[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f5_AlRo62-lu7UMAjPuDLvB8FG0sqUVwDK2z2wss3RcY":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":17,"download_link":23,"security_score":24,"vuln_count":13,"unpatched_count":13,"last_vuln_date":25,"fetched_at":26,"vulnerabilities":27,"developer":28,"crawl_stats":25,"alternatives":36,"analysis":37,"fingerprints":121},"woo-purchased-products","Woo Purchased Products","1.1","Mithu A Quayium","https:\u002F\u002Fprofiles.wordpress.org\u002Fmithublue\u002F","\u003Ch4>Our Official Support Forum\u003C\u002Fh4>\n\u003Cp>To get faster support , You can contact through our official forum site.\u003Cbr \u002F>\nOfficial support forum : http:\u002F\u002Fsupports.cybercraftit.com\u002Fsupports\u002Fsupport\u002Fwoo-purchased-products\u002F\u003C\u002Fp>\n\u003Ch3>1.0\u003C\u002Fh3>\n\u003Col>\n\u003Cli>[new] Plugin released\u003C\u002Fli>\n\u003C\u002Fol>\n","The plugin to help a logged in user show list of products purchased by him in his 
account",10,1087,0,"2017-04-07T07:52:00.000Z","4.7.32","3.0.1","",[19,20,4,21,22],"customer-admin-panel","purchased-product-list","woocommerce-purchased-product-history","woocommerce-purchased-products","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-purchased-products.zip",85,null,"2026-03-15T15:16:48.613Z",[],{"slug":29,"display_name":7,"profile_url":8,"plugin_count":30,"total_installs":31,"avg_security_score":32,"avg_patch_time_days":33,"trust_score":34,"computed_at":35},"mithublue",16,500,86,30,84,"2026-04-04T09:16:19.188Z",[],{"attackSurface":38,"codeSignals":89,"taintFlows":107,"riskAssessment":108,"analyzedAt":120},{"hooks":39,"ajaxHandlers":79,"restRoutes":85,"shortcodes":86,"cronEvents":87,"entryPointCount":88,"unprotectedCount":88},[40,46,50,53,57,62,66,71,75],{"type":41,"name":42,"callback":43,"file":44,"line":45},"action","load-plugins.php","vote_init","vote.php",6,{"type":41,"name":47,"callback":48,"file":44,"line":49},"admin_notices","message",15,{"type":41,"name":51,"callback":52,"file":44,"line":30},"admin_head","register",{"type":41,"name":54,"callback":55,"file":44,"line":56},"admin_footer","enqueue",17,{"type":41,"name":58,"callback":59,"file":60,"line":61},"wp_enqueue_scripts","wp_enqueue_scripts_styles","woo-purchased-products.php",49,{"type":41,"name":63,"callback":64,"file":60,"line":65},"init","add_tab_endpoint",50,{"type":67,"name":68,"callback":69,"priority":13,"file":60,"line":70},"filter","query_vars","tabs_query_vars",51,{"type":67,"name":72,"callback":73,"file":60,"line":74},"woocommerce_account_menu_items","add_menu_item",52,{"type":41,"name":76,"callback":77,"file":60,"line":78},"woocommerce_account_cpp-purchased-products_endpoint","purchased_product_item_content",53,[80],{"action":81,"nopriv":82,"callback":83,"hasNonce":82,"hasCapCheck":82,"file":44,"line":84},"wcpp_vote",false,"vote",7,[],[],[],1,{"dangerousFunctions":90,"sqlUsage":91,"outputEscaping":93,"fileOperations":13,"externalRequests":13,"nonceChecks":13,"cap
abilityChecks":13,"bundledLibraries":106},[],{"prepared":13,"raw":13,"locations":92},[],{"escaped":88,"rawEcho":94,"locations":95},5,[96,99,101,103,105],{"file":44,"line":97,"context":98},76,"raw output",{"file":60,"line":100,"context":98},112,{"file":60,"line":102,"context":98},114,{"file":60,"line":104,"context":98},116,{"file":60,"line":104,"context":98},[],[],{"summary":109,"deductions":110},"The \"woo-purchased-products\" plugin v1.1 presents a concerning security posture due to a significant lack of security controls. On the positive side, the static analysis found no dangerous functions, no SQL queries (raw or prepared), no file operations and no external HTTP requests. The most glaring issue is a single AJAX handler (wcpp_vote) that has neither a nonce check nor a capability check. The handler is not registered for unauthenticated (nopriv) requests, so it appears to be reachable only by logged-in users, but any logged-in user, whatever their role, can invoke it. Furthermore, only 1 of 6 output statements (17%) is escaped; the 5 raw echo statements should be reviewed for Cross-Site Scripting (XSS), which is a risk wherever an echoed value can be influenced by a user.\n\nThe plugin has no recorded vulnerabilities. Because it was last updated in April 2017 and has about 10 active installs, this may reflect limited scrutiny rather than a sound codebase, and it does not offset the flaws identified in the static analysis. The lack of nonce checks on the AJAX handler makes it susceptible to Cross-Site Request Forgery (CSRF) attacks. In conclusion, while the plugin avoids some common pitfalls, the unprotected AJAX handler and widespread unescaped output create substantial risks that require immediate attention. 
The plugin's strengths in avoiding raw SQL and dangerous functions do not offset its AJAX handler without nonce or capability checks and its potential for XSS. The handler should verify a nonce and check a capability (for example with check_ajax_referer() and current_user_can()), and each raw echo should pass through an escaping function such as esc_html() or esc_attr().",[111,113,116,118],{"reason":112,"points":11},"AJAX handler without auth checks",{"reason":114,"points":115},"Low percentage of properly escaped output",8,{"reason":117,"points":11},"Missing nonce checks on AJAX",{"reason":119,"points":11},"Missing capability checks on AJAX","2026-03-17T00:31:15.462Z",{"wat":122,"direct":131},{"assetPaths":123,"generatorPatterns":127,"scriptPaths":128,"versionParams":130},[124,125,126],"\u002Fwp-content\u002Fplugins\u002Fwoo-purchased-products\u002Fassets\u002Fcss\u002Fwrapper-bs.css","\u002Fwp-content\u002Fplugins\u002Fwoo-purchased-products\u002Fassets\u002Fcss\u002Fvote.css","\u002Fwp-content\u002Fplugins\u002Fwoo-purchased-products\u002Fassets\u002Fjs\u002Fvote.js",[],[129],"wp-content\u002Fplugins\u002Fwoo-purchased-products\u002Fassets\u002Fjs\u002Fvote.js",[],{"cssClasses":132,"htmlComments":138,"htmlAttributes":139,"restEndpoints":141,"jsGlobals":142,"shortcodeOutput":143},[133,134,135,136,137],"bs-container","container-fluid","wcpp-vote-action","wcpp-vote-button","wcpp-cancel-button",[],[140],"data-action",[],[],[]]