[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fX0SWJ_tpzGKQ7YUV3j0AJGkSd5kpzzI5um7r9MBlwQ4":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":21,"download_link":22,"security_score":23,"vuln_count":24,"unpatched_count":25,"last_vuln_date":26,"fetched_at":27,"vulnerabilities":28,"developer":74,"crawl_stats":34,"alternatives":82,"analysis":83,"fingerprints":294},"sully","SULly","4.4","Greg Ross","https:\u002F\u002Fprofiles.wordpress.org\u002Fgregross\u002F","\u003Cp>With WordPress 3.7, updates happen automatically for you, however there is only an e-mail notifications sent.  WordPress has a robust administration interface so SULly records all system updates (either automatic or manually done through the admin interface) in to a table and presents the last 10 updates to you in a dashboard widget.\u003C\u002Fp>\n\u003Cp>Also note that this plugin can only display logs for items installed after SULly itself is installed.\u003C\u002Fp>\n\u003Cp>This code is released under the GPL v2, see license.txt for details.\u003C\u002Fp>\n\u003Ch3>Roadmap\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>None at this time!\u003C\u002Fli>\n\u003C\u002Ful>\n","System Update Logger - Record system updates including plugins, themes and core updates.",30,3136,100,1,"2024-06-01T21:56:00.000Z","6.5.8","3.7.0","",[20],"admin-updates-log","http:\u002F\u002Ftoolstack.com\u002Fsully","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsully.4.4.zip",89,4,0,"2024-06-22 
00:00:00","2026-03-15T15:16:48.613Z",[29,45,55,66],{"id":30,"url_slug":31,"title":32,"description":33,"plugin_slug":4,"theme_slug":34,"affected_versions":35,"patched_in_version":36,"severity":37,"cvss_score":38,"cvss_vector":39,"vuln_type":40,"published_date":26,"updated_date":41,"references":42,"days_to_patch":44},"CVE-2024-5151","sully-authenticated-admin-stored-cross-site-scripting","SULly \u003C= 4.3.0 - Authenticated (Admin+) Stored Cross-Site Scripting","The SULly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.",null,"\u003C=4.3","4.3.1","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2024-06-27 14:19:04",[43],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0b270ec6-8dc1-432b-bf68-671966a9761a?source=api-prod",6,{"id":46,"url_slug":47,"title":48,"description":49,"plugin_slug":4,"theme_slug":34,"affected_versions":35,"patched_in_version":36,"severity":37,"cvss_score":50,"cvss_vector":51,"vuln_type":40,"published_date":26,"updated_date":52,"references":53,"days_to_patch":44},"CVE-2024-5032","sully-reflected-cross-site-scripting","SULly \u003C= 4.3 - Reflected Cross-Site Scripting","The SULly plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 4.3 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","2024-06-27 14:21:57",[54],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F8b968849-32ef-4cc9-8ac6-5477b2906952?source=api-prod",{"id":56,"url_slug":57,"title":58,"description":59,"plugin_slug":4,"theme_slug":34,"affected_versions":35,"patched_in_version":36,"severity":37,"cvss_score":60,"cvss_vector":61,"vuln_type":62,"published_date":26,"updated_date":63,"references":64,"days_to_patch":44},"CVE-2024-5034","sully-cross-site-request-forgery-to-plugin-reset","SULly \u003C= 4.3.0 - Cross-Site Request Forgery to Plugin Reset","The SULly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.3. This is due to missing or incorrect nonce validation on a function. 
This makes it possible for unauthenticated attackers to reset the plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2024-06-27 14:21:07",[65],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa3f0e97c-f41f-47ed-93c7-cff5915e9d01?source=api-prod",{"id":67,"url_slug":68,"title":69,"description":70,"plugin_slug":4,"theme_slug":34,"affected_versions":35,"patched_in_version":36,"severity":37,"cvss_score":50,"cvss_vector":51,"vuln_type":62,"published_date":26,"updated_date":71,"references":72,"days_to_patch":44},"CVE-2024-5033","sully-cross-site-request-forgery-to-stored-cross-site-scripting","SULly \u003C= 4.3.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting","The SULly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.3. This is due to missing or incorrect nonce validation on a function. 
This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","2024-06-27 14:20:15",[73],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc8c89eea-f6b0-4771-ab7d-05e266324d58?source=api-prod",{"slug":75,"display_name":7,"profile_url":8,"plugin_count":76,"total_installs":77,"avg_security_score":78,"avg_patch_time_days":79,"trust_score":80,"computed_at":81},"gregross",34,7510,88,39,80,"2026-04-04T03:37:36.077Z",[],{"attackSurface":84,"codeSignals":126,"taintFlows":244,"riskAssessment":280,"analyzedAt":293},{"hooks":85,"ajaxHandlers":122,"restRoutes":123,"shortcodes":124,"cronEvents":125,"entryPointCount":25,"unprotectedCount":25},[86,93,97,103,106,109,113,117],{"type":87,"name":88,"callback":89,"priority":90,"file":91,"line":92},"action","init","SULlySetup",10,"sully.php",860,{"type":87,"name":94,"callback":95,"priority":14,"file":91,"line":96},"admin_menu","SULlyAddDashboardMenu",863,{"type":98,"name":99,"callback":100,"priority":101,"file":91,"line":102},"filter","auto_core_update_send_email","__return_false",50,870,{"type":98,"name":104,"callback":100,"priority":101,"file":91,"line":105},"send_core_update_notification_email",871,{"type":98,"name":107,"callback":100,"priority":101,"file":91,"line":108},"automatic_updates_send_debug_email",872,{"type":87,"name":110,"callback":111,"file":91,"line":112},"wp_dashboard_setup","SULlyLoad",876,{"type":98,"name":114,"callback":115,"priority":90,"file":91,"line":116},"upgrader_pre_download","SULlyStoreName",878,{"type":98,"name":118,"callback":119,"priority":120,"file":91,"line":121},"upgrader_post_install","SULlyStoreResult",1000,880,[],[],[],[],{"dangerousFunctions":127,"sqlUsage":143,"outputEscaping":170,"fileOperations":44,"externalRequests":25,"nonceChecks":241,"capabilityChecks":242,"bundledLibraries":243},[128,133,136,139,141],{"fn":129,"
file":130,"line":131,"context":132},"unserialize","includes\\page.dashboard.php",58,"SULlyUpdateSystemSettings( SULlyGetSystemInfo(), unserialize( get_option( 'SULly_System_Settings' ) ",{"fn":129,"file":134,"line":135,"context":132},"includes\\widget.dashboard.php",14,{"fn":129,"file":91,"line":137,"context":138},482,"$systemoptions = unserialize( get_option( 'SULly_System_Settings' ) );",{"fn":129,"file":91,"line":140,"context":138},500,{"fn":129,"file":91,"line":142,"context":132},655,{"prepared":14,"raw":144,"locations":145},12,[146,149,151,153,155,156,158,160,162,164,166,168],{"file":130,"line":147,"context":148},73,"$wpdb->get_results() with variable interpolation",{"file":130,"line":150,"context":148},151,{"file":152,"line":11,"context":148},"includes\\page.settings.php",{"file":152,"line":154,"context":148},37,{"file":152,"line":101,"context":148},{"file":152,"line":157,"context":148},75,{"file":134,"line":159,"context":148},21,{"file":91,"line":161,"context":148},598,{"file":91,"line":163,"context":148},688,{"file":91,"line":165,"context":148},711,{"file":91,"line":167,"context":148},734,{"file":91,"line":169,"context":148},789,{"escaped":171,"rawEcho":76,"locations":172},24,[173,176,178,180,182,184,186,188,190,192,194,196,198,200,202,204,206,208,210,212,213,214,216,218,220,222,224,226,228,230,232,234,236,238],{"file":130,"line":174,"context":175},17,"raw 
output",{"file":130,"line":177,"context":175},44,{"file":130,"line":179,"context":175},77,{"file":130,"line":181,"context":175},79,{"file":130,"line":183,"context":175},81,{"file":130,"line":185,"context":175},84,{"file":130,"line":187,"context":175},94,{"file":130,"line":189,"context":175},102,{"file":130,"line":191,"context":175},104,{"file":130,"line":193,"context":175},114,{"file":130,"line":195,"context":175},119,{"file":130,"line":197,"context":175},129,{"file":130,"line":199,"context":175},143,{"file":130,"line":201,"context":175},147,{"file":130,"line":203,"context":175},158,{"file":130,"line":205,"context":175},163,{"file":130,"line":207,"context":175},168,{"file":152,"line":209,"context":175},116,{"file":152,"line":211,"context":175},137,{"file":152,"line":201,"context":175},{"file":152,"line":201,"context":175},{"file":152,"line":215,"context":175},149,{"file":152,"line":217,"context":175},160,{"file":152,"line":219,"context":175},166,{"file":152,"line":221,"context":175},177,{"file":152,"line":223,"context":175},181,{"file":152,"line":225,"context":175},209,{"file":152,"line":227,"context":175},210,{"file":152,"line":229,"context":175},223,{"file":134,"line":231,"context":175},38,{"file":134,"line":233,"context":175},48,{"file":134,"line":235,"context":175},56,{"file":134,"line":237,"context":175},72,{"file":239,"line":240,"context":175},"ToolStack-WP-Utilities.class.php",281,7,2,[],[245,271],{"entryPoint":246,"graph":247,"unsanitizedCount":25,"severity":270},"\u003Cpage.dashboard> (includes\\page.dashboard.php:0)",{"nodes":248,"edges":266},[249,254,259,262],{"id":250,"type":251,"label":252,"file":130,"line":253},"n0","source","$_GET",65,{"id":255,"type":256,"label":257,"file":130,"line":147,"wp_function":258},"n1","sink","get_results() [SQLi]","get_results",{"id":260,"type":251,"label":261,"file":130,"line":253},"n2","$_GET (x4)",{"id":263,"type":256,"label":264,"file":130,"line":181,"wp_function":265},"n3","echo() 
[XSS]","echo",[267,269],{"from":250,"to":255,"sanitized":268},true,{"from":260,"to":263,"sanitized":268},"low",{"entryPoint":272,"graph":273,"unsanitizedCount":25,"severity":270},"\u003Cpage.settings> (includes\\page.settings.php:0)",{"nodes":274,"edges":278},[275,277],{"id":250,"type":251,"label":252,"file":152,"line":276},23,{"id":255,"type":256,"label":264,"file":152,"line":201,"wp_function":265},[279],{"from":250,"to":255,"sanitized":268},{"summary":281,"deductions":282},"The plugin 'sully' v4.4 exhibits a mixed security posture. While the static analysis reports a very small attack surface with no apparent unprotected entry points (AJAX, REST API, shortcodes, cron), several concerning code signals exist. The presence of the `unserialize` function, a known vector for deserialization vulnerabilities if input is not strictly controlled, is a significant red flag; in the flagged locations it is applied to a value read back from a stored option rather than directly to request input, so its exploitability depends on whether that option can be written with attacker-controlled content. Furthermore, a substantial portion of SQL queries (12%) is not using prepared statements, increasing the risk of SQL injection, and nearly 60% of output is not properly escaped, posing a Cross-Site Scripting (XSS) risk. The vulnerability history indicates a pattern of past medium severity issues, primarily XSS and CSRF, with the most recent recorded on June 22, 2024. 
The fact that there are currently no unpatched CVEs is positive, but the recurring types of vulnerabilities suggest potential ongoing weaknesses in input validation and output sanitization, despite some positive indicators like nonce and capability checks.",[283,286,288,291],{"reason":284,"points":285},"Dangerous function `unserialize` found",15,{"reason":287,"points":90},"SQL queries not using prepared statements",{"reason":289,"points":290},"Output not properly escaped",8,{"reason":292,"points":144},"Past medium severity vulnerabilities (4 total)","2026-03-16T22:26:14.287Z",{"wat":295,"direct":302},{"assetPaths":296,"generatorPatterns":299,"scriptPaths":300,"versionParams":301},[297,298],"\u002Fwp-content\u002Fplugins\u002Fsully\u002Fincludes\u002Fcss\u002Fsully-dashboard.css","\u002Fwp-content\u002Fplugins\u002Fsully\u002Fincludes\u002Fjs\u002Fsully-dashboard.js",[],[],[],{"cssClasses":303,"htmlComments":305,"htmlAttributes":306,"restEndpoints":308,"jsGlobals":309,"shortcodeOutput":310},[304],"sully-dashboard-widget",[],[307],"id=\"sully-dashboard-widget\"",[],[],[]]