[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6rButZKcUwB3rbWGXdsbgTI9ldwvhHjGaZPRjrrkRTo":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":29,"last_vuln_date":30,"fetched_at":31,"vulnerabilities":32,"developer":49,"crawl_stats":38,"alternatives":57,"analysis":155,"fingerprints":231},"unconfirmed","Unconfirmed","1.3.7","Boone Gorges","https:\u002F\u002Fprofiles.wordpress.org\u002Fboonebgorges\u002F","\u003Cp>If you run a WordPress or BuddyPress installation, you probably know that some of the biggest administrative headaches come from the activation process. Activation emails may be caught by spam filters, deleted unwillingly, or simply not understood. Yet WordPress itself has no UI for viewing and managing unactivated members.\u003C\u002Fp>\n\u003Cp>Unconfirmed creates a Dashboard panel under the Users menu (Network Admin > Users on Multisite) that shows a list of unactivated user registrations. For each registration, you have the option of resending the original activation email, or manually activating the user.\u003C\u002Fp>\n\u003Cp>Note that the plugin works for the following configurations:\u003Cbr \u002F>\n1. Multisite, with or without BuddyPress\u003Cbr \u002F>\n2. 
Single site, with BuddyPress used for user registration\u003C\u002Fp>\n\u003Cp>There is currently no support for single-site WP registration without BuddyPress.\u003C\u002Fp>\n","Allows WordPress admins to manage unactivated users, by activating them manually, deleting their pending registrations, or resending the activation em &hellip;",2000,246166,90,47,"2023-12-04T19:58:00.000Z","6.4.8","3.1","",[20,21,22,23,24],"activate","activation","email","multisite","network","http:\u002F\u002Fgithub.com\u002Fboonebgorges\u002Funconfirmed","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Funconfirmed.1.3.7.zip",84,1,0,"2014-04-11 00:00:00","2026-03-15T15:16:48.613Z",[33],{"id":34,"url_slug":35,"title":36,"description":37,"plugin_slug":4,"theme_slug":38,"affected_versions":39,"patched_in_version":40,"severity":41,"cvss_score":42,"cvss_vector":43,"vuln_type":44,"published_date":30,"updated_date":45,"references":46,"days_to_patch":48},"CVE-2014-100018","unconfirmed-reflected-cross-site-scripting","Unconfirmed \u003C 1.2.5 - Reflected Cross-Site Scripting","Cross-site scripting (XSS) vulnerability in the Unconfirmed plugin before 1.2.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter in the unconfirmed page to wp-admin\u002Fnetwork\u002Fusers.php.",null,"\u003C1.2.5","1.2.5","high",7.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:L","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2024-01-22 
19:56:02",[47],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F62128061-1ecc-484c-a054-4925f9ac6105?source=api-prod",3574,{"slug":50,"display_name":7,"profile_url":8,"plugin_count":51,"total_installs":52,"avg_security_score":53,"avg_patch_time_days":54,"trust_score":55,"computed_at":56},"boonebgorges",27,11620,88,1864,71,"2026-04-04T00:54:49.875Z",[58,77,97,117,135],{"slug":59,"name":60,"version":61,"author":62,"author_profile":63,"description":64,"short_description":65,"active_installs":66,"downloaded":67,"rating":68,"num_ratings":69,"last_updated":70,"tested_up_to":71,"requires_at_least":72,"requires_php":18,"tags":73,"homepage":74,"download_link":75,"security_score":76,"vuln_count":29,"unpatched_count":29,"last_vuln_date":38,"fetched_at":31},"network-mass-email","Network Mass Email","1.5","Kenny Zaron","https:\u002F\u002Fprofiles.wordpress.org\u002Fkzaron\u002F","\u003Cp>This plugin allows for network administrators on WordPress multisite environments to send an email to users that\u003Cbr \u002F>\nthey select based on the users’ roles in individual sites. For example, checking only “editors” will go through\u003Cbr \u002F>\neach active site and add anyone with the role of “editor” to your list of emails to send to.\u003C\u002Fp>\n\u003Cp>To use the plugin after installation & activation, find Users \u002F Mass Email in the network admin dashboard in your\u003Cbr \u002F>\nmultisite install. Then, select the user types you wish to email and click on the button for “Load the List”. This\u003Cbr \u002F>\nwill load the list of users to email. Then you may compose your email in the boxes provided and click the send\u003Cbr \u002F>\nbutton at the bottom of the screen. If all goes well you will be presented with a confirmation page indicating\u003Cbr \u002F>\nthat your email was sent successfully.\u003C\u002Fp>\n\u003Cp>This plugin is NOT intended for administrators to be sending unsolicited spam to their users. 
In fact, it was\u003Cbr \u002F>\ncreated with more formal environments in mind. One example would be a University setting where administrators\u003Cbr \u002F>\nof the network may need to notify students and faculty of potential downtime. With the plugin’s implementation\u003Cbr \u002F>\nI would imagine it would be a highly inefficient way of sending spam anyway.\u003C\u002Fp>\n","Allows network admins to send a manually created notification email to all registered users based on user role.",10,4674,86,4,"2013-01-23T16:39:00.000Z","3.5.2","3.3",[22,23,24],"http:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Fnetwork-mass-email\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnetwork-mass-email.1.5.zip",85,{"slug":78,"name":79,"version":80,"author":81,"author_profile":82,"description":83,"short_description":84,"active_installs":85,"downloaded":86,"rating":29,"num_ratings":29,"last_updated":87,"tested_up_to":88,"requires_at_least":89,"requires_php":90,"tags":91,"homepage":95,"download_link":96,"security_score":76,"vuln_count":29,"unpatched_count":29,"last_vuln_date":38,"fetched_at":31},"metro-share-widget","Metro Share Widget","1.0.1","WPManiax","https:\u002F\u002Fprofiles.wordpress.org\u002Fwpmaniax\u002F","\u003Cp>This plugin ads \u003Cstrong>Metro style social share widget\u003C\u002Fstrong> to your sidebar.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>5 most popular\u003C\u002Fstrong> social networks supported.\u003C\u002Fp>\n\u003Cp>Metro Share Widget is super easy to install and configure.\u003C\u002Fp>\n\u003Cp>More \u003Ca href=\"http:\u002F\u002Fwww.wpmaniax.com\u002Fmetro-share-widget\u002F\" rel=\"nofollow ugc\">screenshots and live sample\u003C\u002Fa> you can see on plugins’ home page\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Main Features:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Easy to install and configure\u003C\u002Fli>\n\u003Cli>Most popular social networks supported (Facebook, Twitter, Google Plus, LinkedIn, Reddit 
)\u003C\u002Fli>\n\u003Cli>Fully responsive\u003C\u002Fli>\n\u003Cli>Configure where to show (posts, pages, home)\u003C\u002Fli>\n\u003Cli>Metro style elegant design\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Feedback\u003C\u002Fh3>\n\u003Cp>http:\u002F\u002Fwww.wpmaniax.com\u002Fmetro-share-widget\u002F\u003C\u002Fp>\n","Add Metro style social share widget to your sidebar. 5 most popular social networks supported",100,4010,"2017-11-09T10:45:00.000Z","4.9.29","3.6","5.4",[92,93,22,94,24],"bookmark","e-mail","link","http:\u002F\u002Fwww.wpmaniax.com\u002Fmetro-share-widget","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmetro-share-widget.1.0.1.zip",{"slug":98,"name":99,"version":100,"author":101,"author_profile":102,"description":103,"short_description":104,"active_installs":85,"downloaded":105,"rating":85,"num_ratings":106,"last_updated":107,"tested_up_to":108,"requires_at_least":109,"requires_php":18,"tags":110,"homepage":114,"download_link":115,"security_score":116,"vuln_count":29,"unpatched_count":29,"last_vuln_date":38,"fetched_at":31},"network-username-restrictions-override","Network Username Restrictions Override","1.3","Daniel Westermann-Clark","https:\u002F\u002Fprofiles.wordpress.org\u002Fdwc\u002F","\u003Cp>By default, WordPress network usernames cannot contain anything but lowercase letters and numbers. This plugin adds network options to let you include hyphens, underscores, or uppercase letters, if desired.\u003C\u002Fp>\n\u003Cp>Furthermore, this plugin gives you the option to allow email addresses as usernames, or to allow all-numeric usernames (e.g. 
“1234”).\u003C\u002Fp>\n\u003Cp>Finally, this plugin lets you override the minimum length for usernames (which defaults to four characters).\u003C\u002Fp>\n\u003Cp>To follow updates to this plugin, visit:\u003C\u002Fp>\n\u003Cp>https:\u002F\u002Fdanieltwc.com\u002F\u003C\u002Fp>\n\u003Cp>For help with this version, visit:\u003C\u002Fp>\n\u003Cp>https:\u002F\u002Fdanieltwc.com\u002F2011\u002Fnetwork-username-restrictions-override-1-0\u002F\u003C\u002Fp>\n","Override restrictions on WordPress network usernames.",10464,2,"2024-04-24T14:02:00.000Z","6.5.8","3.4",[111,112,23,24,113],"admin","authentication","wpmu","https:\u002F\u002Fdanieltwc.com\u002F2011\u002Fnetwork-username-restrictions-override-1-0\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnetwork-username-restrictions-override.1.3.zip",92,{"slug":118,"name":119,"version":120,"author":121,"author_profile":122,"description":123,"short_description":124,"active_installs":85,"downloaded":125,"rating":116,"num_ratings":126,"last_updated":127,"tested_up_to":88,"requires_at_least":128,"requires_php":18,"tags":129,"homepage":18,"download_link":134,"security_score":76,"vuln_count":29,"unpatched_count":29,"last_vuln_date":38,"fetched_at":31},"plugin-activation-status","Plugin Activation Status","1.0.2.1","Curtiss Grymala","https:\u002F\u002Fprofiles.wordpress.org\u002Fcgrymala\u002F","\u003Cp>Plugin Activation Status makes it easier for owners of multisite and multi-network WordPress installations to perform plugin audits on their installations. The plugin generates a list of plugins that are not currently active on any sites or networks. It generates a separate list of plugins that are active somewhere within the installation, and provides details about where and how those plugins are activated.\u003C\u002Fp>\n\u003Cp>This plugin first retrieves a full list of all of the plugins that are network-activated throughout your installation. 
Then, it loops through all of the sites in your installation, retrieving a list of all of the active plugins on each site. Next, it runs a diff between the full list of installed plugins and the list of all active plugins.\u003C\u002Fp>\n\u003Cp>Once it retrieves all of that information, it outputs two separate lists.\u003C\u002Fp>\n\u003Cp>The first list is the list of Inactive Plugins; all plugins that are installed, but not activated anywhere within WordPress will be listed there. The second list shows all of the Active Plugins; all plugins that are installed and activated somewhere within WordPress are shown there.\u003C\u002Fp>\n\u003Cp>Within the Active Plugins list, each plugin also has a list of all of the places the plugin is active (at the top, a list of all of the places it’s network-active; at the bottom, all of the places it’s normally-activated).\u003C\u002Fp>\n\u003Cp>When the plugin generates the lists of plugins, it stores those lists as site options in the database, so the lists can be retrieved for reference without using any additional server resources. 
If you would like to remove those cached lists and generate new lists, you simply have to click the Continue button on the admin page.\u003C\u002Fp>\n","Scans a multisite or multi-network installation to identify all plugins that are active or not.",26167,14,"2018-04-03T19:04:00.000Z","3.8",[130,131,23,132,133],"active","multi-network","network-active","plugins","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fplugin-activation-status.1.0.2.1.zip",{"slug":136,"name":137,"version":138,"author":139,"author_profile":140,"description":141,"short_description":142,"active_installs":85,"downloaded":143,"rating":144,"num_ratings":145,"last_updated":146,"tested_up_to":147,"requires_at_least":148,"requires_php":18,"tags":149,"homepage":153,"download_link":154,"security_score":76,"vuln_count":29,"unpatched_count":29,"last_vuln_date":38,"fetched_at":31},"user-activation-keys","User Activation Keys","4.6","David Sader","https:\u002F\u002Fprofiles.wordpress.org\u002Fdsader\u002F","\u003Cp>A \u003Ca href=\"https:\u002F\u002Fcodex.wordpress.org\u002FCreate_A_Network\" rel=\"nofollow ugc\">Multisite\u003C\u002Fa> Network plugin.\u003C\u002Fp>\n\u003Cp>Ever signup a user account, delete it, and try to signup up the same username again?\u003C\u002Fp>\n\u003Cp>Ever try to support a new user who created a username, but entered the wrong email address and so can’t activate, and can’t signup with the same username?\u003C\u002Fp>\n\u003Cp>Ever wanted to signup a bunch of users with phony emails so users without email could start blogging right away?\u003C\u002Fp>\n\u003Cp>I have, so I made a plugin to help me.\u003C\u002Fp>\n\u003Cp>WP Network Multisite “mu-plugin” for user activation key removal or approval.\u003C\u002Fp>\n\u003Cp>See Network–>Users–>”User Activation Keys” to delete activation keys – to allow immediate (re)signup of users who otherwise get the “try again in two days” message.\u003C\u002Fp>\n\u003Cp>Also, users waiting to be activated (or can’t because the 
email with the generated activation link is “gone”) can be approved manually.\u003C\u002Fp>\n","A Multisite Network plugin for user activation key removal or approval.",42257,96,20,"2016-08-08T23:29:00.000Z","4.6.30","3.5",[21,24,150,151,152],"network-user-activation","signup","username","http:\u002F\u002Fdsader.snowotherway.org\u002Fwordpress-plugins\u002Fuser-activation-keys\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuser-activation-keys.zip",{"attackSurface":156,"codeSignals":182,"taintFlows":196,"riskAssessment":224,"analyzedAt":230},{"hooks":157,"ajaxHandlers":178,"restRoutes":179,"shortcodes":180,"cronEvents":181,"entryPointCount":29,"unprotectedCount":29},[158,164,168,172],{"type":159,"name":160,"callback":161,"file":162,"line":163},"filter","bbg_cpt_pag_add_args","add_args","includes\\class-bbg-unconfirmed.php",65,{"type":159,"name":165,"callback":166,"file":162,"line":167},"boones_sortable_columns_keys_to_remove","sortable_keys_to_remove",67,{"type":159,"name":169,"callback":170,"priority":66,"file":162,"line":171},"map_meta_cap","map_moderate_signups_cap",69,{"type":173,"name":174,"callback":175,"file":176,"line":177},"action","plugins_loaded","BBG_Unconfirmed","unconfirmed.php",31,[],[],[],[],{"dangerousFunctions":183,"sqlUsage":184,"outputEscaping":190,"fileOperations":29,"externalRequests":29,"nonceChecks":193,"capabilityChecks":194,"bundledLibraries":195},[],{"prepared":185,"raw":28,"locations":186},22,[187],{"file":162,"line":188,"context":189},681,"$wpdb->get_results() with variable interpolation",{"escaped":191,"rawEcho":29,"locations":192},37,[],6,3,[],[197,216],{"entryPoint":198,"graph":199,"unsanitizedCount":29,"severity":215},"admin_panel_main (includes\\class-bbg-unconfirmed.php:835)",{"nodes":200,"edges":212},[201,206],{"id":202,"type":203,"label":204,"file":162,"line":205},"n0","source","$_REQUEST",919,{"id":207,"type":208,"label":209,"file":162,"line":210,"wp_function":211},"n1","sink","echo() 
[XSS]",932,"echo",[213],{"from":202,"to":207,"sanitized":214},true,"low",{"entryPoint":217,"graph":218,"unsanitizedCount":29,"severity":215},"\u003Cclass-bbg-unconfirmed> (includes\\class-bbg-unconfirmed.php:0)",{"nodes":219,"edges":222},[220,221],{"id":202,"type":203,"label":204,"file":162,"line":205},{"id":207,"type":208,"label":209,"file":162,"line":210,"wp_function":211},[223],{"from":202,"to":207,"sanitized":214},{"summary":225,"deductions":226},"The \"unconfirmed\" plugin v1.3.7 exhibits a strong static analysis profile, with no identified entry points lacking authentication, no dangerous functions, and all SQL queries utilizing prepared statements. Furthermore, all output is properly escaped, there are no file operations or external HTTP requests, and the plugin demonstrates a good use of nonce and capability checks. Taint analysis also shows no critical or high severity flows with unsanitized paths. This indicates a developer who has implemented many robust security practices.\n\nHowever, the plugin does have a history of one high severity vulnerability, specifically Cross-Site Scripting, recorded in 2014. While this vulnerability is marked as patched, the presence of past high-severity issues, even if resolved, warrants attention. It suggests a potential for complex vulnerabilities to arise if not continually monitored and updated. The lack of any recent vulnerabilities is positive, but the past high-severity finding is a reminder that past issues can sometimes resurface or indicate areas where the code might be more susceptible.\n\nIn conclusion, the \"unconfirmed\" plugin v1.3.7 presents a generally good security posture due to its excellent static analysis results and current lack of unpatched vulnerabilities. The developer's adherence to secure coding practices like prepared statements and output escaping is commendable. 
The primary concern stems from the historical high-severity XSS vulnerability, which, despite being patched, serves as a flag for potential future risks in similar code areas. Users should remain vigilant for any future updates or security advisories related to this plugin.",[227],{"reason":228,"points":229},"High severity vulnerability in history",15,"2026-03-16T18:40:54.329Z",{"wat":232,"direct":239},{"assetPaths":233,"generatorPatterns":235,"scriptPaths":236,"versionParams":237},[234],"\u002Fwp-content\u002Fplugins\u002Funconfirmed\u002Fcss\u002Fstyle.css",[],[],[238],"unconfirmed\u002Fcss\u002Fstyle.css?ver=",{"cssClasses":240,"htmlComments":241,"htmlAttributes":242,"restEndpoints":243,"jsGlobals":244,"shortcodeOutput":245},[],[],[],[],[],[]]