[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$foJktyA3ZV_pCmtgofkYr0hq6uz9P0fYm1ZMqZ1taj9g":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":24,"download_link":25,"security_score":26,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29,"vulnerabilities":30,"developer":45,"crawl_stats":36,"alternatives":51,"analysis":160,"fingerprints":408},"user-session-synchronizer","User Session Synchronizer","1.4.0","rafasashi","https:\u002F\u002Fprofiles.wordpress.org\u002Frafasashi\u002F","\u003Cp>User Session Synchronizer allows you to keep the user logged in from one wordpress to another by synchronizing user data and cookie session based on a verified email.\u003Cbr \u002F>\nThe user email is encrypted based on the current user ip and a secret key shared by the synchronized wordpress installations.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Synchronize session between installations\u003C\u002Fli>\n\u003Cli>Verify user email through new registration\u003C\u002Fli>\n\u003Cli>Verify user email through manual admin action\u003C\u002Fli>\n\u003Cli>Verify user email through email verification code\u003C\u002Fli>\n\u003Cli>Prevent user form changing email\u003C\u002Fli>\n\u003Cli>Display historical sessions\u003C\u002Fli>\n\u003Cli>Auto add new subscriber if user doesn’t exist\u003C\u002Fli>\n\u003Cli>Destroy session everywhere on logging out\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Upcoming\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Multiple secret keys & networks\u003C\u002Fli>\n\u003Cli>Enable ajax cross-domain requests\u003C\u002Fli>\n\u003C\u002Ful>\n","Keep the user logged in from one wordpress to another by synchronizing user data and cookie session",100,8183,98,13,"2023-06-29T05:45:00.000Z","6.2.9","4.3","",[20,21,22,23],"cookie","session","synchronizer","user","https:\u002F\u002Fcode.recuweb.com\u002Fget\u002Fuser-session-synchronizer\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuser-session-synchronizer.1.4.0.zip",63,1,"2025-04-09 00:00:00","2026-03-15T15:16:48.613Z",[31],{"id":32,"url_slug":33,"title":34,"description":35,"plugin_slug":4,"theme_slug":36,"affected_versions":37,"patched_in_version":36,"severity":38,"cvss_score":39,"cvss_vector":40,"vuln_type":41,"published_date":28,"updated_date":42,"references":43,"days_to_patch":36},"CVE-2025-32612","user-session-synchronizer-cross-site-request-forgery-to-stored-cross-site-scripting","User Session Synchronizer \u003C= 1.4.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting","The User Session Synchronizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",null,"\u003C=1.4.0","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2025-04-15 14:00:16",[44],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2c79caf2-1639-4ae3-b39b-2838db6febb0?source=api-prod",{"slug":7,"display_name":7,"profile_url":8,"plugin_count":46,"total_installs":47,"avg_security_score":48,"avg_patch_time_days":27,"trust_score":49,"computed_at":50},3,1180,82,87,"2026-04-05T01:32:56.733Z",[52,71,96,118,142],{"slug":53,"name":54,"version":55,"author":56,"author_profile":57,"description":58,"short_description":59,"active_installs":60,"downloaded":61,"rating":11,"num_ratings":46,"last_updated":62,"tested_up_to":63,"requires_at_least":64,"requires_php":18,"tags":65,"homepage":67,"download_link":68,"security_score":69,"vuln_count":70,"unpatched_count":70,"last_vuln_date":36,"fetched_at":29},"easy-timeout-session","Easy Timeout Session","1.1","jokiruiz","https:\u002F\u002Fprofiles.wordpress.org\u002Fjokioki\u002F","\u003Cp>The Easy Timeout Session WordPress plugin allows you to change the session\u003Cbr \u002F>\nduration for the WordPress user.\u003C\u002Fp>\n\u003Col>\n\u003Cli>\n\u003Cp>Open Timeout Session Page\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Specify the session length (you can specify in seconds, hours or days)\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>Do you use worpdress admin with an iPad? Don´t worry, this plugin is fully\u003Cbr \u002F>\nadapted for tablets and smartphones.\u003C\u002Fp>\n\u003Cp>\u003Cem>Thank you for downloading! your feedback is well appreciated!\u003C\u002Fem>\u003C\u002Fp>\n","The Easy Timeout Session WordPress plugin allows you to change the session duration for the WordPress user.",200,6836,"2015-11-02T12:36:00.000Z","4.3.34","3.0.1",[66],"timeout-session-cookie-user-wordpress-login-logout","http:\u002F\u002Fwordpress.org\u002Fplugins\u002Feasy-timeout-session\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feasy-timeout-session.zip",85,0,{"slug":72,"name":73,"version":74,"author":75,"author_profile":76,"description":77,"short_description":78,"active_installs":79,"downloaded":80,"rating":13,"num_ratings":81,"last_updated":82,"tested_up_to":83,"requires_at_least":84,"requires_php":85,"tags":86,"homepage":92,"download_link":93,"security_score":94,"vuln_count":27,"unpatched_count":70,"last_vuln_date":95,"fetched_at":29},"loggedin","Loggedin – Limit Concurrent Sessions","2.0.4","Joel James","https:\u002F\u002Fprofiles.wordpress.org\u002Fjoelcj91\u002F","\u003Cp>Loggedin is a lightweight WordPress plugin that lets you easily limit the number of simultaneous active sessions a user can have. This is a crucial feature for membership sites, online courses, and other platforms where you need to prevent users from sharing their accounts.\u003C\u002Fp>\n\u003Ch3>🎁 Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Set Global Limits\u003C\u002Fstrong>: Define a maximum number of concurrent logins for all users.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Flexible Login Behavior\u003C\u002Fstrong>: Choose to either block new logins when the limit is reached or automatically log out the oldest session to allow a new one.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Prevent Account Sharing\u003C\u002Fstrong>: By limiting sessions, you can effectively stop users from sharing their login credentials with others.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Admin Control\u003C\u002Fstrong>: Easily force log out a user from the admin dashboard, giving you full control over active sessions.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer-Friendly\u003C\u002Fstrong>: The plugin is built with a hook-based architecture, making it highly customizable and extensible for developers.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>📦 Addons\u003C\u002Fh3>\n\u003Cp>Enhance LoggedIn’s functionality with these simple yet powerful \u003Ca href=\"https:\u002F\u002Fduckdev.com\u002Faddons\u002Floggedin\u002F\" rel=\"nofollow ugc\">add-ons\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fduckdev.com\u002Faddon\u002Flimit-per-user\u002F\" rel=\"nofollow ugc\">Limit Per User\u003C\u002Fa>\u003C\u002Fstrong>: For more granular control, the Limit Per User addon allows you to set specific login limits for individual users, overriding the global settings. This is perfect for offering different tiers of access or special privileges.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fduckdev.com\u002Faddon\u002Freal-time-logout\u002F\" rel=\"nofollow ugc\">Real-time Logout\u003C\u002Fa>\u003C\u002Fstrong>: This add-on ensures a truly seamless experience by checking for logouts in real time. When a user’s session is terminated in the background due to a login limit, the add-on will automatically refresh their page, instantly restricting access.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🐛 Bug Reports\u003C\u002Fh3>\n\u003Cp>Found a bug? We welcome your bug reports! Please report any issues directly on the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FJoel-James\u002Floggedin\u002Fissues\" rel=\"nofollow ugc\">Loggedin GitHub repository\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>\u003Cem>Please note: GitHub is for bug reports and development-related issues only. For support, please use the WordPress.org support forums.\u003C\u002Fem>\u003C\u002Fp>\n","Lightweight plugin that limits an account to a specific number of concurrent logins.",8000,115897,110,"2026-01-02T06:30:00.000Z","6.9.4","5.0","7.4",[87,88,89,90,91],"limit","login","logout","sessions","user-login","https:\u002F\u002Fduckdev.com\u002Fproducts\u002Floggedin-limit-active-logins\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Floggedin.2.0.4.zip",99,"2024-09-30 19:43:37",{"slug":97,"name":98,"version":99,"author":100,"author_profile":101,"description":102,"short_description":103,"active_installs":104,"downloaded":105,"rating":106,"num_ratings":107,"last_updated":108,"tested_up_to":109,"requires_at_least":110,"requires_php":18,"tags":111,"homepage":114,"download_link":115,"security_score":116,"vuln_count":27,"unpatched_count":70,"last_vuln_date":117,"fetched_at":29},"remember-me-controls","Remember Me Controls","2.1","Scott Reilly","https:\u002F\u002Fprofiles.wordpress.org\u002Fcoffee2code\u002F","\u003Cp>Take control of the “Remember Me” login feature for WordPress by having it enabled by default, customize how long users are remembered, or disable this built-in feature by default.\u003C\u002Fp>\n\u003Cp>For those unfamiliar, “Remember Me” is a checkbox present when logging into WordPress. If checked, WordPress will remember the login session for 14 days. If unchecked, the login session will be remembered for only 2 days. Once a login session expires, WordPress will require you to log in again if you wish to continue using the admin section of the site.\u003C\u002Fp>\n\u003Cp>This plugin provides three primary controls over the behavior of the “Remember Me” feature:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Automatically check “Remember Me” : The ability to have the “Remember Me” checkbox automatically checked when the login form is loaded (it isn’t checked by default).\u003C\u002Fli>\n\u003Cli>Customize the duration of the “Remember Me” : The ability to customize how long WordPress will remember a login session when “Remember Me” is checked, either forever or a customizable number of hours.\u003C\u002Fli>\n\u003Cli>Disable “Remember Me” : The ability to completely disable the feature, preventing the checkbox from appearing and restricting all login sessions to 2 days.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>NOTE: WordPress remembers who you are based on cookies stored in your web browser. If you use a different web browser, clear your cookies, use a browser on a different machine, or uninstall\u002Freinstall (and possibly even just restarting) your browser then you will have to log in again since WordPress will not be able to locate the cookies needed to identify you.\u003C\u002Fp>\n\u003Ch4>Compatibility\u003C\u002Fh4>\n\u003Cp>Other than the plugins listed below, compatibility has not been tested or attempted for any other third-party plugins that provide their own login widgets or login handling.\u003C\u002Fp>\n\u003Cp>Special handling has been added to provide compatibility with the following plugins:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fbuddypress\u002F\" rel=\"ugc\">BuddyPress\u003C\u002Fa> (in particular, its “Log in” widget)\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fsidebar-login\u002F\" rel=\"ugc\">Sidebar Login\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Flogin-sidebar-widget\u002F\" rel=\"ugc\">Login Widget With Shortcode\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Links: \u003Ca href=\"https:\u002F\u002Fcoffee2code.com\u002Fwp-plugins\u002Fremember-me-controls\u002F\" rel=\"nofollow ugc\">Plugin Homepage\u003C\u002Fa> | \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fremember-me-controls\u002F\" rel=\"ugc\">Plugin Directory Page\u003C\u002Fa> | \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fcoffee2code\u002Fremember-me-controls\u002F\" rel=\"nofollow ugc\">GitHub\u003C\u002Fa> | \u003Ca href=\"https:\u002F\u002Fcoffee2code.com\" rel=\"nofollow ugc\">Author Homepage\u003C\u002Fa>\u003C\u002Fp>\n","Have \"Remember Me\" checked by default on the login page and configure how long a login is remembered. Or disable the feature altogether.",4000,51395,86,7,"2024-09-04T19:20:00.000Z","6.6.5","5.5",[20,88,112,113,21],"remember","remember-me","https:\u002F\u002Fcoffee2code.com\u002Fwp-plugins\u002Fremember-me-controls\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fremember-me-controls.2.1.zip",91,"2024-09-05 00:00:00",{"slug":119,"name":120,"version":121,"author":122,"author_profile":123,"description":124,"short_description":125,"active_installs":126,"downloaded":127,"rating":11,"num_ratings":128,"last_updated":129,"tested_up_to":130,"requires_at_least":131,"requires_php":18,"tags":132,"homepage":137,"download_link":138,"security_score":139,"vuln_count":140,"unpatched_count":140,"last_vuln_date":141,"fetched_at":29},"cookie-warning","Cookie Warning","1.3","Dourou","https:\u002F\u002Fprofiles.wordpress.org\u002Fdourou\u002F","\u003Cp>To comply with the May 2011 EU cookie law whose enforcement will start in May 2012 for UK website owners, this plugin welcomes your first time visitors with\u003Cbr \u002F>\na custom message asking for their consent using cookies on your website and redirects them out of your site if they disagree. It is a solution that strictly\u003Cbr \u002F>\ncomplies with the law.\u003C\u002Fp>\n\u003Cp>You can customize the message displayed as well as the text of the ‘I agree’ button and of the ‘I disagree’ link.\u003C\u002Fp>\n\u003Cp>This plugin was written with the EU cookie law in mind but can be used for any terms and conditions you need your visitors to approve before\u003Cbr \u002F>\nviewing your site.\u003C\u002Fp>\n\u003Ch3>User guide\u003C\u002Fh3>\n\u003Ch4>To customize the message displayed\u003C\u002Fh4>\n\u003Cp>Go to \u003Ccode>Settings > Cookie Warning\u003C\u002Fcode>. On that page, you will be able to change: the message displayed, the redirect link – when visitors do not accept the cookies,\u003Cbr \u002F>\nthe wording of the ‘Accept’ button and ‘Do not accept’ link.\u003C\u002Fp>\n","Asks users' consent for using cookies or redirects them out of your site.",800,42838,5,"2013-08-09T10:40:00.000Z","3.6.1","3.3.2",[119,133,134,135,136],"eu-cookie-law","terms-and-conditions","uk-cookie-law","user-privacy","http:\u002F\u002Fmajweb.co.uk\u002Fservices\u002Fcookie-warning","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcookie-warning.1.3.zip",42,2,"2025-08-18 00:00:00",{"slug":143,"name":144,"version":145,"author":146,"author_profile":147,"description":148,"short_description":149,"active_installs":150,"downloaded":151,"rating":152,"num_ratings":107,"last_updated":153,"tested_up_to":154,"requires_at_least":155,"requires_php":18,"tags":156,"homepage":18,"download_link":159,"security_score":69,"vuln_count":70,"unpatched_count":70,"last_vuln_date":36,"fetched_at":29},"user-session-control","User Session Control","0.3.1","Frankie Jarrett","https:\u002F\u002Fprofiles.wordpress.org\u002Ffjarrett\u002F","\u003Cp>\u003Cstrong>Did you find this plugin helpful? Please consider \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fview\u002Fplugin-reviews\u002Fuser-session-control\" rel=\"ugc\">leaving a 5-star review\u003C\u002Fa>.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>WordPress 4.1 “Dinah” introduced the awesome power of user session management.\u003C\u002Fp>\n\u003Cp>However, you are limited to only being able to destroy your own sessions, and you cannot destroy them individually.\u003C\u002Fp>\n\u003Cp>This plugin allows Administrators to view and manage all sessions by all users on an individual basis.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Displays a custom “God view” screen of all active user sessions\u003C\u002Fli>\n\u003Cli>Sort sessions by user, role, creation date, expiry date or IP address\u003C\u002Fli>\n\u003Cli>Quickly and easily destroy sessions you think may be a security risk\u003C\u002Fli>\n\u003Cli>Respects the timezone, date format and time format saved under General Settings\u003C\u002Fli>\n\u003Cli>View all user sessions from all blogs on your network via the Network Admin\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Languages supported:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>English\u003C\u002Fli>\n\u003Cli>Deutsch\u003C\u002Fli>\n\u003Cli>Español\u003C\u002Fli>\n\u003Cli>Français\u003C\u002Fli>\n\u003Cli>Português\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Development of this plugin is done \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ffjarrett\u002Fuser-session-control\" rel=\"nofollow ugc\">on GitHub\u003C\u002Fa>. Pull requests welcome. Please see \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ffjarrett\u002Fuser-session-control\u002Fissues\" rel=\"nofollow ugc\">issues reported\u003C\u002Fa> there before going to the plugin forum.\u003C\u002Fstrong>\u003C\u002Fp>\n","View and manage all active user sessions in a custom admin screen.",700,10133,94,"2016-12-23T19:25:00.000Z","4.7.32","4.1",[88,157,90,158],"security","users","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuser-session-control.0.3.1.zip",{"attackSurface":161,"codeSignals":255,"taintFlows":298,"riskAssessment":397,"analyzedAt":407},{"hooks":162,"ajaxHandlers":248,"restRoutes":249,"shortcodes":250,"cronEvents":254,"entryPointCount":27,"unprotectedCount":70},[163,170,174,179,183,187,192,195,198,203,206,209,212,215,218,222,225,229,233,236,240,243],{"type":164,"name":165,"callback":166,"priority":167,"file":168,"line":169},"filter","manage_users_columns","update_user_table",10,"includes\\class-user-session-synchronizer-email-verification.php",47,{"type":164,"name":171,"callback":172,"priority":167,"file":168,"line":173},"manage_users_custom_column","modify_user_table_row",48,{"type":175,"name":176,"callback":177,"priority":167,"file":168,"line":178},"action","user_register","after_user_register",50,{"type":175,"name":180,"callback":181,"file":168,"line":182},"admin_head","verify_user",51,{"type":175,"name":184,"callback":185,"file":168,"line":186},"init","verify_registered_user",53,{"type":175,"name":184,"callback":188,"priority":189,"file":190,"line":191},"init_settings",11,"includes\\class-user-session-synchronizer-settings.php",45,{"type":175,"name":193,"callback":194,"file":190,"line":173},"admin_init","register_settings",{"type":175,"name":196,"callback":197,"file":190,"line":182},"admin_menu","add_menu_items",{"type":175,"name":199,"callback":200,"priority":167,"file":201,"line":202},"wp_enqueue_scripts","enqueue_styles","includes\\class-user-session-synchronizer.php",142,{"type":175,"name":199,"callback":204,"priority":167,"file":201,"line":205},"enqueue_scripts",143,{"type":175,"name":207,"callback":207,"priority":167,"file":201,"line":208},"admin_enqueue_scripts",146,{"type":175,"name":207,"callback":210,"priority":167,"file":201,"line":211},"admin_enqueue_styles",147,{"type":175,"name":184,"callback":213,"priority":70,"file":201,"line":214},"synchronize_session",156,{"type":175,"name":184,"callback":216,"priority":70,"file":201,"line":217},"load_localisation",160,{"type":175,"name":219,"callback":220,"priority":167,"file":201,"line":221},"user_profile_update_errors","prevent_email_change",163,{"type":175,"name":193,"callback":223,"file":201,"line":224},"disable_user_profile_fields",164,{"type":175,"name":226,"callback":227,"file":201,"line":228},"admin_footer","disable_user_profile_fields_js",214,{"type":175,"name":230,"callback":231,"file":201,"line":232},"send_headers","add_cors_header",258,{"type":175,"name":230,"callback":234,"file":201,"line":235},"add_content_security_policy",259,{"type":175,"name":237,"callback":238,"file":201,"line":239},"admin_footer_text","get_domains",468,{"type":175,"name":241,"callback":238,"file":201,"line":242},"wp_footer",472,{"type":164,"name":244,"callback":245,"priority":167,"file":246,"line":247},"plugin_row_meta","user_session_synchronizer_row_meta","user-session-synchronizer.php",39,[],[],[251],{"tag":252,"callback":253,"file":168,"line":191},"ussyncemailverificationcode","get_email_verification_link",[],{"dangerousFunctions":256,"sqlUsage":257,"outputEscaping":263,"fileOperations":70,"externalRequests":27,"nonceChecks":46,"capabilityChecks":46,"bundledLibraries":297},[],{"prepared":27,"raw":27,"locations":258},[259],{"file":260,"line":261,"context":262},"includes\\class-user-session-synchronizer-session-control.php",298,"$wpdb->get_results() with variable interpolation",{"escaped":264,"rawEcho":265,"locations":266},74,14,[267,270,272,274,276,278,280,282,283,285,287,289,292,294],{"file":168,"line":268,"context":269},240,"raw output",{"file":260,"line":271,"context":269},165,{"file":260,"line":273,"context":269},167,{"file":260,"line":275,"context":269},173,{"file":260,"line":277,"context":269},231,{"file":260,"line":279,"context":269},269,{"file":260,"line":281,"context":269},277,{"file":190,"line":261,"context":269},{"file":190,"line":284,"context":269},366,{"file":201,"line":286,"context":269},432,{"file":201,"line":288,"context":269},571,{"file":290,"line":291,"context":269},"includes\\views\\email-setting.php",72,{"file":290,"line":293,"context":269},76,{"file":295,"line":296,"context":269},"includes\\views\\email-verification.php",46,[],[299,316,327,335,354,365,373,382],{"entryPoint":300,"graph":301,"unsanitizedCount":27,"severity":38},"settings_page (includes\\class-user-session-synchronizer-settings.php:305)",{"nodes":302,"edges":313},[303,308],{"id":304,"type":305,"label":306,"file":190,"line":307},"n0","source","$_GET",313,{"id":309,"type":310,"label":311,"file":190,"line":284,"wp_function":312},"n1","sink","echo() [XSS]","echo",[314],{"from":304,"to":309,"sanitized":315},false,{"entryPoint":317,"graph":318,"unsanitizedCount":70,"severity":326},"verify_user (includes\\class-user-session-synchronizer-email-verification.php:214)",{"nodes":319,"edges":323},[320,322],{"id":304,"type":305,"label":306,"file":168,"line":321},226,{"id":309,"type":310,"label":311,"file":168,"line":268,"wp_function":312},[324],{"from":304,"to":309,"sanitized":325},true,"low",{"entryPoint":328,"graph":329,"unsanitizedCount":70,"severity":326},"\u003Cclass-user-session-synchronizer-email-verification> (includes\\class-user-session-synchronizer-email-verification.php:0)",{"nodes":330,"edges":333},[331,332],{"id":304,"type":305,"label":306,"file":168,"line":321},{"id":309,"type":310,"label":311,"file":168,"line":268,"wp_function":312},[334],{"from":304,"to":309,"sanitized":325},{"entryPoint":336,"graph":337,"unsanitizedCount":70,"severity":326},"session_control (includes\\class-user-session-synchronizer-session-control.php:45)",{"nodes":338,"edges":351},[339,342,344,348],{"id":304,"type":305,"label":340,"file":260,"line":341},"$_GET (x3)",70,{"id":309,"type":310,"label":311,"file":260,"line":343,"wp_function":312},149,{"id":345,"type":305,"label":346,"file":260,"line":347},"n2","$_SERVER (x3)",213,{"id":349,"type":310,"label":311,"file":260,"line":350,"wp_function":312},"n3",233,[352,353],{"from":304,"to":309,"sanitized":325},{"from":345,"to":349,"sanitized":325},{"entryPoint":355,"graph":356,"unsanitizedCount":70,"severity":326},"\u003Cclass-user-session-synchronizer-session-control> (includes\\class-user-session-synchronizer-session-control.php:0)",{"nodes":357,"edges":362},[358,359,360,361],{"id":304,"type":305,"label":340,"file":260,"line":341},{"id":309,"type":310,"label":311,"file":260,"line":343,"wp_function":312},{"id":345,"type":305,"label":346,"file":260,"line":347},{"id":349,"type":310,"label":311,"file":260,"line":350,"wp_function":312},[363,364],{"from":304,"to":309,"sanitized":325},{"from":345,"to":349,"sanitized":325},{"entryPoint":366,"graph":367,"unsanitizedCount":27,"severity":326},"\u003Cclass-user-session-synchronizer-settings> (includes\\class-user-session-synchronizer-settings.php:0)",{"nodes":368,"edges":371},[369,370],{"id":304,"type":305,"label":306,"file":190,"line":307},{"id":309,"type":310,"label":311,"file":190,"line":284,"wp_function":312},[372],{"from":304,"to":309,"sanitized":315},{"entryPoint":374,"graph":375,"unsanitizedCount":70,"severity":326},"synchronize_session (includes\\class-user-session-synchronizer.php:238)",{"nodes":376,"edges":380},[377,379],{"id":304,"type":305,"label":306,"file":201,"line":378},301,{"id":309,"type":310,"label":311,"file":201,"line":286,"wp_function":312},[381],{"from":304,"to":309,"sanitized":325},{"entryPoint":383,"graph":384,"unsanitizedCount":70,"severity":326},"\u003Cclass-user-session-synchronizer> (includes\\class-user-session-synchronizer.php:0)",{"nodes":385,"edges":394},[386,388,389,390],{"id":304,"type":305,"label":387,"file":201,"line":378},"$_GET (x2)",{"id":309,"type":310,"label":311,"file":201,"line":286,"wp_function":312},{"id":345,"type":305,"label":306,"file":201,"line":378},{"id":349,"type":310,"label":391,"file":201,"line":392,"wp_function":393},"wp_remote_get() [SSRF]",555,"wp_remote_get",[395,396],{"from":304,"to":309,"sanitized":325},{"from":345,"to":349,"sanitized":325},{"summary":398,"deductions":399},"The 'user-session-synchronizer' plugin v1.4.0 exhibits a mixed security posture. On the positive side, the static analysis reveals a low attack surface with no identified AJAX handlers or REST API routes without authentication checks. The code also demonstrates good practices by utilizing nonces and capability checks for all identified entry points, and a high percentage of output is properly escaped, with no dangerous functions or file operations detected.  However, significant concerns arise from the vulnerability history and taint analysis. The presence of a currently unpatched medium severity CVE is a critical issue that requires immediate attention. Furthermore, the taint analysis indicates two flows with unsanitized paths, which, while not classified as critical or high severity in this report, represent potential pathways for exploitation if input is not properly validated. The SQL query usage is also a minor concern, with 50% of queries not using prepared statements, which could lead to SQL injection vulnerabilities in those specific instances.",[400,403,405],{"reason":401,"points":402},"Currently unpatched medium severity CVE",15,{"reason":404,"points":167},"Flows with unsanitized paths",{"reason":406,"points":128},"SQL queries not using prepared statements","2026-03-16T20:38:07.744Z",{"wat":409,"direct":419},{"assetPaths":410,"generatorPatterns":413,"scriptPaths":414,"versionParams":415},[411,412],"\u002Fwp-content\u002Fplugins\u002Fuser-session-synchronizer\u002Fincludes\u002Fjs\u002Fsettings.js","\u002Fwp-content\u002Fplugins\u002Fuser-session-synchronizer\u002Fassets\u002Fjs\u002Fsettings.js",[],[411,412],[416,417,418],"user-session-synchronizer\u002Fstyle.css?ver=","user-session-synchronizer\u002Fjs\u002Fsettings.js?ver=","user-session-synchronizer\u002Fassets\u002Fjs\u002Fsettings.js?ver=",{"cssClasses":420,"htmlComments":421,"htmlAttributes":422,"restEndpoints":435,"jsGlobals":436,"shortcodeOutput":438},[],[],[423,424,425,426,427,428,429,430,431,432,433,434],"data-page-title","data-menu-title","data-menu-slug","data-submenu-title","data-submenu-slug","data-option-id","data-option-type","data-option-label","data-option-description","data-option-default","data-option-placeholder","data-option-options",[],[437],"User_Session_Synchronizer",[]]