[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fml_0vlRxEIA8epKWjtCsX7wqhWsLXwXc0YNlCOxADT4":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":18,"download_link":20,"security_score":21,"vuln_count":22,"unpatched_count":22,"last_vuln_date":23,"fetched_at":24,"vulnerabilities":25,"developer":40,"crawl_stats":31,"alternatives":45,"analysis":46,"fingerprints":223},"tailored-tools","Tailored Tools","1.8.4","Tailored Media","https:\u002F\u002Fprofiles.wordpress.org\u002Ftailoredweb\u002F","\u003Cp>This plugin contains helper classes used to build custom forms.  It’s built by \u003Ca href=\"http:\u002F\u002Fwww.tailored.com.au\" title=\"Tailored Web Services\" rel=\"nofollow ugc\">Tailored Web Services\u003C\u002Fa> for use on our sites, but anyone is welcome to use it.\u003C\u002Fp>\n\u003Cp>This plugin comes with a basic contact form. You can write additional plugins to extend & create more forms. If you are not comfortable writing PHP code, then this plugin is probably not right for you.\u003C\u002Fp>\n\u003Cp>It also contains some other shortcode helpers for Google Maps, jQuery UI Tabs, and Page Content.\u003C\u002Fp>\n\u003Ch3>Shortcodes\u003C\u002Fh3>\n\u003Cp>This plugin also includes some shortcodes that we tend to use a lot.\u003C\u002Fp>\n\u003Ch4>[tabs]\u003C\u002Fh4>\n\u003Cp>This will apply formatting and javascript to implement \u003Ca href=\"http:\u002F\u002Fjqueryui.com\u002Fdemos\u002Ftabs\u002F\" rel=\"nofollow ugc\">jQuery UI Tabs\u003C\u002Fa>.  To use, simply wrap all of your tabbed content in [tabs] … [\u002Ftabs] shortcodes.  Each H2 element will be a new tab.  Some basic CSS is included, and you can write your own in your theme file to customise the look.\u003C\u002Fp>\n\u003Ch4>[pagecontent id=”1″]\u003C\u002Fh4>\n\u003Cp>Sometimes you need to include the same bit of content in many places on your site.  To save time, this shortcode will let you include the content from one page in many places.  Just use the shortcode, and provide the ID of the page you want to include.  Eg, [pagecontent id=”3″] will insert all content from the page with ID = 3.  You can use [pagecontent id=”3″ include_title=”no”] if you want to include the text only, and not the page title.\u003C\u002Fp>\n\u003Ch4>[googlemap address=”123 somewhere street, Kansas”]\u003C\u002Fh4>\n\u003Cp>To embed a Google Map iframe, use this shortcode.  Google will geocode your address to determine where the pin goes.  You can also specify width, height, and zoom.  You can also provide ‘class’ to set a CSS class on the iframe element.  This will embed both the iFrame and a static image.  Use CSS to determine which one is shown.  Use CSS media queries for responsive behavior here.\u003C\u002Fp>\n","Contains some helper classes to help you build custom forms.",90,3834,100,2,"2022-11-01T06:46:00.000Z","6.0.11","3.0","",[],"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftailored-tools.1.8.4.zip",64,1,"2024-11-20 00:00:00","2026-03-15T15:16:48.613Z",[26],{"id":27,"url_slug":28,"title":29,"description":30,"plugin_slug":4,"theme_slug":31,"affected_versions":32,"patched_in_version":31,"severity":33,"cvss_score":34,"cvss_vector":35,"vuln_type":36,"published_date":23,"updated_date":37,"references":38,"days_to_patch":31},"CVE-2024-52503","tailored-tools-authenticated-contributor-stored-cross-site-scripting","Tailored Tools \u003C= 1.8.4 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Tailored Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.8.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",null,"\u003C=1.8.4","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2024-11-26 18:22:06",[39],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F98536f33-eb3d-4b2f-bda3-97f8cf9e5b19?source=api-prod",{"slug":41,"display_name":7,"profile_url":8,"plugin_count":22,"total_installs":11,"avg_security_score":21,"avg_patch_time_days":42,"trust_score":43,"computed_at":44},"tailoredweb",30,69,"2026-04-04T21:23:06.687Z",[],{"attackSurface":47,"codeSignals":95,"taintFlows":166,"riskAssessment":208,"analyzedAt":222},{"hooks":48,"ajaxHandlers":84,"restRoutes":85,"shortcodes":86,"cronEvents":93,"entryPointCount":14,"unprotectedCount":94},[49,54,57,62,66,70,74,79],{"type":50,"name":51,"callback":51,"file":52,"line":53},"action","add_meta_boxes","embed-js.php",14,{"type":50,"name":55,"callback":55,"file":52,"line":56},"save_post",15,{"type":58,"name":59,"callback":60,"file":61,"line":56},"filter","mce_buttons","filter_mce_buttons","mce-columns.php",{"type":58,"name":63,"callback":64,"file":61,"line":65},"mce_external_plugins","filter_mce_external_plugins",16,{"type":58,"name":67,"callback":68,"file":61,"line":69},"tailored_tools_mce_columns","mce_shortcodes",17,{"type":58,"name":71,"callback":72,"file":73,"line":65},"tailored_tools_mce_buttons","add_mce_buttons","shortcodes.php",{"type":50,"name":75,"callback":76,"file":77,"line":78},"init","tailored_tools_register_scripts","tools.php",13,{"type":50,"name":80,"callback":81,"priority":82,"file":77,"line":83},"plugins_loaded","tailored_tools_plugins_loaded",11,39,[],[],[87,90],{"tag":88,"callback":89,"file":73,"line":53},"tabs","shortcode_ui_tabs",{"tag":91,"callback":92,"file":73,"line":56},"pagecontent","shortcode_pagecontent",[],0,{"dangerousFunctions":96,"sqlUsage":97,"outputEscaping":99,"fileOperations":94,"externalRequests":94,"nonceChecks":22,"capabilityChecks":14,"bundledLibraries":159},[],{"prepared":94,"raw":94,"locations":98},[],{"escaped":14,"rawEcho":100,"locations":101},28,[102,105,108,110,112,114,116,118,120,122,124,127,129,131,133,135,137,139,141,144,146,147,149,150,151,152,155,157],{"file":52,"line":103,"context":104},36,"raw output",{"file":106,"line":107,"context":104},"form.contact.php",130,{"file":106,"line":109,"context":104},166,{"file":106,"line":111,"context":104},167,{"file":106,"line":113,"context":104},168,{"file":106,"line":115,"context":104},169,{"file":106,"line":117,"context":104},170,{"file":106,"line":119,"context":104},176,{"file":106,"line":121,"context":104},177,{"file":106,"line":123,"context":104},178,{"file":125,"line":126,"context":104},"form.dummy.php",226,{"file":125,"line":128,"context":104},262,{"file":125,"line":130,"context":104},263,{"file":125,"line":132,"context":104},264,{"file":125,"line":134,"context":104},265,{"file":125,"line":136,"context":104},266,{"file":125,"line":138,"context":104},272,{"file":125,"line":140,"context":104},273,{"file":142,"line":143,"context":104},"googlemaps.php",40,{"file":142,"line":145,"context":104},42,{"file":142,"line":145,"context":104},{"file":142,"line":148,"context":104},43,{"file":142,"line":148,"context":104},{"file":142,"line":148,"context":104},{"file":142,"line":148,"context":104},{"file":153,"line":154,"context":104},"js\\tinymce-columns.js.php",18,{"file":156,"line":154,"context":104},"js\\tinymce.js.php",{"file":73,"line":158,"context":104},99,[160,163],{"name":161,"version":31,"knownCves":162},"jQuery",[],{"name":164,"version":31,"knownCves":165},"TinyMCE",[],[167,183,191,200],{"entryPoint":168,"graph":169,"unsanitizedCount":22,"severity":33},"admin_list_logs (form.contact.php:122)",{"nodes":170,"edges":180},[171,175],{"id":172,"type":173,"label":174,"file":106,"line":107},"n0","source","$_REQUEST['page']",{"id":176,"type":177,"label":178,"file":106,"line":107,"wp_function":179},"n1","sink","echo() [XSS]","echo",[181],{"from":172,"to":176,"sanitized":182},false,{"entryPoint":184,"graph":185,"unsanitizedCount":22,"severity":33},"admin_list_logs (form.dummy.php:218)",{"nodes":186,"edges":189},[187,188],{"id":172,"type":173,"label":174,"file":125,"line":126},{"id":176,"type":177,"label":178,"file":125,"line":126,"wp_function":179},[190],{"from":172,"to":176,"sanitized":182},{"entryPoint":192,"graph":193,"unsanitizedCount":22,"severity":199},"\u003Cform.contact> (form.contact.php:0)",{"nodes":194,"edges":197},[195,196],{"id":172,"type":173,"label":174,"file":106,"line":107},{"id":176,"type":177,"label":178,"file":106,"line":107,"wp_function":179},[198],{"from":172,"to":176,"sanitized":182},"low",{"entryPoint":201,"graph":202,"unsanitizedCount":22,"severity":199},"\u003Cform.dummy> (form.dummy.php:0)",{"nodes":203,"edges":206},[204,205],{"id":172,"type":173,"label":174,"file":125,"line":126},{"id":176,"type":177,"label":178,"file":125,"line":126,"wp_function":179},[207],{"from":172,"to":176,"sanitized":182},{"summary":209,"deductions":210},"The \"tailored-tools\" plugin v1.8.4 presents a mixed security picture.  On the positive side, the plugin demonstrates good practices by having no unprotected entry points, utilizing prepared statements for all SQL queries, and including nonce and capability checks on its identified entry points.  The absence of dangerous functions, file operations, and external HTTP requests further contributes to a generally secure static analysis profile. However, significant concerns arise from the output escaping, where only a low 7% of outputs are properly escaped. This, coupled with 4 taint flows with unsanitized paths, indicates a substantial risk of Cross-Site Scripting (XSS) vulnerabilities, especially considering the plugin's vulnerability history.\n\nThe plugin has a history of one known CVE, which is currently unpatched and classified as medium severity, specifically related to Cross-Site Scripting. This recent vulnerability, occurring in late 2024, strongly suggests that the output escaping issues identified in the static analysis are not theoretical but have been exploited or present in past versions. The fact that this vulnerability is unpatched is a critical concern. While the attack surface is small and appears protected, the insufficient output escaping and unsanitized taint flows, combined with a recent unpatched XSS vulnerability, point to a moderate to high-risk plugin. Users should exercise caution until the unpatched vulnerability is addressed and the output escaping is significantly improved.",[211,213,216,219],{"reason":212,"points":56},"Unpatched CVE exists (Medium severity)",{"reason":214,"points":215},"Low percentage of properly escaped output (7%)",8,{"reason":217,"points":218},"Taint flows with unsanitized paths (4)",6,{"reason":220,"points":221},"Bundled library (jQuery) might be outdated",3,"2026-03-16T21:22:56.021Z",{"wat":224,"direct":239},{"assetPaths":225,"generatorPatterns":231,"scriptPaths":232,"versionParams":233},[226,227,228,229,230],"\u002Fwp-content\u002Fplugins\u002Ftailored-tools\u002Fresource\u002Fcustom.css","\u002Fwp-content\u002Fplugins\u002Ftailored-tools\u002Fjs\u002Fjquery.validate.js","\u002Fwp-content\u002Fplugins\u002Ftailored-tools\u002Fjs\u002Fjquery.timepicker.js","\u002Fwp-content\u002Fplugins\u002Ftailored-tools\u002Fjs\u002Fjquery.geocomplete.js","\u002Fwp-content\u002Fplugins\u002Ftailored-tools\u002Fjs\u002Floader.js",[],[227,228,229,230],[234,235,236,237,238],"tailored-tools\u002Fresource\u002Fcustom.css?ver=","tailored-tools\u002Fjs\u002Fjquery.validate.js?ver=","tailored-tools\u002Fjs\u002Fjquery.timepicker.js?ver=","tailored-tools\u002Fjs\u002Fjquery.geocomplete.js?ver=","tailored-tools\u002Fjs\u002Floader.js?ver=",{"cssClasses":240,"htmlComments":244,"htmlAttributes":246,"restEndpoints":248,"jsGlobals":249,"shortcodeOutput":251},[241,242,243],"ui_tabs","tab_panel","googlemap",[245],"\u003C!-- Google Map -->",[247],"data-original-title",[],[250],"google",[252,253,254],"[tabs]","[pagecontent]","[googlemap]"]