[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$feBzyLJixLuLL9vyqdvNIvp-sCoXQJ10D9xASng9saEw":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":24,"download_link":25,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28,"vulnerabilities":29,"developer":30,"crawl_stats":27,"alternatives":36,"analysis":129,"fingerprints":211},"stop-junk","Stop Junk","1.0","Matthew Bretag","https:\u002F\u002Fprofiles.wordpress.org\u002Fmbretag\u002F","\u003Cp>Stops spam on comments box. User needs to enter result of a simple math problem in a text box before posting a comment. User will only be prompted if not logged in. It’s a simple to use plugin that won’t leave your user frustrated when trying to post. \u003Ca href=\"http:\u002F\u002Fstopjunk.megatag.me\" rel=\"nofollow ugc\">Try the demo here.\u003C\u002Fa>\u003C\u002Fp>\n","Stops spam on comments box. User needs to enter result of a simple math problem in a text box before posting a comment.",40,3927,0,"2012-05-07T11:14:00.000Z","3.3.2","3.0","",[19,20,21,22,23],"comments","junk","post","spam","verification","http:\u002F\u002Fstopjunk.megatag.me\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fstop-junk.1.0.zip",85,null,"2026-03-15T15:16:48.613Z",[],{"slug":31,"display_name":7,"profile_url":8,"plugin_count":32,"total_installs":11,"avg_security_score":26,"avg_patch_time_days":33,"trust_score":34,"computed_at":35},"mbretag",1,30,84,"2026-04-05T11:53:41.055Z",[37,57,78,94,115],{"slug":38,"name":39,"version":40,"author":41,"author_profile":42,"description":43,"short_description":44,"active_installs":45,"downloaded":46,"rating":47,"num_ratings":48,"last_updated":49,"tested_up_to":50,"requires_at_least":51,"requires_php":17,"tags":52,"homepage":55,"download_link":56,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"comment-email-verify","Comment E-Mail Verification","0.4.2","Martin Lormes","https:\u002F\u002Fprofiles.wordpress.org\u002Ftfnab\u002F","\u003Cp>If a comment is held for moderation an email message is sent to the comment author with a link to verify the comment author’s email address. When the comment author clicks on that link the comment gets approved immediately. This makes discussions more lively as users don’t have to wait for the blog admin to approve the comment.\u003C\u002Fp>\n\u003Cp>Blog owners may also choose to hold the comments in the moderation queue even after successful verification. The verification status is shown in the comment lists in the admin.\u003C\u002Fp>\n\u003Cp>If an author has a previously approved comment and his comments gets approved automatically according to the ‘comment_whitelist’ option in WordPress no email is sent.\u003C\u002Fp>\n\u003Cp>If a comment is classified as spam by Akismet or another anti-spam plugin no email is sent.\u003C\u002Fp>\n\u003Cp>This plugin uses the \u003Ccode>commentmeta\u003C\u002Fcode> table and thus requires WordPress 2.9\u003C\u002Fp>\n\u003Cp>PHP5 strongly recommended\u003C\u002Fp>\n","If a comment is held for moderation an email message is sent to the comment author with a link to verify the comment author's email address.",90,16179,96,4,"2014-02-25T21:49:00.000Z","3.7.41","2.9",[19,53,54,22,23],"email","email-verification","http:\u002F\u002Ften-fingers-and-a-brain.com\u002Fwordpress-plugins\u002Fcomment-email-verify\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcomment-email-verify.0.4.2.zip",{"slug":58,"name":59,"version":60,"author":61,"author_profile":62,"description":63,"short_description":64,"active_installs":65,"downloaded":66,"rating":67,"num_ratings":68,"last_updated":69,"tested_up_to":70,"requires_at_least":71,"requires_php":72,"tags":73,"homepage":76,"download_link":77,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"move-comments","Move Comments","2.4","apostolis","https:\u002F\u002Fprofiles.wordpress.org\u002Fapostolis\u002F","\u003Cp>This plugin allows you to move comments between posts in a simple and easy way by adding a page under (\\’Move\\’) under the \\’Comments\\’ section in the admin Dashboard.\u003C\u002Fp>\n\u003Cp>Enjoy the plugin!\u003C\u002Fp>\n","This plugin allows you to move comments between posts in a simple and easy way by adding a page under (\\'Move\\') under the \\'Comments\\& …",70,11360,92,7,"2018-09-04T21:39:00.000Z","4.9.29","4.6","7.0.0",[19,74,75,21,22],"move","page","http:\u002F\u002Fwww.dountsis.com\u002Fprojects\u002Fmove-comments\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmove-comments.2.4.zip",{"slug":79,"name":80,"version":81,"author":82,"author_profile":83,"description":84,"short_description":85,"active_installs":33,"downloaded":86,"rating":13,"num_ratings":13,"last_updated":87,"tested_up_to":50,"requires_at_least":88,"requires_php":17,"tags":89,"homepage":92,"download_link":93,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"wp-jquery-spam","WP jQuery Spam","1.2","Soar360","https:\u002F\u002Fprofiles.wordpress.org\u002Fsoar360\u002F","\u003Cp>WP jQuery Spam是一个适用于WordPress的反垃圾评论插件，它可以通过动态向评论表单增加隐藏域的方式来拦截垃圾评论。只要评论信息不是通过浏览器正规提交，那么评论就会被拦截，并写入当天的robot日志。\u003C\u002Fp>\n\u003Cp>此插件可以拦截大部分垃圾评论机器人。在此之前，博主也深受垃圾评论的烦恼，每天收到的垃圾评论邮件就有数十封，这个插件启用后，再也邮箱再也没有被Robot垃圾邮件惊扰，这真真是极好的。\u003C\u002Fp>\n\u003Ch4>特色\u003C\u002Fh4>\n\u003Cp>该插件体积小巧，安装方便，无需额外设置，可谓“即插即用”。兼容WP-Super-Cache插件，并且针对“Invoker”主题做了优化。程序代码不足百行，且做足了优化，对程序性能影响极小，实乃站长开博，居家旅行的必备良品。\u003C\u002Fp>\n\u003Ch4>官方网站\u003C\u002Fh4>\n\u003Cblockquote>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fwww.sum16.com\" rel=\"nofollow ugc\">http:\u002F\u002Fwww.sum16.com\u003C\u002Fa>\u003C\u002Fp>\n\u003C\u002Fblockquote>\n","帮助广大WordPress用户拦截垃圾评论",1754,"2014-01-26T06:00:00.000Z","2.8",[19,90,20,91,22],"jquery","pinglunla","http:\u002F\u002Fwww.sum16.com\u002Fmy\u002Fwp-jquery-spam.html","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-jquery-spam.zip",{"slug":95,"name":96,"version":97,"author":98,"author_profile":99,"description":100,"short_description":101,"active_installs":102,"downloaded":103,"rating":104,"num_ratings":105,"last_updated":106,"tested_up_to":107,"requires_at_least":108,"requires_php":17,"tags":109,"homepage":113,"download_link":114,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"block-disposable-email-addresses","Block Disposable Email","0.8","gsetz","https:\u002F\u002Fprofiles.wordpress.org\u002Fgsetz\u002F","\u003Cp>This plugin prevents people from registering with disposable email addresses (dea) like the ones provided by mailinator (also known as throw-away email, one-time email). It protects your most important asset, your registered user base, by preventing contamination by fake accounts. This plugin working principle is similar to spam blacklists.\u003C\u002Fp>\n\u003Cp>It hooks in the wordpress function is_email() so it will extend the known email validation of wordpress to detect dea domains.\u003C\u002Fp>\n\u003Cp>The plugin itself does not contain a list of domains to block. Instead of local maintenance the plugin uses the service of http:\u002F\u002Fwww.block-disposable-email.com. This is a very accurate free service for up to 200 queries a month. For huge sites several commercial plans are available.\u003C\u002Fp>\n\u003Cp>Please see the FAQ section for some more information.\u003C\u002Fp>\n","This plugin detects one-time email addresses (disposable email, trashmail, mailinator, 10minutemail) and helps to keep your userbase and comments clea …",10,4288,46,3,"2017-03-16T18:51:00.000Z","4.6.30","3.3.1",[19,110,111,22,112],"disposable-email","posts","temporary-email","http:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Fblock-disposable-email-addresses\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fblock-disposable-email-addresses.zip",{"slug":116,"name":117,"version":118,"author":119,"author_profile":120,"description":121,"short_description":122,"active_installs":102,"downloaded":123,"rating":13,"num_ratings":13,"last_updated":124,"tested_up_to":70,"requires_at_least":125,"requires_php":17,"tags":126,"homepage":127,"download_link":128,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"contentpress","Contentpress","1.2.2","Omegatheme","https:\u002F\u002Fprofiles.wordpress.org\u002Fcaselock\u002F","\u003Cp>ContentPress is a plugin for wordpress that helps to shows the list of content as the table that included with the filter by: Defined Categories, Defined years and Alphabet filter.\u003Cbr \u002F>\nIt can be used for many purposes such as: Press release, publication of the company and\u002For for the board of events and\u002For the diary blog.\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>Note that to use the filter with alphabetic and use the blog layout you need buy the full version, please visit details to https:\u002F\u002Fwww.omegatheme.com\u003C\u002Fp>\n\u003C\u002Fblockquote>\n","Omegatheme ContentPress is a plugin for Wordpress that users worldwide love to use!",1991,"2018-04-19T08:58:00.000Z","4.0.0",[19,116,75,21,22],"https:\u002F\u002Fwww.omegatheme.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcontentpress.zip",{"attackSurface":130,"codeSignals":151,"taintFlows":166,"riskAssessment":204,"analyzedAt":210},{"hooks":131,"ajaxHandlers":147,"restRoutes":148,"shortcodes":149,"cronEvents":150,"entryPointCount":13,"unprotectedCount":13},[132,138,142],{"type":133,"name":134,"callback":135,"file":136,"line":137},"filter","preprocess_comment","check_math","stop-junk.php",67,{"type":133,"name":139,"callback":140,"file":136,"line":141},"comment_form_field_comment","add_math",73,{"type":143,"name":144,"callback":145,"file":136,"line":146},"action","admin_menu","stop_junk_add_pages",79,[],[],[],[],{"dangerousFunctions":152,"sqlUsage":153,"outputEscaping":155,"fileOperations":13,"externalRequests":13,"nonceChecks":13,"capabilityChecks":32,"bundledLibraries":165},[],{"prepared":13,"raw":13,"locations":154},[],{"escaped":13,"rawEcho":48,"locations":156},[157,160,162,164],{"file":136,"line":158,"context":159},253,"raw output",{"file":136,"line":161,"context":159},265,{"file":136,"line":163,"context":159},271,{"file":136,"line":163,"context":159},[],[167,193],{"entryPoint":168,"graph":169,"unsanitizedCount":13,"severity":192},"stop_junk_plugin_page (stop-junk.php:183)",{"nodes":170,"edges":188},[171,176,182,184],{"id":172,"type":173,"label":174,"file":136,"line":175},"n0","source","$_POST",223,{"id":177,"type":178,"label":179,"file":136,"line":180,"wp_function":181},"n1","sink","update_option() [Settings Manipulation]",229,"update_option",{"id":183,"type":173,"label":174,"file":136,"line":175},"n2",{"id":185,"type":178,"label":186,"file":136,"line":163,"wp_function":187},"n3","echo() [XSS]","echo",[189,191],{"from":172,"to":177,"sanitized":190},true,{"from":183,"to":185,"sanitized":190},"low",{"entryPoint":194,"graph":195,"unsanitizedCount":13,"severity":192},"\u003Cstop-junk> (stop-junk.php:0)",{"nodes":196,"edges":201},[197,198,199,200],{"id":172,"type":173,"label":174,"file":136,"line":175},{"id":177,"type":178,"label":179,"file":136,"line":180,"wp_function":181},{"id":183,"type":173,"label":174,"file":136,"line":175},{"id":185,"type":178,"label":186,"file":136,"line":163,"wp_function":187},[202,203],{"from":172,"to":177,"sanitized":190},{"from":183,"to":185,"sanitized":190},{"summary":205,"deductions":206},"The \"stop-junk\" plugin version 1.0 demonstrates a seemingly strong security posture based on the provided static analysis.  The plugin has zero recorded vulnerabilities, including no known CVEs, which is a significant positive indicator.  Furthermore, its attack surface is reported as zero, with no AJAX handlers, REST API routes, shortcodes, or cron events, implying a minimal interaction footprint.  All observed SQL queries utilize prepared statements, a crucial best practice for preventing SQL injection. The absence of dangerous functions, file operations, and external HTTP requests further contributes to its perceived security.\n\nHowever, a critical concern arises from the output escaping analysis. With 4 total outputs and 0% properly escaped, this indicates a high likelihood of Cross-Site Scripting (XSS) vulnerabilities. Any data displayed to users that originates from user input or other potentially untrusted sources could be rendered without proper sanitization, allowing attackers to inject malicious scripts. The plugin also lacks nonce checks and relies on only one capability check, which, while not inherently a direct vulnerability in itself given the zero attack surface, could become a point of weakness if the attack surface were to expand in future versions or if the single capability check is insufficient for its purpose.\n\nIn conclusion, while the plugin's lack of historical vulnerabilities and its absence of common entry points are commendable, the complete lack of output escaping presents a significant and immediate risk. This needs to be addressed to prevent potential XSS attacks. The current security posture is a mixed bag, with strengths in SQL handling and attack surface minimization overshadowed by a severe weakness in output sanitization.",[207],{"reason":208,"points":209},"0% output escaping",8,"2026-03-16T22:18:28.371Z",{"wat":212,"direct":217},{"assetPaths":213,"generatorPatterns":214,"scriptPaths":215,"versionParams":216},[],[],[],[],{"cssClasses":218,"htmlComments":220,"htmlAttributes":221,"restEndpoints":228,"jsGlobals":229,"shortcodeOutput":230},[219],"stop-junk-math",[],[222,223,224,225,226,227],"name=\"math_val\"","id=\"math_val\"","name=\"num1\"","name=\"num2\"","name=\"stop_junk_submit_hidden\"","name=\"stop_junk_math_color\"",[],[],[231,232,233],"\u003Cp class=\"stop-junk-math\">\u003Clabel for=\"math_val\">Validation Code\u003C\u002Flabel>\u003Cspan class=\"required\">*\u003C\u002Fspan>\u003Cspan","\u003Cinput style=\"width:100px;\" id=\"math_val\" name=\"math_val\" type=\"text\" size=\"10\" aria-required='true' \u002F>","\u003Cinput name=\"num1\" value=\""]