[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fBQZBmB4Sock-xAGKsS5vmiVyoEwVtra3SHVW543tyio":3,"$fiRqbDoThngLvXZu2pVShuoW0Vn7NqDXBozHgQNonQkc":84,"$fRJm07deGGe5SAQBHhqkZtxbONIIaUK065dARBStxbYw":89},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":15,"requires_php":15,"tags":16,"homepage":17,"download_link":18,"security_score":19,"vuln_count":13,"unpatched_count":13,"last_vuln_date":20,"fetched_at":21,"discovery_status":22,"vulnerabilities":23,"developer":24,"crawl_stats":20,"alternatives":32,"analysis":33,"fingerprints":69},"top-recent-commenters","Top\u002FRecent Commenters","1.0","Scott Reilly","https:\u002F\u002Fprofiles.wordpress.org\u002Fcoffee2code\u002F","\u003Cp>Retrieve the top commenters or most recent commenters to your site (if called outside “the loop”) or for a particular post (if called inside “the loop”).\u003C\u002Fp>\n","Retrieve the top commenters or most recent commenters to your site (if called outside \"the loop\") or for a particular post (if called inside \"the 
loop\").",10,2812,0,"2005-03-25T06:58:00.000Z","",[],"http:\u002F\u002Fwww.coffee2code.com\u002Fwp-plugins\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftop-recent-commenters.zip",85,null,"2026-04-16T10:56:18.058Z","no_bundle",[],{"slug":25,"display_name":7,"profile_url":8,"plugin_count":26,"total_installs":27,"avg_security_score":28,"avg_patch_time_days":29,"trust_score":30,"computed_at":31},"coffee2code",63,91830,88,374,71,"2026-05-19T20:15:36.884Z",[],{"attackSurface":34,"codeSignals":40,"taintFlows":61,"riskAssessment":62,"analyzedAt":68},{"hooks":35,"ajaxHandlers":36,"restRoutes":37,"shortcodes":38,"cronEvents":39,"entryPointCount":13,"unprotectedCount":13},[],[],[],[],[],{"dangerousFunctions":41,"sqlUsage":42,"outputEscaping":45,"fileOperations":13,"externalRequests":13,"nonceChecks":13,"capabilityChecks":13,"bundledLibraries":60},[],{"prepared":43,"raw":13,"locations":44},1,[],{"escaped":13,"rawEcho":46,"locations":47},5,[48,52,54,56,58],{"file":49,"line":50,"context":51},"get-commenters.php",101,"raw output",{"file":49,"line":53,"context":51},103,{"file":49,"line":55,"context":51},107,{"file":49,"line":57,"context":51},109,{"file":49,"line":59,"context":51},110,[],[],{"summary":63,"deductions":64},"The \"top-recent-commenters\" plugin v1.0 presents a mixed security profile. On the positive side, its static analysis reveals no dangerous functions, no file operations, and crucially, the single SQL query observed uses prepared statements, which is a strong security practice against SQL injection. The absence of external HTTP requests and the lack of bundled libraries also reduce the attack surface. However, a significant concern is the complete lack of output escaping, with 0% of the 5 observed outputs being properly escaped. 
This indicates a high risk of Cross-Site Scripting (XSS) vulnerabilities. Concretely, the values the plugin renders are commenter display names and commenter homepage URLs (the sample output shows each name emitted as link text and each URL placed in an href and a title attribute), and those values are supplied by the site's commenters themselves. Because the plugin performs no escaping at render time, any protection rests entirely on how the data was filtered when it was stored; the fix is to escape at the point of output regardless of input handling, using WordPress's escaping helpers (esc_html for text, esc_url for href values, esc_attr for attribute values) at the five raw outputs in get-commenters.php (lines 101, 103, 107, 109 and 110).\n\nThe vulnerability history is currently clean, with no known CVEs. That should be read in context: the plugin is at version 1.0, was last updated in March 2005, and declares no tested-up-to or minimum WordPress/PHP version, so the absence of disclosures more likely reflects a lack of scrutiny of an unmaintained plugin than evidence of safety, and it does not negate the risks identified in the static analysis, particularly the lack of output escaping. The absence of identified taint flows should likewise not be taken as reassurance: the analysis found no hooks, AJAX handlers, REST routes, shortcodes or cron events (entry point count 0), which is consistent with the plugin being called directly from theme templates inside or outside the loop rather than through any registered entry point. With no entry points to trace from, the empty taint-flow list says nothing about whether stored commenter data reaches the unescaped outputs.\n\nIn conclusion, while the plugin demonstrates good practices in areas like SQL query handling and avoiding risky functions, the critical failure in output escaping creates a substantial stored-XSS risk. The clean vulnerability history is a positive, but the identified code signals necessitate immediate attention to address the unescaped output to prevent potential client-side attacks; given the plugin's age and apparent lack of maintenance, site owners should also weigh replacing it rather than waiting for an upstream fix.",[65],{"reason":66,"points":67},"Unescaped output found",15,"2026-03-17T00:27:23.151Z",{"wat":70,"direct":75},{"assetPaths":71,"generatorPatterns":72,"scriptPaths":73,"versionParams":74},[],[],[],[],{"cssClasses":76,"htmlComments":77,"htmlAttributes":78,"restEndpoints":79,"jsGlobals":80,"shortcodeOutput":81},[],[],[],[],[],[82,83],"\u003Cul>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fwww.joebob.org\" title=\"Visit Joe Bob's site\">Joe Bob\u003C\u002Fa> (75)\u003C\u002Fli>\n\u003Cli>No Homepage Guy (56)\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fwww.suzy.org\" title=\"Visit Suzy's site\">Suzy\u003C\u002Fa> (41)\u003C\u002Fli>\n\u003C\u002Ful>","Recent love from: \u003Ca href=\"http:\u002F\u002Fwww.joebob.org\" title=\"Visit Joe Bob's site\">Joe Bob\u003C\u002Fa>,\nNo Homepage Guy,\n\u003Ca href=\"http:\u002F\u002Fwww.suzy.org\" title=\"Visit Suzy's 
site\">Suzy\u003C\u002Fa>",{"error":85,"url":86,"statusCode":87,"statusMessage":88,"message":88},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Ftop-recent-commenters\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":13,"versions":90},[]]