[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fBsd2FwY_g47LWDh7yFgf5_Y79PXtQVQExy8MuDgLuJc":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":17,"download_link":20,"security_score":21,"vuln_count":13,"unpatched_count":13,"last_vuln_date":22,"fetched_at":23,"vulnerabilities":24,"developer":25,"crawl_stats":22,"alternatives":32,"analysis":33,"fingerprints":373},"webuser-all-in-one","WebUser All in one","1.2.5","Sem Wong","https:\u002F\u002Fprofiles.wordpress.org\u002Fsem-wong\u002F","\u003Cp>Webuser All-in-One plugin adds functionality offered by Webuser. It allows Admin accounts to modify specific rights per user, it adds the Google Login API\u003Cbr \u002F>\nand adds the Custom Header Module developed by Webuser.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Webuser User Rights Module: Allows the Admin account to modify specific rights that each user possesses.\u003C\u002Fli>\n\u003Cli>Google Login API: Add Google Login to your website, allowing users to log into the Admin Panel through Google Login.\u003C\u002Fli>\n\u003Cli>Webuser Custom Headers: Allows users to add Custom Header Images in a set container on a specific page. This uses the Next-Gen Gallery plugin\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>A brief Markdown Example\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Webuser User Rights Module: Allows for custom rights on every user.\u003C\u002Fli>\n\u003Cli>Google Login API: Allows for Google Login in WP-ADMIN (Follow instructions)\u003C\u002Fli>\n\u003Cli>Webuser Custom Headers: Allows users to choose images in the header, multiple images show a slider\u003C\u002Fli>\n\u003C\u002Ful>\n","A plugin developed by Webuser B.V. 
for Webuser customers.",10,1327,0,"2016-12-13T13:48:00.000Z","4.1.42","3.0.1","",[19],"webuser","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwebuser-all-in-one.zip",85,null,"2026-03-15T15:16:48.613Z",[],{"slug":26,"display_name":7,"profile_url":8,"plugin_count":27,"total_installs":28,"avg_security_score":21,"avg_patch_time_days":29,"trust_score":30,"computed_at":31},"sem-wong",2,40,30,84,"2026-04-05T14:46:27.962Z",[],{"attackSurface":34,"codeSignals":137,"taintFlows":281,"riskAssessment":361,"analyzedAt":372},{"hooks":35,"ajaxHandlers":129,"restRoutes":130,"shortcodes":131,"cronEvents":136,"entryPointCount":74,"unprotectedCount":13},[36,42,45,49,53,57,61,67,71,76,80,83,87,90,94,98,102,106,109,111,114,117,121,125],{"type":37,"name":38,"callback":39,"file":40,"line":41},"action","admin_notices","ga_admin_auth_message","core\\core_google_apps_login.php",440,{"type":37,"name":43,"callback":39,"file":40,"line":44},"network_admin_notices",442,{"type":37,"name":46,"callback":47,"file":40,"line":48},"show_user_profile","ga_personal_options",450,{"type":37,"name":50,"callback":51,"file":40,"line":52},"plugins_loaded","ga_plugins_loaded",822,{"type":37,"name":54,"callback":55,"file":40,"line":56},"login_enqueue_scripts","ga_login_styles",824,{"type":37,"name":58,"callback":59,"file":40,"line":60},"login_form","ga_login_form",825,{"type":62,"name":63,"callback":64,"priority":65,"file":40,"line":66},"filter","authenticate","ga_authenticate",5,826,{"type":62,"name":68,"callback":69,"priority":65,"file":40,"line":70},"login_redirect","ga_login_redirect",828,{"type":37,"name":72,"callback":73,"priority":74,"file":40,"line":75},"init","ga_init",1,829,{"type":37,"name":77,"callback":78,"priority":65,"file":40,"line":79},"admin_init","ga_admin_init",831,{"type":62,"name":81,"callback":81,"file":40,"line":82},"gal_get_clientid",835,{"type":62,"name":84,"callback":85,"priority":11,"file":40,"line":86},"network_admin_plugin_action_links","ga_plugin_action_links",838,{"typ
e":62,"name":88,"callback":85,"priority":11,"file":40,"line":89},"plugin_action_links",842,{"type":62,"name":91,"callback":91,"priority":11,"file":92,"line":93},"map_meta_cap","WebUser All in one.php",39,{"type":37,"name":95,"callback":96,"file":92,"line":97},"admin_menu","webuser_menu",205,{"type":37,"name":99,"callback":100,"file":92,"line":101},"network_admin_menu","webuser_admin_menu",206,{"type":37,"name":103,"callback":104,"file":92,"line":105},"wp_dashboard_setup","custom_dashboard_widget",234,{"type":37,"name":38,"callback":107,"file":92,"line":108},"ga_user_screen_upgrade_message",343,{"type":37,"name":43,"callback":107,"file":92,"line":110},345,{"type":37,"name":54,"callback":112,"file":92,"line":113},"my_login_logo",395,{"type":37,"name":54,"callback":115,"file":92,"line":116},"my_login_stylesheet",401,{"type":37,"name":118,"callback":119,"file":92,"line":120},"add_meta_boxes","header_add_box",424,{"type":37,"name":122,"callback":123,"file":92,"line":124},"save_post","header_save_data",567,{"type":37,"name":126,"callback":127,"file":92,"line":128},"admin_head","cw_change_dashboard_column_width",618,[],[],[132],{"tag":133,"callback":134,"file":92,"line":135},"webuser_header","create_webuser_header",620,[],{"dangerousFunctions":138,"sqlUsage":144,"outputEscaping":146,"fileOperations":279,"externalRequests":74,"nonceChecks":27,"capabilityChecks":74,"bundledLibraries":280},[139],{"fn":140,"file":141,"line":142,"context":143},"unserialize","core\\Google\\Cache\\File.php",59,"$data =  unserialize($data);",{"prepared":13,"raw":13,"locations":145},[],{"escaped":147,"rawEcho":148,"locations":149},25,63,[150,154,156,158,160,162,164,166,168,170,172,174,176,178,180,182,184,186,188,190,192,194,196,198,200,202,204,206,208,210,213,215,218,220,222,224,226,228,230,232,234,236,237,239,241,243,245,247,249,251,253,255,257,259,261,263,265,267,269,271,273,275,277],{"file":151,"line":152,"context":153},"admin_options.php",94,"raw 
output",{"file":151,"line":155,"context":153},104,{"file":151,"line":157,"context":153},120,{"file":151,"line":159,"context":153},124,{"file":151,"line":161,"context":153},135,{"file":151,"line":163,"context":153},141,{"file":151,"line":165,"context":153},152,{"file":151,"line":167,"context":153},154,{"file":40,"line":169,"context":153},174,{"file":40,"line":171,"context":153},183,{"file":40,"line":173,"context":153},201,{"file":40,"line":175,"context":153},425,{"file":40,"line":177,"context":153},462,{"file":40,"line":179,"context":153},463,{"file":40,"line":181,"context":153},510,{"file":40,"line":183,"context":153},526,{"file":40,"line":185,"context":153},579,{"file":40,"line":187,"context":153},581,{"file":40,"line":189,"context":153},593,{"file":40,"line":191,"context":153},598,{"file":40,"line":193,"context":153},599,{"file":40,"line":195,"context":153},604,{"file":40,"line":197,"context":153},605,{"file":40,"line":199,"context":153},631,{"file":40,"line":201,"context":153},638,{"file":40,"line":203,"context":153},646,{"file":40,"line":205,"context":153},657,{"file":40,"line":207,"context":153},661,{"file":40,"line":209,"context":153},663,{"file":211,"line":212,"context":153},"custom-header\\get_gallery_data.php",22,{"file":211,"line":214,"context":153},42,{"file":216,"line":217,"context":153},"options.php",91,{"file":216,"line":219,"context":153},101,{"file":216,"line":221,"context":153},117,{"file":216,"line":223,"context":153},121,{"file":216,"line":225,"context":153},132,{"file":216,"line":227,"context":153},138,{"file":216,"line":229,"context":153},149,{"file":216,"line":231,"context":153},151,{"file":216,"line":233,"context":153},181,{"file":216,"line":235,"context":153},182,{"file":216,"line":171,"context":153},{"file":216,"line":238,"context":153},184,{"file":92,"line":240,"context":153},236,{"file":92,"line":242,"context":153},390,{"file":92,"line":244,"context":153},444,{"file":92,"line":246,"context":153},446,{"file":92,"line":248,"context":153},449
,{"file":92,"line":250,"context":153},461,{"file":92,"line":252,"context":153},476,{"file":92,"line":254,"context":153},493,{"file":92,"line":256,"context":153},652,{"file":92,"line":258,"context":153},664,{"file":92,"line":260,"context":153},666,{"file":92,"line":262,"context":153},675,{"file":92,"line":264,"context":153},692,{"file":92,"line":266,"context":153},737,{"file":92,"line":268,"context":153},763,{"file":92,"line":270,"context":153},765,{"file":92,"line":272,"context":153},767,{"file":92,"line":274,"context":153},777,{"file":92,"line":276,"context":153},780,{"file":92,"line":278,"context":153},782,8,[],[282,300,312,321,330,351],{"entryPoint":283,"graph":284,"unsanitizedCount":74,"severity":299},"ga_options_do_network_errors (core\\core_google_apps_login.php:561)",{"nodes":285,"edges":296},[286,291],{"id":287,"type":288,"label":289,"file":40,"line":290},"n0","source","$_REQUEST",575,{"id":292,"type":293,"label":294,"file":40,"line":187,"wp_function":295},"n1","sink","echo() [XSS]","echo",[297],{"from":287,"to":292,"sanitized":298},false,"medium",{"entryPoint":301,"graph":302,"unsanitizedCount":310,"severity":311},"\u003Cadmin_options> (admin_options.php:0)",{"nodes":303,"edges":308},[304,307],{"id":287,"type":288,"label":305,"file":151,"line":306},"$_POST (x3)",99,{"id":292,"type":293,"label":294,"file":151,"line":155,"wp_function":295},[309],{"from":287,"to":292,"sanitized":298},3,"low",{"entryPoint":313,"graph":314,"unsanitizedCount":13,"severity":311},"\u003Ccore_google_apps_login> (core\\core_google_apps_login.php:0)",{"nodes":315,"edges":318},[316,317],{"id":287,"type":288,"label":289,"file":40,"line":290},{"id":292,"type":293,"label":294,"file":40,"line":187,"wp_function":295},[319],{"from":287,"to":292,"sanitized":320},true,{"entryPoint":322,"graph":323,"unsanitizedCount":74,"severity":311},"\u003Cget_gallery_data> 
(custom-header\\get_gallery_data.php:0)",{"nodes":324,"edges":328},[325,327],{"id":287,"type":288,"label":326,"file":211,"line":65},"$_POST",{"id":292,"type":293,"label":294,"file":211,"line":214,"wp_function":295},[329],{"from":287,"to":292,"sanitized":298},{"entryPoint":331,"graph":332,"unsanitizedCount":350,"severity":311},"\u003Coptions> (options.php:0)",{"nodes":333,"edges":347},[334,337,341,345],{"id":287,"type":288,"label":335,"file":216,"line":336},"$_POST (x6)",68,{"id":292,"type":293,"label":338,"file":216,"line":339,"wp_function":340},"update_option() [Settings Manipulation]",79,"update_option",{"id":342,"type":288,"label":343,"file":216,"line":344},"n2","$_POST (x7)",96,{"id":346,"type":293,"label":294,"file":216,"line":219,"wp_function":295},"n3",[348,349],{"from":287,"to":292,"sanitized":298},{"from":342,"to":346,"sanitized":298},13,{"entryPoint":352,"graph":353,"unsanitizedCount":279,"severity":311},"\u003CWebUser All in one> (WebUser All in one.php:0)",{"nodes":354,"edges":359},[355,358],{"id":287,"type":288,"label":356,"file":92,"line":357},"$_POST (x8)",588,{"id":292,"type":293,"label":294,"file":92,"line":256,"wp_function":295},[360],{"from":287,"to":292,"sanitized":298},{"summary":362,"deductions":363},"The webuser-all-in-one plugin v1.2.5 exhibits a mixed security posture.  On the positive side, it has no known vulnerabilities (CVEs), and the scan recorded no direct SQL queries at all (0 prepared, 0 raw), so no SQL injection sink was identified; this reflects the absence of SQL rather than the use of prepared statements.  Furthermore, the only identified entry point is a single shortcode (no AJAX handlers, REST routes or cron events were found) and it is not flagged as unprotected, although the scan counted just 1 capability check and 2 nonce checks across the plugin.  However, significant concerns arise from the static code analysis.  The presence of the `unserialize` function is a critical risk, as it can lead to Remote Code Execution if used with untrusted serialized data; the flagged call is in core\\Google\\Cache\\File.php (line 59), which appears to be a file-cache class, so the actual exposure depends on whether an attacker can influence the data that is read back.  
The taint analysis reveals that a majority of analyzed flows (5 out of 6) have unsanitized paths, indicating a potential for data to be processed without proper validation, even if no 'critical' or 'high' severity issues were flagged in the taint analysis itself.  In all five of those flows request data (`$_POST` or `$_REQUEST`) reaches an `echo` sink, and in options.php `$_POST` also reaches `update_option()`, which the scan labels as settings manipulation.  The low percentage of properly escaped output (25 of 88 output statements, about 28%) is also a considerable weakness, suggesting a high probability of Cross-Site Scripting (XSS) vulnerabilities.  The plugin's vulnerability history being completely clear is a positive sign, but it does not negate the risks identified in the current codebase.\n\nIn conclusion, while the plugin benefits from a clean vulnerability record and a seemingly secured attack surface, the identified use of `unserialize` and the prevalence of unsanitized paths in taint analysis, coupled with inadequate output escaping, present substantial security risks.  These code-level weaknesses require immediate attention to mitigate potential exploitation, particularly for XSS and potential RCE via unserialization: output should be escaped where it is echoed, request data validated and sanitized, and a nonce and the user's capability verified before settings are written.",[364,367,369],{"reason":365,"points":366},"Dangerous function unserialize found",15,{"reason":368,"points":11},"Low percentage of properly escaped output",{"reason":370,"points":371},"Most flows with unsanitized paths",12,"2026-03-17T00:28:46.920Z",{"wat":374,"direct":383},{"assetPaths":375,"generatorPatterns":378,"scriptPaths":379,"versionParams":380},[376,377],"\u002Fwp-content\u002Fplugins\u002Fwebuser-all-in-one\u002Fcore\u002Fcss\u002Fgoogle.css","\u002Fwp-content\u002Fplugins\u002Fwebuser-all-in-one\u002Fcore\u002Fjs\u002Fgoogle.js",[],[],[381,382],"webuser-all-in-one\u002Fstyle.css?ver=","webuser-all-in-one\u002Fscript.js?ver=",{"cssClasses":384,"htmlComments":385,"htmlAttributes":395,"restEndpoints":396,"jsGlobals":397,"shortcodeOutput":398},[],[386,387,388,389,390,391,392,393,394],"\u003C!-- Webuser capabilities BEGIN -->","\u003C!-- Webuser capabilities EINDE -->","\u003C!-- Webuser database installation BEGIN -->","\u003C!-- Webuser database installation 
EINDE -->","\u003C!-- Webuser optionsMenu BEGIN -->","\u003C!-- Webuser optionsMenu EINDE -->","\u003C!-- Webuser dashboardWidget BEGIN -->","\u003C!-- Webuser dashboardWidget EINDE -->","\u003C!-- This part adds Google Authentication -->",[],[],[],[]]