[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fsOXFhPBTw6-vcz_jkgNnTHsA5Q-ceqmkXoVNb7GgKrk":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":24,"download_link":25,"security_score":13,"vuln_count":26,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29,"vulnerabilities":30,"developer":47,"crawl_stats":36,"alternatives":53,"analysis":150,"fingerprints":443},"webmention","Webmention","5.6.2","Matthias Pfefferle","https:\u002F\u002Fprofiles.wordpress.org\u002Fpfefferle\u002F","\u003Cp>When you link to a website you can send it a Webmention to notify it and then that website may display your post as a comment, like, or other response, and presto, you’re having a conversation from one site to another!\u003C\u002Fp>\n\u003Cp>A \u003Ca href=\"https:\u002F\u002Fwww.w3.org\u002FTR\u002Fwebmention\u002F\" rel=\"nofollow ugc\">Webmention\u003C\u002Fa> is a notification that one URL links to another. Sending a Webmention is not limited to blog posts, and can be used for additional kinds of content and responses as well.\u003C\u002Fp>\n\u003Cp>For example, a response can be an RSVP to an event, an indication that someone “likes” another post, a “bookmark” of another post, and many others. Webmention enables these interactions to happen across different websites, enabling a distributed social web.\u003C\u002Fp>\n\u003Cp>The Webmention plugin supports the Webmention protocol, giving you support for sending and receiving Webmentions. It offers a simple built in presentation.\u003C\u002Fp>\n","Enable conversation across the web.",900,59493,100,8,"2026-01-01T12:43:00.000Z","6.9.4","6.2","7.2",[20,21,22,23,4],"indieweb","linkback","pingback","trackback","https:\u002F\u002Fgithub.com\u002Fpfefferle\u002Fwordpress-webmention","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwebmention.5.6.2.zip",1,0,"2023-03-08 00:00:00","2026-03-15T15:16:48.613Z",[31],{"id":32,"url_slug":33,"title":34,"description":35,"plugin_slug":4,"theme_slug":36,"affected_versions":37,"patched_in_version":38,"severity":39,"cvss_score":40,"cvss_vector":41,"vuln_type":42,"published_date":28,"updated_date":43,"references":44,"days_to_patch":46},"WF-3d12d692-231b-4e15-a119-80fd74566af4-webmention","webmention-reflected-cross-site-scripting-via-replytocom","Webmention \u003C= 4.0.8 - Reflected Cross-Site Scripting via 'replytocom'","The Webmention plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘replytocom’ parameter in versions up to, and including, 4.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",null,"\u003C=4.0.8","4.0.9","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2024-01-22 19:56:02",[45],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3d12d692-231b-4e15-a119-80fd74566af4?source=api-prod",321,{"slug":48,"display_name":7,"profile_url":8,"plugin_count":14,"total_installs":49,"avg_security_score":50,"avg_patch_time_days":46,"trust_score":51,"computed_at":52},"pfefferle",3470,98,78,"2026-04-04T04:20:17.644Z",[54,73,91,110,128],{"slug":55,"name":56,"version":57,"author":58,"author_profile":59,"description":60,"short_description":61,"active_installs":62,"downloaded":63,"rating":64,"num_ratings":65,"last_updated":66,"tested_up_to":16,"requires_at_least":67,"requires_php":68,"tags":69,"homepage":71,"download_link":72,"security_score":13,"vuln_count":27,"unpatched_count":27,"last_vuln_date":36,"fetched_at":29},"no-self-ping","No Self Ping","1.2.1","Michael Adams (mdawaffe)","https:\u002F\u002Fprofiles.wordpress.org\u002Fmdawaffe\u002F","\u003Cp>Some people really like that WordPress sends pings from your own site to your own site when you write posts; it gives them a trail of related posts.\u003C\u002Fp>\n\u003Cp>Some people do not like this behavior; it clutters up their comments.\u003C\u002Fp>\n\u003Cp>This plugin disables intra-blog pinging.\u003C\u002Fp>\n\u003Cp>Once activated, there’s nothing for you to do. However, head to Settings -> Discussion and you’ll find a field in which you can, if you wish, specify more domains that won’t be pinged. Why? Well, maybe you often refer to other sites that you maintain or, particularly, you run a multi-site and don’t want each blog pinging the other – specify a list here and you’re sorted.\u003C\u002Fp>\n\u003Cp>This plugin was originally developed by the awesome \u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fmdawaffe\u002F\" rel=\"nofollow ugc\">Michael D. Adams\u003C\u002Fa> and the iconography is courtesy of the very talented \u003Ca href=\"https:\u002F\u002Fwww.fiverr.com\u002Fjankirathore\" rel=\"nofollow ugc\">Janki Rathod\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Please visit the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fdartiss\u002Fno-self-ping\" title=\"Github\" rel=\"nofollow ugc\">Github page\u003C\u002Fa> for the latest code development, planned enhancements and known issues\u003C\u002Fstrong>\u003C\u002Fp>\n","Keeps WordPress from sending pings to your own site.",10000,333104,86,15,"2026-02-08T15:41:00.000Z","4.6","7.4",[70,22,23],"ping","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fno-self-ping","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fno-self-ping.1.2.1.zip",{"slug":20,"name":74,"version":75,"author":74,"author_profile":76,"description":77,"short_description":78,"active_installs":79,"downloaded":80,"rating":13,"num_ratings":81,"last_updated":82,"tested_up_to":16,"requires_at_least":83,"requires_php":68,"tags":84,"homepage":87,"download_link":88,"security_score":89,"vuln_count":26,"unpatched_count":27,"last_vuln_date":90,"fetched_at":29},"IndieWeb","5.0.0","https:\u002F\u002Fprofiles.wordpress.org\u002Findieweb\u002F","\u003Cp>The IndieWeb Plugin for WordPress helps you establish your IndieWeb identity by extending the user profile to provide \u003Ca href=\"https:\u002F\u002Findieweb.org\u002Frel-me\" rel=\"nofollow ugc\">rel-me\u003C\u002Fa> and\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Findieweb.org\u002Fh-card\" rel=\"nofollow ugc\">h-card\u003C\u002Fa> fields and optionally adding widgets to display this. It also includes a bundled installer for a core set of IndieWeb-related plugins. It’s\u003Cbr \u002F>\nmeant to be a one-stop shop to help WordPress users quickly and easily join the growing \u003Ca href=\"https:\u002F\u002Findieweb.org\" rel=\"nofollow ugc\">IndieWeb\u003C\u002Fa> movement (see below).\u003C\u002Fp>\n\u003Cp>Some of these plugins allow you to:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>send and receive comments, likes, reposts, and other kinds of post responses using your own site\u003C\u002Fli>\n\u003Cli>allow comments on others’ sites to show up as comments on your posts\u003C\u002Fli>\n\u003Cli>help make IndieWeb comments and mentions look better on your site\u003C\u002Fli>\n\u003Cli>allow support for webmentions\u003C\u002Fli>\n\u003Cli>add location support to your posts\u003C\u002Fli>\n\u003Cli>more easily syndicate your content to other sites to take advantage of network effects and other communities while still owning all of your original content\u003C\u002Fli>\n\u003Cli>link to syndicated versions of a post so that comments on your content in silos like Facebook, Twitter, Instagram can come back to your original post as comments there\u003C\u002Fli>\n\u003Cli>set up a MicroPub Server to use other posting interfaces. (You could potentially use services like Instagram, Foursquare, and others to post to your WordPress site.)\u003C\u002Fli>\n\u003Cli>Use your site to log into other services with \u003Ca href=\"https:\u002F\u002Findieweb.org\u002Findieauth\" rel=\"nofollow ugc\">IndieAuth\u003C\u002Fa>.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>The IndieWeb\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>The \u003Ca href=\"https:\u002F\u002Findieweb.org\u002F\" rel=\"nofollow ugc\">IndieWeb\u003C\u002Fa> is a people-focused alternative to the ‘corporate web’ that allows you to be the hub of your own web presence.\u003C\u002Fstrong> It’s been written about in \u003Ca href=\"http:\u002F\u002Fwww.wired.com\u002F2013\u002F08\u002Findie-web\u002F\" rel=\"nofollow ugc\">Wired\u003C\u002Fa>, \u003Ca href=\"http:\u002F\u002Fwww.theatlantic.com\u002Ftechnology\u002Farchive\u002F2014\u002F08\u002Fthe-new-editors-of-the-internet\u002F378983\u002F\" rel=\"nofollow ugc\">The Atlantic\u003C\u002Fa>, \u003Ca href=\"http:\u002F\u002Fwww.slate.com\u002Fblogs\u002Ffuture_tense\u002F2014\u002F04\u002F25\u002Findiewebcamps_create_tools_for_a_new_internet.html\" rel=\"nofollow ugc\">Slate\u003C\u002Fa>, and \u003Ca href=\"https:\u002F\u002Fgigaom.com\u002F2014\u002F09\u002F03\u002Fdont-like-facebook-owning-and-controlling-your-content-use-tools-that-support-the-open-web\u002F\" rel=\"nofollow ugc\">Gigaom\u003C\u002Fa> amongst others.\u003C\u002Fp>\n\u003Ch3>The IndieWeb, like WordPress, feels that your content is yours\u003C\u002Fh3>\n\u003Cp>When you post something on the web, it should belong to you, not a corporation. Too many companies have gone out of business and lost all of their users’ data. By joining the IndieWeb, your content stays yours and in your control.\u003C\u002Fp>\n\u003Ch3>The IndieWeb is here to help you be better connected\u003C\u002Fh3>\n\u003Cp>Your articles and status messages can be syndicated to all services, not just one, allowing you to engage with everyone in your social network\u002Fsocial graph. Even replies and likes on other services can come back to your site so they’re all in one place.\u003C\u002Fp>\n\u003Cp>Interested in connecting your WordPress site to the \u003Ca href=\"https:\u002F\u002Findieweb.org\u002F\" rel=\"nofollow ugc\">IndieWeb\u003C\u002Fa>? Let us help you get started.\u003C\u002Fp>\n","IndieWeb for WordPress!",600,30949,6,"2025-12-19T21:31:00.000Z","4.7",[85,20,86,4],"indieauth","posse","https:\u002F\u002Fgithub.com\u002Findieweb\u002Fwordpress-indieweb","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Findieweb.5.0.0.zip",99,"2026-01-08 17:50:29",{"slug":92,"name":93,"version":94,"author":95,"author_profile":96,"description":97,"short_description":98,"active_installs":99,"downloaded":100,"rating":101,"num_ratings":81,"last_updated":102,"tested_up_to":16,"requires_at_least":103,"requires_php":104,"tags":105,"homepage":108,"download_link":109,"security_score":13,"vuln_count":27,"unpatched_count":27,"last_vuln_date":36,"fetched_at":29},"hide-trackbacks","Hide Trackbacks","1.1.7","Sander van Dragt","https:\u002F\u002Fprofiles.wordpress.org\u002Fpacifika\u002F","\u003Cp>Introducing \u003Cem>Hide Trackbacks\u003C\u002Fem> – keep the benefits of track- and pingbacks (know when someone writes about posts) while keeping the comments clean and uncluttered.\u003C\u002Fp>\n\u003Cp>After enabling the plugin, trackbacks and pingbacks are no longer shown on your posts and the comment count is updated correctly to reflect this. They remain accessible via the admin panel.\u003C\u002Fp>\n\u003Cp>Original code created by  \u003Ca href=\"http:\u002F\u002Fwww.honeytechblog.com\u002Fhow-to-remove-tracbacks-and-pings-from-wordpress-posts\u002F\" rel=\"nofollow ugc\">Honey Singh\u003C\u002Fa> (used with permission of the author).\u003C\u002Fp>\n","Prevents trackbacks and pingbacks from showing up as comments on posts.",400,17591,94,"2025-12-07T10:00:00.000Z","5.8","7.0",[106,22,107,23],"comments","spam","http:\u002F\u002Fwp.me\u002Fp1vXha-4u","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhide-trackbacks.1.1.7.zip",{"slug":111,"name":112,"version":113,"author":114,"author_profile":115,"description":116,"short_description":117,"active_installs":118,"downloaded":119,"rating":27,"num_ratings":27,"last_updated":120,"tested_up_to":16,"requires_at_least":121,"requires_php":104,"tags":122,"homepage":126,"download_link":127,"security_score":13,"vuln_count":27,"unpatched_count":27,"last_vuln_date":36,"fetched_at":29},"really-simple-disable-comments","Really Simple Disable Comments","0.2.1","NEXTFLY® Web Design","https:\u002F\u002Fprofiles.wordpress.org\u002Fnextfly\u002F","\u003Cp>Really Simple Disable Comments is a lightweight plugin that completely disables WordPress comments functionality with a single activation. No configuration needed!\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Disables comments on all post types\u003C\u002Fli>\n\u003Cli>Removes comment-related UI elements\u003C\u002Fli>\n\u003Cli>Disables trackbacks and pingbacks\u003C\u002Fli>\n\u003Cli>Removes comment-related admin menu items and dashboard widgets\u003C\u002Fli>\n\u003Cli>Hides comment counts from dashboard “At a Glance” widget\u003C\u002Fli>\n\u003Cli>Hides “Recent Comments” section from dashboard Activity widget\u003C\u002Fli>\n\u003Cli>Disables all comment-related Gutenberg blocks\u003C\u002Fli>\n\u003Cli>Clean and efficient code with no settings required\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>What Gets Disabled?\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Comment forms and displays\u003C\u002Fli>\n\u003Cli>Admin menu items and dashboard widgets\u003C\u002Fli>\n\u003Cli>Comment-related Gutenberg blocks\u003C\u002Fli>\n\u003Cli>Trackbacks and pingbacks\u003C\u002Fli>\n\u003Cli>Comment-related UI elements in themes\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Developer Friendly\u003C\u002Fh4>\n\u003Cp>The plugin includes various filters and actions for developers to customize its behavior:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ccode>rsdc_post_type\u003C\u002Fcode> – Filter the post type before removing comment support\u003C\u002Fli>\n\u003Cli>\u003Ccode>rsdc_comments_status\u003C\u002Fcode> – Filter the comments status\u003C\u002Fli>\n\u003Cli>\u003Ccode>rsdc_hide_existing_comments\u003C\u002Fcode> – Filter the hidden comments array\u003C\u002Fli>\n\u003Cli>\u003Ccode>rsdc_hide_ui_styles\u003C\u002Fcode> – Filter the CSS used to hide comment UI elements\u003C\u002Fli>\n\u003Cli>\u003Ccode>rsdc_block_editor_settings\u003C\u002Fcode> – Filter the block editor settings\u003C\u002Fli>\n\u003Cli>\u003Ccode>rsdc_allowed_blocks\u003C\u002Fcode> – Filter the allowed Gutenberg blocks\u003C\u002Fli>\n\u003C\u002Ful>\n","Effortlessly disable all comments and trackback functionality across your entire WordPress site by activating this plugin.",200,2437,"2025-12-09T15:20:00.000Z","5.0",[106,123,124,125],"disable-comments","disable-pingbacks","disable-trackbacks","https:\u002F\u002Fgithub.com\u002Fnextfly\u002Freally-simple-disable-comments","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Freally-simple-disable-comments.0.2.1.zip",{"slug":129,"name":130,"version":131,"author":132,"author_profile":133,"description":134,"short_description":135,"active_installs":13,"downloaded":136,"rating":13,"num_ratings":137,"last_updated":138,"tested_up_to":139,"requires_at_least":17,"requires_php":140,"tags":141,"homepage":145,"download_link":146,"security_score":147,"vuln_count":148,"unpatched_count":27,"last_vuln_date":149,"fetched_at":29},"indieblocks","IndieBlocks","0.13.3","Jan Boddez","https:\u002F\u002Fprofiles.wordpress.org\u002Fjanboddez\u002F","\u003Cp>Use blocks, and, optionally, “short-form” post types to easily “IndieWebify” your WordPress site.\u003C\u002Fp>\n\u003Cp>IndieBlocks registers several blocks (Bookmark, Like, Reply, and Repost, as well as the older Context block) that take a URL and output corresponding \u003Cem>microformatted\u003C\u002Fem> HTML.\u003C\u002Fp>\n\u003Cp>In combination with a microformats-compatible theme, these help ensure microformats clients are able to determine a post’s type.\u003C\u002Fp>\n\u003Cp>It also comes with “short-form” (Note and Like) custom post types, and a (somewhat experimental) option to add microformats to (all!) \u003Cem>block-based\u003C\u002Fem> themes.\u003C\u002Fp>\n\u003Cp>These microformats, in combination with the Webmention protocol, allow for rich \u003Cem>cross-site\u003C\u002Fem> conversations. IndieBlocks comes with its own Webmention implementation, but a separate plugin can be used, too.\u003C\u002Fp>\n\u003Cp>IndieBlocks also registers several “theme” blocks (Facepile, Location, Syndication, and Link Preview), to be used in “block theme” templates.\u003C\u002Fp>\n","Use blocks, and, optionally, \"short-form\" post types to easily \"IndieWebify\" your WordPress site.",6440,3,"2025-06-14T07:34:00.000Z","6.8.5","",[142,20,143,144,4],"blocks","microblog","notes","https:\u002F\u002Findieblocks.xyz\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Findieblocks.0.13.3.zip",97,2,"2025-06-12 13:09:56",{"attackSurface":151,"codeSignals":343,"taintFlows":430,"riskAssessment":431,"analyzedAt":442},{"hooks":152,"ajaxHandlers":321,"restRoutes":322,"shortcodes":333,"cronEvents":334,"entryPointCount":148,"unprotectedCount":148},[153,160,163,169,172,177,181,185,188,193,197,200,205,208,212,214,218,222,225,227,229,234,237,240,244,247,251,255,259,262,266,270,274,278,281,285,288,291,294,297,298,302,306,309,310,314,317],{"type":154,"name":155,"callback":156,"priority":157,"file":158,"line":159},"action","comment_post","store_avatar",20,"includes\\class-avatar-store.php",16,{"type":154,"name":161,"callback":156,"priority":157,"file":158,"line":162},"edit_comment",17,{"type":164,"name":165,"callback":166,"priority":167,"file":168,"line":65},"filter","pre_get_avatar_data","avatar_stored_in_comment",30,"includes\\class-avatar.php",{"type":164,"name":170,"callback":170,"priority":89,"file":168,"line":171},"get_avatar_comment_types",19,{"type":164,"name":173,"callback":174,"priority":175,"file":176,"line":162},"wp_list_comments_args","filter_comment_args",5,"includes\\class-comment-walker.php",{"type":154,"name":178,"callback":179,"file":176,"line":180},"pre_get_comments","comment_query",21,{"type":154,"name":182,"callback":183,"file":176,"line":184},"comment_form_before","show_separated_reactions",24,{"type":154,"name":186,"callback":183,"file":176,"line":187},"comment_form_comments_closed",25,{"type":164,"name":189,"callback":190,"priority":191,"file":176,"line":192},"comment_text","filter_comment_text",40,112,{"type":164,"name":194,"callback":195,"file":196,"line":162},"query_vars","query_var","includes\\class-comment.php",{"type":164,"name":198,"callback":199,"file":196,"line":157},"template_include","comment_template_include",{"type":164,"name":201,"callback":202,"priority":203,"file":196,"line":204},"get_comment_link","remote_comment_link",11,22,{"type":164,"name":206,"callback":207,"priority":203,"file":196,"line":187},"get_default_comment_status","webmention_get_default_comment_status",{"type":154,"name":209,"callback":210,"priority":203,"file":196,"line":211},"comment_form_after","webmention_comment_form",27,{"type":154,"name":186,"callback":210,"file":196,"line":213},28,{"type":154,"name":215,"callback":216,"priority":89,"file":217,"line":162},"wp_head","html_header","includes\\class-discovery.php",{"type":154,"name":219,"callback":220,"file":217,"line":221},"template_redirect","http_header",18,{"type":164,"name":223,"callback":224,"file":217,"line":171},"host_meta","jrd_links",{"type":164,"name":226,"callback":224,"file":217,"line":157},"webfinger_user_data",{"type":164,"name":228,"callback":224,"file":217,"line":180},"webfinger_post_data",{"type":164,"name":230,"callback":231,"priority":232,"file":217,"line":233},"nodeinfo_data","nodeinfo",10,23,{"type":164,"name":235,"callback":236,"priority":232,"file":217,"line":184},"nodeinfo2_data","nodeinfo2",{"type":154,"name":219,"callback":238,"priority":89,"file":239,"line":162},"handle_410","includes\\class-http-gone.php",{"type":154,"name":241,"callback":242,"file":243,"line":187},"rest_api_init","register_routes","includes\\class-receiver.php",{"type":164,"name":245,"callback":246,"priority":203,"file":243,"line":211},"rest_pre_serve_request","serve_request",{"type":164,"name":248,"callback":249,"priority":157,"file":243,"line":250},"duplicate_comment_id","disable_wp_check_dupes",29,{"type":164,"name":252,"callback":253,"priority":203,"file":243,"line":254},"webmention_comment_data","webmention_verify",32,{"type":164,"name":252,"callback":256,"priority":257,"file":243,"line":258},"check_dupes",12,33,{"type":164,"name":252,"callback":260,"priority":180,"file":243,"line":261},"default_commentdata",36,{"type":164,"name":263,"callback":264,"priority":203,"file":243,"line":265},"pre_comment_approved","auto_approve",38,{"type":154,"name":267,"callback":268,"file":243,"line":269},"webmention_data_error","delete",41,{"type":154,"name":271,"callback":272,"file":243,"line":273},"webmention_process_schedule","process",44,{"type":164,"name":275,"callback":276,"file":243,"line":277},"pre_comment_content","wp_filter_post_kses",447,{"type":164,"name":275,"callback":279,"file":243,"line":280},"wp_filter_kses",449,{"type":154,"name":282,"callback":283,"priority":232,"file":243,"line":284},"check_comment_flood","check_comment_flood_db",480,{"type":154,"name":286,"callback":286,"priority":232,"file":287,"line":157},"send_webmention","includes\\class-sender.php",{"type":154,"name":289,"callback":290,"priority":175,"file":287,"line":233},"do_pings","do_webmentions",{"type":154,"name":292,"callback":293,"priority":26,"file":287,"line":258},"wp_trash_post","trash_post",{"type":154,"name":295,"callback":295,"priority":26,"file":287,"line":296},"untrash_post",34,{"type":154,"name":155,"callback":155,"file":287,"line":261},{"type":154,"name":299,"callback":300,"file":287,"line":301},"webmention_delete","send_webmentions",39,{"type":164,"name":303,"callback":304,"file":287,"line":305},"pre_get_posts","ksuce_exclude_categories",383,{"type":154,"name":307,"callback":307,"file":308,"line":171},"admin_menu","includes\\class-tools.php",{"type":154,"name":241,"callback":242,"file":308,"line":157},{"type":154,"name":311,"callback":312,"file":313,"line":171},"init","maybe_upgrade","includes\\class-upgrade.php",{"type":164,"name":252,"callback":315,"priority":232,"file":316,"line":171},"verify_vouch","includes\\class-vouch.php",{"type":164,"name":318,"callback":319,"priority":232,"file":320,"line":162},"http_request_args","Webmention\\allow_localhost","includes\\debug.php",[],[323,330],{"namespace":324,"route":325,"methods":326,"callback":328,"permissionCallback":36,"file":243,"line":329},"webmention\u002F1.0","\u002Fendpoint",[327],"GET","anonymous",172,{"namespace":324,"route":331,"methods":332,"callback":328,"permissionCallback":36,"file":308,"line":269},"\u002Fparse",[327],[],[335,337,339,341],{"hook":271,"callback":271,"file":243,"line":336},343,{"hook":289,"callback":289,"file":287,"line":338},95,{"hook":299,"callback":299,"file":287,"line":340},132,{"hook":289,"callback":289,"file":287,"line":342},356,{"dangerousFunctions":344,"sqlUsage":345,"outputEscaping":352,"fileOperations":27,"externalRequests":175,"nonceChecks":27,"capabilityChecks":148,"bundledLibraries":429},[],{"prepared":14,"raw":148,"locations":346},[347,350],{"file":313,"line":348,"context":349},181,"$wpdb->query() with variable interpolation",{"file":313,"line":351,"context":349},186,{"escaped":211,"rawEcho":265,"locations":353},[354,358,360,362,364,366,367,369,371,373,375,377,380,383,385,387,389,390,392,394,396,397,399,402,405,407,410,412,414,415,417,419,420,421,422,423,424,427],{"file":355,"line":356,"context":357},"includes\\class-cli.php",297,"raw output",{"file":176,"line":359,"context":357},173,{"file":176,"line":361,"context":357},176,{"file":176,"line":363,"context":357},178,{"file":176,"line":365,"context":357},179,{"file":176,"line":348,"context":357},{"file":176,"line":368,"context":357},184,{"file":176,"line":370,"context":357},224,{"file":176,"line":372,"context":357},225,{"file":176,"line":374,"context":357},230,{"file":176,"line":376,"context":357},273,{"file":378,"line":379,"context":357},"includes\\wp-admin\\class-admin.php",90,{"file":381,"line":382,"context":357},"includes\\wp-admin\\class-settings-fields.php",109,{"file":381,"line":384,"context":357},116,{"file":381,"line":386,"context":357},163,{"file":381,"line":388,"context":357},164,{"file":381,"line":388,"context":357},{"file":381,"line":391,"context":357},165,{"file":381,"line":393,"context":357},204,{"file":381,"line":395,"context":357},229,{"file":381,"line":395,"context":357},{"file":381,"line":398,"context":357},289,{"file":400,"line":401,"context":357},"templates\\api-message.php",119,{"file":403,"line":404,"context":357},"templates\\comment-form.php",7,{"file":403,"line":406,"context":357},9,{"file":408,"line":409,"context":357},"templates\\comment.php",48,{"file":408,"line":411,"context":357},61,{"file":408,"line":413,"context":357},72,{"file":408,"line":413,"context":357},{"file":416,"line":180,"context":357},"templates\\comments.php",{"file":418,"line":137,"context":357},"templates\\edit-comment-form.php",{"file":418,"line":404,"context":357},{"file":418,"line":203,"context":357},{"file":418,"line":65,"context":357},{"file":418,"line":171,"context":357},{"file":418,"line":233,"context":357},{"file":425,"line":426,"context":357},"templates\\endpoint-form.php",121,{"file":425,"line":428,"context":357},126,[],[],{"summary":432,"deductions":433},"The 'webmention' plugin version 5.6.2 presents a mixed security posture. While it demonstrates good practices such as avoiding dangerous functions, file operations, and generally utilizing prepared statements for SQL, there are significant areas of concern. The plugin has 2 REST API routes exposed without permission callbacks, creating a notable attack surface that is unprotected. Additionally, only 42% of output is properly escaped, leaving a substantial portion vulnerable to cross-site scripting (XSS) attacks. The plugin's vulnerability history shows 1 medium severity CVE for Improper Neutralization of Input During Web Page Generation, which aligns with the output escaping concerns. This indicates a recurring potential for XSS vulnerabilities.\n\nOverall, the plugin's security is hampered by the lack of robust authorization checks on its REST API endpoints and insufficient output escaping. While the absence of critical taint flows and a lack of critical or high severity unpatched CVEs are positive signs, the identified weaknesses present exploitable entry points. Users should exercise caution due to the unescaped output and unprotected REST API routes, especially given the past XSS vulnerability.",[434,436,438,440],{"reason":435,"points":232},"REST API routes without permission callbacks",{"reason":437,"points":14},"Low percentage of properly escaped output",{"reason":439,"points":175},"No nonce checks on entry points",{"reason":441,"points":65},"Past medium severity CVE (XSS)","2026-03-16T19:13:51.517Z",{"wat":444,"direct":457},{"assetPaths":445,"generatorPatterns":449,"scriptPaths":450,"versionParams":452},[446,447,448],"\u002Fwp-content\u002Fplugins\u002Fwebmention\u002Fbuild\u002Feditor-plugin\u002Fplugin.js","\u002Fwp-content\u002Fplugins\u002Fwebmention\u002Fcss\u002Fwebmention-admin.css","\u002Fwp-content\u002Fplugins\u002Fwebmention\u002Fcss\u002Fwebmention-public.css",[],[451],"\u002Fwp-content\u002Fplugins\u002Fwebmention\u002Fjs\u002Fwebmention.js",[453,454,455,456],"webmention\u002Fcss\u002Fwebmention-admin.css?ver=","webmention\u002Fcss\u002Fwebmention-public.css?ver=","webmention\u002Fjs\u002Fwebmention.js?ver=","webmention\u002Fbuild\u002Feditor-plugin\u002Fplugin.js?ver=",{"cssClasses":458,"htmlComments":461,"htmlAttributes":462,"restEndpoints":465,"jsGlobals":467,"shortcodeOutput":468},[4,459,460],"webmention-post","webmention-comment",[],[463,464],"data-webmention-target","data-webmention-id",[466],"\u002Fwp-json\u002Fwebmention\u002F1.0\u002F",[5],[]]