – just replace “wordpress” with “tastewp” in the URL)\u003C\u002Fp>\n\u003Cp>UPDATE: Plugin ownership changed for this plugin. We are currently evaluating possible enhancements for it. Stay tuned! 
If you have any suggestions yourself, please let us know in the Support Forum.\u003C\u002Fp>\n\u003Cp>Note: This is a \u003Cstrong>classic widget\u003C\u002Fstrong> type; in order for it to work on the latest version of WordPress you will need the \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fclassic-widgets\u002F\" rel=\"ugc\">Classic Widgets\u003C\u002Fa> plugin installed on your site.\u003C\u002Fp>\n\u003Cp>The ultimate widget for displaying posts, custom post types or sticky posts with an array of options to customize the display.\u003C\u002Fp>\n\u003Cp>Designed for both the average user and developer, Ultimate Posts Widget aims to provide flexibility and ease of use for displaying any kind of post within your widget areas. An array of widget options is available as well as hooks, filters and custom templates for more advanced customization.\u003C\u002Fp>\n\u003Ch4>Options\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Filter by categories\u003C\u002Fli>\n\u003Cli>Filter by current category\u003C\u002Fli>\n\u003Cli>Filter by tags\u003C\u002Fli>\n\u003Cli>Filter by current tag\u003C\u002Fli>\n\u003Cli>Filter by custom post types\u003C\u002Fli>\n\u003Cli>Filter by sticky posts\u003C\u002Fli>\n\u003Cli>Select number of posts to display\u003C\u002Fli>\n\u003Cli>Display title\u003C\u002Fli>\n\u003Cli>Display publish date\u002Ftime with custom format options\u003C\u002Fli>\n\u003Cli>Display post author and link\u003C\u002Fli>\n\u003Cli>Display post comment count\u003C\u002Fli>\n\u003Cli>Display excerpt or full content\u003C\u002Fli>\n\u003Cli>Display read more link with custom label\u003C\u002Fli>\n\u003Cli>Display featured image and at any size\u003C\u002Fli>\n\u003Cli>Display post categories\u003C\u002Fli>\n\u003Cli>Display post tags\u003C\u002Fli>\n\u003Cli>Display custom fields\u003C\u002Fli>\n\u003Cli>Add text or HTML before and after posts list\u003C\u002Fli>\n\u003Cli>Add CSS class to widget\u003C\u002Fli>\n\u003Cli>Add widget title 
link\u003C\u002Fli>\n\u003Cli>Change excerpt length (in words)\u003C\u002Fli>\n\u003Cli>Order by date, title, number of comments, random or a custom field\u003C\u002Fli>\n\u003Cli>Exclude current post from the list\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Documentation\u003C\u002Fh4>\n\u003Cp>See the \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fultimate-posts-widget\u002Ffaq\u002F\" rel=\"ugc\">FAQ tab\u003C\u002Fa> for documentation on custom templates, hooks, common issues, and more.\u003C\u002Fp>\n\u003Ch4>Support\u003C\u002Fh4>\n\u003Cp>For help please ask in the \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fplugin\u002Fultimate-posts-widget\u002F\" rel=\"ugc\">Support Forum\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Enjoy this plugin? \u003Ca href=\"https:\u002F\u002Fsellcodes.com\u002F5U4SICyc\" rel=\"nofollow ugc\">Send a tip to support development\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>This plugin is part of the Inisev product family – \u003Ca href=\"https:\u002F\u002Finisev.com\" rel=\"nofollow ugc\">check out our other products\u003C\u002Fa>.\u003C\u002Fp>\n","The ultimate widget for displaying posts, custom post types or sticky posts with an array of options.",492825,90,55,"2024-07-17T01:21:00.000Z","6.6.5","3.5",[167,168,169,170,21],"custom-post-types","featured-image","recent-posts","sticky-posts","http:\u002F\u002Fwordpress.org\u002Fplugins\u002Fultimate-posts-widget\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fultimate-posts-widget.2.3.2.zip","2024-02-13 
00:00:00",{"attackSurface":175,"codeSignals":228,"taintFlows":300,"riskAssessment":318,"analyzedAt":323},{"hooks":176,"ajaxHandlers":220,"restRoutes":221,"shortcodes":222,"cronEvents":227,"entryPointCount":25,"unprotectedCount":85},[177,183,187,192,197,200,202,206,210,214,217],{"type":178,"name":179,"callback":180,"file":181,"line":182},"action","admin_menu","cvmh_sticky_admin_menu","includes\\admin.php",7,{"type":178,"name":184,"callback":185,"file":181,"line":186},"admin_enqueue_scripts","cvmh_sticky_admin_enqueue_scripts",15,{"type":188,"name":189,"callback":190,"file":181,"line":191},"filter","plugin_action_links_sticky\u002Fsticky.php","cvmh_sticky_admin_add_action_links",79,{"type":178,"name":193,"callback":194,"priority":25,"file":195,"line":196},"plugins_loaded","cvmh_sticky_constants","sticky.php",16,{"type":178,"name":193,"callback":198,"priority":14,"file":195,"line":199},"cvmh_sticky_i18n",25,{"type":178,"name":193,"callback":201,"priority":47,"file":195,"line":60},"cvmh_sticky_setup",{"type":178,"name":193,"callback":203,"priority":204,"file":195,"line":205},"cvmh_sticky_includes",4,35,{"type":178,"name":207,"callback":208,"file":195,"line":209},"widgets_init","register",46,{"type":178,"name":211,"callback":212,"file":195,"line":213},"wp_enqueue_scripts","cvmh_sticky_front_enqueues",48,{"type":178,"name":184,"callback":215,"file":195,"line":216},"cvmh_sticky_admin_scripts",51,{"type":178,"name":218,"callback":215,"file":195,"line":219},"customize_controls_enqueue_scripts",52,[],[],[223],{"tag":224,"callback":225,"file":226,"line":204},"cvmh-sticky","cvmh_sticky_front_shortcode","includes\\shortcode.php",[],{"dangerousFunctions":229,"sqlUsage":230,"outputEscaping":232,"fileOperations":85,"externalRequests":85,"nonceChecks":25,"capabilityChecks":25,"bundledLibraries":299},[],{"prepared":14,"raw":85,"locations":231},[],{"escaped":233,"rawEcho":234,"locations":235},12,37,[236,239,241,242,243,245,246,248,250,252,253,254,255,257,259,261,263,264,266,268,270,27
1,273,275,277,279,282,283,284,286,288,290,291,293,296,297,298],{"file":237,"line":60,"context":238},"includes\\form.php","raw output",{"file":237,"line":240,"context":238},40,{"file":237,"line":240,"context":238},{"file":237,"line":219,"context":238},{"file":237,"line":244,"context":238},61,{"file":237,"line":244,"context":238},{"file":237,"line":247,"context":238},62,{"file":237,"line":249,"context":238},68,{"file":237,"line":251,"context":238},71,{"file":237,"line":251,"context":238},{"file":237,"line":191,"context":238},{"file":237,"line":191,"context":238},{"file":237,"line":256,"context":238},80,{"file":237,"line":258,"context":238},87,{"file":237,"line":260,"context":238},95,{"file":237,"line":262,"context":238},101,{"file":237,"line":262,"context":238},{"file":237,"line":265,"context":238},102,{"file":237,"line":267,"context":238},109,{"file":237,"line":269,"context":238},115,{"file":237,"line":269,"context":238},{"file":237,"line":272,"context":238},116,{"file":237,"line":274,"context":238},124,{"file":237,"line":276,"context":238},128,{"file":237,"line":278,"context":238},135,{"file":280,"line":281,"context":238},"includes\\settings.php",28,{"file":280,"line":281,"context":238},{"file":280,"line":281,"context":238},{"file":280,"line":285,"context":238},39,{"file":280,"line":287,"context":238},57,{"file":280,"line":289,"context":238},58,{"file":280,"line":289,"context":238},{"file":280,"line":292,"context":238},59,{"file":294,"line":295,"context":238},"includes\\widget.php",49,{"file":294,"line":219,"context":238},{"file":294,"line":162,"context":238},{"file":294,"line":287,"context":238},[],[301],{"entryPoint":302,"graph":303,"unsanitizedCount":85,"severity":317},"\u003Csettings> (includes\\settings.php:0)",{"nodes":304,"edges":314},[305,309],{"id":306,"type":307,"label":308,"file":280,"line":285},"n0","source","$_SERVER['REQUEST_URI']",{"id":310,"type":311,"label":312,"file":280,"line":285,"wp_function":313},"n1","sink","echo() 
[XSS]","echo",[315],{"from":306,"to":310,"sanitized":316},true,"low",{"summary":319,"deductions":320},"The \"sticky\" plugin v2.5.6 exhibits a generally strong security posture based on the provided static analysis. The plugin successfully utilizes prepared statements for its SQL queries, has no identified dangerous functions, file operations, or external HTTP requests. Furthermore, it implements nonce and capability checks, indicating an effort to protect its entry points. Taint analysis also shows no critical or high-severity unsanitized flows.\n\nHowever, a notable concern arises from the output escaping. With 49 total outputs and only 24% properly escaped, a significant portion of the plugin's output is potentially vulnerable to Cross-Site Scripting (XSS) attacks. This lack of robust output sanitization represents the primary risk identified in the code analysis. The absence of any known vulnerabilities in its history is positive, suggesting a history of responsible development, but it does not negate the current risks identified in the static analysis.\n\nIn conclusion, while the plugin demonstrates good practices in areas like SQL sanitization and authentication checks, the high percentage of unescaped output presents a tangible security weakness. 
Developers should prioritize addressing the output escaping issues to mitigate potential XSS vulnerabilities.",[321],{"reason":322,"points":182},"Insufficient output escaping (24% proper)","2026-03-16T21:36:42.404Z",{"wat":325,"direct":338},{"assetPaths":326,"generatorPatterns":331,"scriptPaths":332,"versionParams":333},[327,328,329,330],"\u002Fwp-content\u002Fplugins\u002Fsticky\u002Fassets\u002Fcss\u002Fadmin.css","\u002Fwp-content\u002Fplugins\u002Fsticky\u002Fassets\u002Fjs\u002Fadmin.js","\u002Fwp-content\u002Fplugins\u002Fsticky\u002Fassets\u002Fcss\u002Ffront.css","\u002Fwp-content\u002Fplugins\u002Fsticky\u002Fassets\u002Fjs\u002Ffront.js",[],[328,330],[334,335,336,337],"sticky\u002Fassets\u002Fcss\u002Fadmin.css?ver=","sticky\u002Fassets\u002Fjs\u002Fadmin.js?ver=","sticky\u002Fassets\u002Fcss\u002Ffront.css?ver=","sticky\u002Fassets\u002Fjs\u002Ffront.js?ver=",{"cssClasses":339,"htmlComments":341,"htmlAttributes":342,"restEndpoints":344,"jsGlobals":345,"shortcodeOutput":346},[340],"cvmh-sticky-admin-style",[],[343],"data-sticky-visibility",[],[4],[347],"\u003Cdiv class=\"cvmh-sticky-posts\">",{"error":316,"url":349,"statusCode":350,"statusMessage":351,"message":351},"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fsticky\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":85,"versions":353},[]]