[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fkb2rJ86R3YAeys3LJSc50rT9NMITk5L-YZWtO70Z5hE":3,"$fwMrc5-FnGA9Mep1Db2NaCz6EsXfUm5N6AFr3FcgGTU8":394,"$flsuL0WM0rDhW5TUo4VLpXMbtTO4FZCxUAZFXvneQTYU":399},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":24,"download_link":25,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28,"discovery_status":29,"vulnerabilities":30,"developer":31,"crawl_stats":27,"alternatives":37,"analysis":140,"fingerprints":376},"wordless-extender","Wordless Extender","1.2.1","welaika","https:\u002F\u002Fprofiles.wordpress.org\u002Fwelaika\u002F","\u003Cp>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fwelaika\u002Fwordless\" rel=\"nofollow ugc\">Wordless\u003C\u002Fa> is the WP themes framework developed and used by \u003Ca href=\"http:\u002F\u002Fdev.welaika.com\" rel=\"nofollow ugc\">weLaika\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>As we wrote in the Wordless README:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>« Wordless is not meant to be a bloated, all-included tool.\nThis is why we recommend adding some other plugins\nto get the most out of your beautiful WP developer life »\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cem>Wordless Extender\u003C\u002Fem> (WLE from now on) is a starting point for every Wordless theme.\u003Cbr \u002F>\nLet’s take a look in depth.\u003C\u002Fp>\n\u003Ch3>Plugin Manager\u003C\u002Fh3>\n\u003Cp>Never change a winning team! 
These are our \u003Cem>starred\u003C\u002Fem> plugins; with these we cover the 90% of our developing needs.\u003Cbr \u002F>\nYou’ll have a control panel inside WLE to list, enable, disable and upgrade plugins from the collection; never search that useful plugin crawling the WP.org repo and have team kickstart projects with always the same plugin set.\u003C\u002Fp>\n\u003Ch3>Config Constants\u003C\u002Fh3>\n\u003Cp>Manage WP constants (stored in your wp-config.php) directly within the WP backend.\u003C\u002Fp>\n\u003Cp>We got inspired by WordPress \u003Ca href=\"https:\u002F\u002Fcodex.wordpress.org\u002FEditing_wp-config.php\" rel=\"nofollow ugc\">guidelines\u003C\u002Fa> and we crafted this little control panel. It is intended for advanced users: we are not interested in making things easy, but we’d like to remember important\u002Fcomplex\u002Fabstruse settings and have them always just one click away.\u003C\u002Fp>\n\u003Cp>Everytime you’ll update these configs \u003Ccode>wp-config.php\u003C\u002Fcode> file will be backed-up in \u003Ccode>wp-config.php.orig\u003C\u002Fcode>. Keep in mind.\u003C\u002Fp>\n\u003Ch3>Security fixes\u003C\u002Fh3>\n\u003Cp>This is the most important section: improving security.\u003Cbr \u002F>\nMost of the tricks are directly from \u003Ca href=\"https:\u002F\u002Fcodex.wordpress.org\u002FHardening_WordPress\" rel=\"nofollow ugc\">Hardening WordPress\u003C\u002Fa> guide; others are tricks discovered on battlefield.\u003C\u002Fp>\n\u003Cp>You have to know what you are doing. Follow the comments in the panel if you are confused. 
Remind that when you’ll let the plugin rewrite your \u003Ccode>.htaccess\u003C\u002Fcode> file, it will take a backup copy of the last version in \u003Ccode>.htaccess.orig\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cp>If you are asking about the things are we doing with your \u003Ccode>.htaccess\u003C\u002Fcode> go read the template in \u003Ccode>resources\u002Fhtaccess.tpl\u003C\u002Fcode>.\u003Cbr \u002F>\nEssentially we’ll block access to various files and locations.\u003Cbr \u002F>\nWe are always at work to improve this section, so if you have some tips open an issue or send a pull request.\u003C\u002Fp>\n\u003Ch3>Wordless integration\u003C\u002Fh3>\n\u003Cp>WLE menu in the WP backend, will be integrated with the Wordless 0.4+ backend menu, creating \u003Cem>one place to rule them all!\u003C\u002Fem>\u003C\u002Fp>\n\u003Ch3>Need more tools?\u003C\u002Fh3>\n\u003Cp>Visit \u003Ca href=\"http:\u002F\u002Fwptools.it\" rel=\"nofollow ugc\">WordPress Tools\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>Licence\u003C\u002Fh3>\n\u003Cp>(The MIT License)\u003C\u002Fp>\n\u003Cp>Copyright © 2014-2015 weLaika\u003C\u002Fp>\n\u003Cp>Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the ‘Software’), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and\u002For sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\u003C\u002Fp>\n\u003Cp>The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\u003C\u002Fp>\n\u003Cp>THE SOFTWARE IS PROVIDED ‘AS IS’, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\u003C\u002Fp>\n","Wordless Extender is a starting point for everyone: list of commonly used plugins, wp-config.php \u002F .htaccess configuration and security improvements.",10,1815,0,"2017-09-28T13:36:00.000Z","4.7.33","4.0","",[19,20,21,22,23],"configuration","htaccess","security","wordless","wp-config","https:\u002F\u002Fgithub.com\u002Fwelaika\u002Fwordless-extender","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwordless-extender.1.2.1.zip",85,null,"2026-04-16T10:56:18.058Z","no_bundle",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":32,"total_installs":33,"avg_security_score":26,"avg_patch_time_days":34,"trust_score":35,"computed_at":36},3,130,30,84,"2026-05-20T08:23:23.328Z",[38,57,79,97,119],{"slug":39,"name":40,"version":41,"author":42,"author_profile":43,"description":44,"short_description":40,"active_installs":45,"downloaded":46,"rating":47,"num_ratings":48,"last_updated":49,"tested_up_to":50,"requires_at_least":51,"requires_php":52,"tags":53,"homepage":17,"download_link":56,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"wp-configuration-and-status","WP Configuration and Status","0.0.3","klickonit","https:\u002F\u002Fprofiles.wordpress.org\u002Fklickonit\u002F","\u003Cp>WP Configuration and Status is a simple plugin which, once enabled, will allow easy access to key configuration parameters within your WordPress installation.\u003C\u002Fp>\n\u003Ch4>Key Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Shows the contents of php.info\u003C\u002Fli>\n\u003Cli>Shows the contents of .htaccess\u003C\u002Fli>\n\u003Cli>Shows the contents of 
wp-config.php\u003C\u002Fli>\n\u003C\u002Ful>\n",40,2618,80,1,"2017-12-05T03:17:00.000Z","4.9.29","3.8","5.4",[19,20,54,55,23],"php-info","php-ini","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-configuration-and-status.zip",{"slug":58,"name":59,"version":60,"author":61,"author_profile":62,"description":63,"short_description":64,"active_installs":65,"downloaded":66,"rating":67,"num_ratings":68,"last_updated":69,"tested_up_to":70,"requires_at_least":71,"requires_php":72,"tags":73,"homepage":77,"download_link":78,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"zotya-htaccess-protect","htaccess protect","0.7.0","zoltanlaczko","https:\u002F\u002Fprofiles.wordpress.org\u002Fzoltanlaczko\u002F","\u003Cp>Using the password protection will give you extra security layer of protection from brute force hacking attacks. Additionally, it’s also an easy way to password protect your entire site, without needing to create separate WordPress users for each visitor.\u003C\u002Fp>\n\u003Cp>When you enable the password protection, the user won’t be able to see anything – not even see the protected page – until he\u002Fshe inserts the username\u002Fpassword. 
You can password protect the whole website, including the administrator pages; you can password protect the administrator pages; or you can password protect the WordPress login page.\u003C\u002Fp>\n\u003Cp>The plugin options include:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Enabling\u002Fdisabling the password protection to wp-login.php, WordPress admin pages.\u003C\u002Fli>\n\u003Cli>Modifying the existing users: you can change any .htaccess user’s password and remove the users.\u003C\u002Fli>\n\u003Cli>Create\u002Fmodify an unlimited number of .htaccess users;\u003C\u002Fli>\n\u003Cli>Protect your whole site, making it accessible to only those who have the .htaccess user.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This plugin is originally was based on \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fhtaccess-site-access-control\u002F\" rel=\"ugc\">.htaccess Site Access Control\u003C\u002Fa>. That plugin was working fine but it was abandoned for years and not compatible with the latest WordPress. 
Most part of the plugin were refactored and translated.\u003C\u002Fp>\n","htaccess protect - Protect your wordpress login or admin pages with password.",900,10815,74,6,"2022-01-23T19:01:00.000Z","5.9.13","5.0","5.6",[20,74,75,76,21],"htpasswd","protect","protection","https:\u002F\u002Fgithub.com\u002Fzoltanlaczko\u002Fwp-htaccess-protect\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fzotya-htaccess-protect.0.7.0.zip",{"slug":80,"name":81,"version":82,"author":83,"author_profile":84,"description":85,"short_description":86,"active_installs":87,"downloaded":88,"rating":47,"num_ratings":32,"last_updated":89,"tested_up_to":90,"requires_at_least":91,"requires_php":17,"tags":92,"homepage":95,"download_link":96,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"htaccess-site-access-control",".htaccess Site Access Control","1.0","Miina Sikk","https:\u002F\u002Fprofiles.wordpress.org\u002Fmiinasikk\u002F","\u003Cp>Using the password protection will give you extra security layer of protection from brute force hacking attacks. Additionally, it’s also an easy way to password protect your entire site, without needing to create separate WordPress users for each visitor.\u003C\u002Fp>\n\u003Cp>When you enable the password protection, the user won’t be able to see anything – not even see the protected page – until he\u002Fshe inserts the username\u002Fpassword. You can password protect the whole website, including the administrator pages; you can password protect the administrator pages; or you can password protect the WordPress login page.\u003C\u002Fp>\n\u003Cp>Free plugin options include:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Enabling\u002Fdisabling the password protection to wp-login.php, WordPress admin pages. 
Note that you’ll be asked to re-type the .htaccess username\u002Fpassword you created before enabling any of the settings – to ensure that you wouldn’t enable the password protection without even knowing the password yourself!\u003C\u002Fli>\n\u003Cli>Modifying the existing users: you can change any .htaccess user’s password and remove the users.\u003C\u002Fli>\n\u003Cli>Adding one .htaccess user.   \u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Premium plugin options:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Create\u002Fmodify an unlimited number of .htaccess users;\u003C\u002Fli>\n\u003Cli>Protect your whole site, making it accessible to only those who have the .htaccess user.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>If you have any other suggestions, please let us know! You can contact us via http:\u002F\u002Fwww.wpsos.io\u002Fwordpress-plugin-htaccess-site-access-control\u002F\u003C\u002Fp>\n\u003Cp>For more information and support, check out: http:\u002F\u002Fwww.wpsos.io\u002Fwordpress-plugin-htaccess-site-access-control\u002F\u003C\u002Fp>\n","Using the password protection will give you extra security layer of protection from brute force hacking attacks. 
Additionally, it's also an easy  &hellip;",800,9528,"2016-05-11T14:32:00.000Z","4.4.34","3.0.1",[20,74,93,21,94],"securing","wpsos","http:\u002F\u002Fwww.wpsos.io\u002Fwordpress-plugin-htaccess-site-access-control\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhtaccess-site-access-control.zip",{"slug":98,"name":99,"version":100,"author":101,"author_profile":102,"description":103,"short_description":104,"active_installs":105,"downloaded":106,"rating":107,"num_ratings":108,"last_updated":109,"tested_up_to":110,"requires_at_least":111,"requires_php":17,"tags":112,"homepage":117,"download_link":118,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"wp-safely-disable-directory-browsing","WP safely disable directory browsing","0.1","Maurisource","https:\u002F\u002Fprofiles.wordpress.org\u002Fmaurisource\u002F","\u003Cp>This essential .htaccess rules plugin allow you to improve security of your wordpress blog.\u003C\u002Fp>\n\u003Cp>More info:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>More info on \u003Ca href=\"http:\u002F\u002Fwww.maurisource.com\u002Fblog\u002Fwp-safely-disable-directory-browsing\u002F\" rel=\"nofollow ugc\">WP safely disable directory browsing\u003C\u002Fa>, with info on how to configure it.\u003C\u002Fli>\n\u003Cli>Special Thanks to \u003Ca href=\"http:\u002F\u002Fwww.maurisource.com\u002F\" rel=\"nofollow ugc\">Agence web Montreal\u003C\u002Fa> for support.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Changelog\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch4>0.1\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>first release\u003C\u002Fli>\n\u003C\u002Ful>\n","This essential .htaccess rules plugin allow you to improve security of your wordpress 
blog.",300,5960,82,8,"2012-10-05T18:03:00.000Z","2.9.2","2.6",[113,20,114,115,116],"directory-browsing","web-performance-optimization","wordpress-security","wp-content","http:\u002F\u002Fwww.maurisource.com\u002Fblog\u002Fwp-safely-disable-directory-browsing\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-safely-disable-directory-browsing.zip",{"slug":120,"name":121,"version":122,"author":123,"author_profile":124,"description":125,"short_description":126,"active_installs":127,"downloaded":128,"rating":129,"num_ratings":130,"last_updated":131,"tested_up_to":132,"requires_at_least":133,"requires_php":17,"tags":134,"homepage":137,"download_link":138,"security_score":139,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"sar-one-click-security","SAR One Click Security","1.3","Samuel Aguilera","https:\u002F\u002Fprofiles.wordpress.org\u002Fsamuelaguilera\u002F","\u003Cp>There’s a lot of WordPress security plugins with many many options and pages to setup. And that is fine if you know what to do.\u003Cbr \u002F>\nBut most of the times, you don’t need so much or simply you’re not sure about what to set or not.\u003C\u002Fp>\n\u003Cp>This plugin adds some extra security to your WordPress with only one click. \u003Cstrong>No options page, just activate it!\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cp>Like many other security plugins SAR One Click Security adds well known .htaccess rules, but only the ones probed to be safe to use in almost any type of site (including WooCommerce stores), to protect your WordPress from common attacks. 
This allows you to have a safer WordPress without worries about what protection you should be using.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Turn off ServerSignature directive, that may leak information about your web server.\u003C\u002Fli>\n\u003Cli>Turn off directory listing, avoiding bad configured hostings to leak your files.\u003C\u002Fli>\n\u003Cli>Blocks public access (from web) to following files that may leak information about your WordPress install: .htaccess, license.txt, readme.html, wp-config.php, wp-config-sample.php, install.php\u003C\u002Fli>\n\u003Cli>Blocks access to wp-login.php to dummy bots trying to register in WordPress sites that have registration disabled.\u003C\u002Fli>\n\u003Cli>Blocks requests looking for timthumb.php, reducing server load caused by bots trying to find it. (*)\u003C\u002Fli>\n\u003Cli>Blocks TRACE and TRACK request methods, preventing XST attacks.\u003C\u002Fli>\n\u003Cli>Blocks direct posting to wp-comments-post.php (most spammers do this) and access with blank User Agent, reducing spam comments a lot and also server load.\u003C\u002Fli>\n\u003Cli>Blocks direct access to PHP files in wp-content directory (this includes subdirectories like plugins or themes). Protecting you from a huge number of 0day exploits.\u003C\u002Fli>\n\u003Cli>Blocks direct POST to wp-login.php and access with blank User Agent, preventing most brute-force attacks and reducing server load.\u003C\u002Fli>\n\u003Cli>Blocks access to .txt files under any plugin\u002Ftheme directory to prevent scans for installed plugins\u002Fthemes.\u003C\u002Fli>\n\u003Cli>Blocks any query string trying to get a copy of the wp-config.php file.\u003C\u002Fli>\n\u003Cli>Blocks gf_page=upload query string argument, this was deprecated in Gravity Forms on May 2015, if your copy of Gravity Forms still uses it, update now!\u003C\u002Fli>\n\u003Cli>Removes version information from page headers. 
This includes not only the page header (html or xhtml) but also feed headers (rss, rss2, atom, rdf) and opml comments. Only the version number is removed, not the entire generator information.  \u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>(*) If your theme uses TimThumb, you can disable that blocking rule, check FAQ before installing the plugin to see how.\u003C\u002Fp>\n\u003Ch4>Requirements\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>WordPress 3.9.2 or higher. (Works with WordPress network\u002Fmultisite installation).\u003C\u002Fli>\n\u003Cli>Apache 2.4.x web server\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>It has been tested in many servers including large providers like HostGator, Godaddy and 1&1 with optimal results, and it will work fine in any decent hosting service (that allows you to set options from .htaccess files).\u003C\u002Fp>\n\u003Cp>Anyway, if you get any problem after activating the plugin, check FAQ for instructions on how to manually uninstall it.\u003C\u002Fp>\n\u003Cp>If you’re not sure of which server is your hosting company using or if they allow to use custom .htaccess rules, I would recommend you to contact with your host support \u003Cstrong>before\u003C\u002Fstrong> installing the plugin.\u003C\u002Fp>\n\u003Ch4>Usage\u003C\u002Fh4>\n\u003Cp>To apply above mentioned security rules simply install and activate the plugin, no options page, no user setup!\u003C\u002Fp>\n\u003Cp>If you need to remove the security rules for some reason, simply deactivate the plugin. 
If you want to add them again, activate the plugin again, that easy 😉\u003C\u002Fp>\n\u003Cp>And remember, \u003Cstrong>if your theme uses TimThumb, check FAQ before installing the plugin\u003C\u002Fstrong>.\u003C\u002Fp>\n","Adds some extra security to your WordPress with only one click.",200,13682,100,7,"2025-03-03T20:53:00.000Z","6.7.5","3.9.2",[135,136,20,76,21],"firewall","hardening","http:\u002F\u002Fwww.samuelaguilera.com\u002Farchivo\u002Fprotege-wordpress-facilmente.xhtml","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsar-one-click-security.1.3.zip",92,{"attackSurface":141,"codeSignals":181,"taintFlows":252,"riskAssessment":361,"analyzedAt":375},{"hooks":142,"ajaxHandlers":177,"restRoutes":178,"shortcodes":179,"cronEvents":180,"entryPointCount":13,"unprotectedCount":13},[143,148,151,156,160,163,169,174],{"type":144,"name":145,"callback":146,"file":147,"line":34},"action","admin_enqueue_scripts","wle_constants_scripts","functions.php",{"type":144,"name":145,"callback":149,"file":147,"line":150},"wle_stylesheets",38,{"type":144,"name":152,"callback":153,"priority":11,"file":154,"line":155},"admin_menu","create_menus","wordless-extender\\WordlessExtender.php",14,{"type":144,"name":157,"callback":158,"file":154,"line":159},"admin_action_update_constants","update_constants",73,{"type":144,"name":161,"callback":162,"file":154,"line":67},"admin_action_update_securities","update_securities",{"type":164,"name":165,"callback":166,"file":167,"line":168},"filter","the_generator","anonymous","wordless-extender\\WordlessExtenderSecurity.php",95,{"type":164,"name":170,"callback":171,"priority":172,"file":167,"line":173},"style_loader_src","remove_ver_scripts",102,113,{"type":164,"name":175,"callback":171,"priority":172,"file":167,"line":176},"script_loader_src",114,[],[],[],[],{"dangerousFunctions":182,"sqlUsage":186,"outputEscaping":188,"fileOperations":250,"externalRequests":13,"nonceChecks":13,"capabilityChecks":13,"bundledLibraries":251},[183],{"fn":184,
"file":167,"line":168,"context":185},"create_function","add_filter('the_generator', create_function('', 'return \"\";'));",{"prepared":13,"raw":13,"locations":187},[],{"escaped":48,"rawEcho":189,"locations":190},29,[191,194,197,199,201,203,205,207,209,211,213,214,217,219,220,222,224,226,228,230,231,233,234,236,238,240,242,245,248],{"file":147,"line":192,"context":193},20,"raw output",{"file":195,"line":196,"context":193},"plugins.html.php",50,{"file":195,"line":198,"context":193},51,{"file":195,"line":200,"context":193},53,{"file":195,"line":202,"context":193},57,{"file":195,"line":204,"context":193},63,{"file":195,"line":206,"context":193},69,{"file":195,"line":208,"context":193},75,{"file":195,"line":210,"context":193},81,{"file":195,"line":212,"context":193},87,{"file":195,"line":139,"context":193},{"file":215,"line":216,"context":193},"security.html.php",36,{"file":215,"line":218,"context":193},62,{"file":215,"line":204,"context":193},{"file":215,"line":221,"context":193},64,{"file":215,"line":223,"context":193},65,{"file":215,"line":225,"context":193},66,{"file":215,"line":227,"context":193},67,{"file":215,"line":229,"context":193},68,{"file":215,"line":206,"context":193},{"file":215,"line":232,"context":193},70,{"file":215,"line":210,"context":193},{"file":215,"line":235,"context":193},93,{"file":215,"line":237,"context":193},105,{"file":215,"line":239,"context":193},122,{"file":215,"line":241,"context":193},123,{"file":243,"line":244,"context":193},"wordless-extender\\WordlessExtenderConstantForm.php",45,{"file":246,"line":247,"context":193},"wordless-extender\\WordlessExtenderConstantManager.php",46,{"file":249,"line":189,"context":193},"wordless-extender.php",12,[],[253,277,287,297,309,322,332,340,353],{"entryPoint":254,"graph":255,"unsanitizedCount":48,"severity":276},"\u003Cconstants.html> 
(constants.html.php:0)",{"nodes":256,"edges":272},[257,263,267],{"id":258,"type":259,"label":260,"file":261,"line":262},"n0","source","$_GET['message']","constants.html.php",5,{"id":264,"type":265,"label":266,"file":261,"line":262},"n1","transform","→ wle_show_message()",{"id":268,"type":269,"label":270,"file":147,"line":192,"wp_function":271},"n2","sink","echo() [XSS]","echo",[273,275],{"from":258,"to":264,"sanitized":274},false,{"from":264,"to":268,"sanitized":274},"medium",{"entryPoint":278,"graph":279,"unsanitizedCount":48,"severity":276},"\u003Csecurity.html> (security.html.php:0)",{"nodes":280,"edges":284},[281,282,283],{"id":258,"type":259,"label":260,"file":215,"line":32},{"id":264,"type":265,"label":266,"file":215,"line":32},{"id":268,"type":269,"label":270,"file":147,"line":192,"wp_function":271},[285,286],{"from":258,"to":264,"sanitized":274},{"from":264,"to":268,"sanitized":274},{"entryPoint":288,"graph":289,"unsanitizedCount":48,"severity":276},"print_init_buttons (wordless-extender\\WordlessExtenderConstantManager.php:41)",{"nodes":290,"edges":295},[291,294],{"id":258,"type":259,"label":292,"file":246,"line":293},"$_SERVER['REQUEST_URI']",47,{"id":264,"type":269,"label":270,"file":246,"line":247,"wp_function":271},[296],{"from":258,"to":264,"sanitized":274},{"entryPoint":298,"graph":299,"unsanitizedCount":48,"severity":276},"update_constants (wordless-extender\\WordlessExtenderConstantManager.php:115)",{"nodes":300,"edges":307},[301,303],{"id":258,"type":259,"label":302,"file":246,"line":241},"$_SERVER",{"id":264,"type":269,"label":304,"file":246,"line":305,"wp_function":306},"wp_redirect() [Open Redirect]",124,"wp_redirect",[308],{"from":258,"to":264,"sanitized":274},{"entryPoint":310,"graph":311,"unsanitizedCount":321,"severity":276},"\u003CWordlessExtenderConstantManager> 
(wordless-extender\\WordlessExtenderConstantManager.php:0)",{"nodes":312,"edges":318},[313,314,315,316],{"id":258,"type":259,"label":292,"file":246,"line":293},{"id":264,"type":269,"label":270,"file":246,"line":247,"wp_function":271},{"id":268,"type":259,"label":302,"file":246,"line":241},{"id":317,"type":269,"label":304,"file":246,"line":305,"wp_function":306},"n3",[319,320],{"from":258,"to":264,"sanitized":274},{"from":268,"to":317,"sanitized":274},2,{"entryPoint":323,"graph":324,"unsanitizedCount":48,"severity":276},"update_securities (wordless-extender\\WordlessExtenderSecurity.php:131)",{"nodes":325,"edges":330},[326,328],{"id":258,"type":259,"label":302,"file":167,"line":327},139,{"id":264,"type":269,"label":304,"file":167,"line":329,"wp_function":306},140,[331],{"from":258,"to":264,"sanitized":274},{"entryPoint":333,"graph":334,"unsanitizedCount":48,"severity":276},"\u003CWordlessExtenderSecurity> (wordless-extender\\WordlessExtenderSecurity.php:0)",{"nodes":335,"edges":338},[336,337],{"id":258,"type":259,"label":302,"file":167,"line":327},{"id":264,"type":269,"label":304,"file":167,"line":329,"wp_function":306},[339],{"from":258,"to":264,"sanitized":274},{"entryPoint":341,"graph":342,"unsanitizedCount":48,"severity":352},"save (wordless-extender\\WordlessExtenderDB.php:5)",{"nodes":343,"edges":350},[344,347],{"id":258,"type":259,"label":345,"file":346,"line":11},"$_POST[$name]","wordless-extender\\WordlessExtenderDB.php",{"id":264,"type":269,"label":348,"file":346,"line":11,"wp_function":349},"update_option() [Settings Manipulation]","update_option",[351],{"from":258,"to":264,"sanitized":274},"low",{"entryPoint":354,"graph":355,"unsanitizedCount":48,"severity":352},"\u003CWordlessExtenderDB> 
(wordless-extender\\WordlessExtenderDB.php:0)",{"nodes":356,"edges":359},[357,358],{"id":258,"type":259,"label":345,"file":346,"line":11},{"id":264,"type":269,"label":348,"file":346,"line":11,"wp_function":349},[360],{"from":258,"to":264,"sanitized":274},{"summary":362,"deductions":363},"The Wordless Extender plugin v1.2.1 exhibits a mixed security posture. On one hand, it demonstrates excellent practices by using prepared statements exclusively for SQL queries and having no known CVEs or recorded vulnerabilities.  The absence of external HTTP requests and no bundled libraries further contribute to a potentially reduced attack surface in these areas.\n\nHowever, significant concerns arise from the static analysis. The presence of the `create_function` function, which is deprecated and can lead to code injection vulnerabilities if not handled with extreme care, is a notable risk.  Furthermore, only a meager 3% of output is properly escaped, indicating a high susceptibility to Cross-Site Scripting (XSS) attacks.  The taint analysis revealing that 9 out of 9 analyzed flows have unsanitized paths, even if not classified as critical or high severity, suggests potential for various injection attacks if these paths are exposed to user input.\n\nThe plugin's clean vulnerability history is a positive indicator, suggesting it may have been developed with security in mind, or has not yet been thoroughly targeted. However, the identified code signals and taint analysis findings represent genuine weaknesses that could be exploited.  
Nonce and capability checks, while not explicitly linked to an attack surface in this report, are standard security practices that are absent here, leaving potential gaps for unauthorized actions if an attack vector were to be found.",[364,367,369,371,373],{"reason":365,"points":366},"Dangerous function (create_function) used",15,{"reason":368,"points":108},"Low percentage of properly escaped output",{"reason":370,"points":250},"Unsanitized paths in taint analysis",{"reason":372,"points":262},"Missing nonce checks",{"reason":374,"points":262},"Missing capability checks","2026-03-17T00:49:51.221Z",{"wat":377,"direct":384},{"assetPaths":378,"generatorPatterns":381,"scriptPaths":382,"versionParams":383},[379,380],"\u002Fwp-content\u002Fplugins\u002Fwordless-extender\u002Fstylesheets\u002Fwordless-extender.css","\u002Fwp-content\u002Fplugins\u002Fwordless-extender\u002Fjavascripts\u002Fconstants.js",[],[380],[],{"cssClasses":385,"htmlComments":388,"htmlAttributes":389,"restEndpoints":391,"jsGlobals":392,"shortcodeOutput":393},[386,387,4],"wle_constants","wle_style",[],[390],"data-slug",[],[],[],{"error":395,"url":396,"statusCode":397,"statusMessage":398,"message":398},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fwordless-extender\u002Fbundle",404,"no bundle for this plugin 
yet",{"slug":4,"current_version":6,"total_versions":250,"versions":400},[401,406,413,420,427,434,441,448,455,462,469,476],{"version":6,"download_url":25,"svn_tag_url":402,"released_at":27,"has_diff":274,"diff_files_changed":403,"diff_lines":27,"trac_diff_url":404,"vulnerabilities":405,"is_current":395},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwordless-extender\u002Ftags\u002F1.2.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwordless-extender%2Ftags%2F1.2.0&new_path=%2Fwordless-extender%2Ftags%2F1.2.1",[],{"version":407,"download_url":408,"svn_tag_url":409,"released_at":27,"has_diff":274,"diff_files_changed":410,"diff_lines":27,"trac_diff_url":411,"vulnerabilities":412,"is_current":274},"1.2.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwordless-extender.1.2.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwordless-extender\u002Ftags\u002F1.2.0\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwordless-extender%2Ftags%2F1.1.3&new_path=%2Fwordless-extender%2Ftags%2F1.2.0",[],{"version":414,"download_url":415,"svn_tag_url":416,"released_at":27,"has_diff":274,"diff_files_changed":417,"diff_lines":27,"trac_diff_url":418,"vulnerabilities":419,"is_current":274},"1.1.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwordless-extender.1.1.3.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwordless-extender\u002Ftags\u002F1.1.3\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwordless-extender%2Ftags%2F1.1.2&new_path=%2Fwordless-extender%2Ftags%2F1.1.3",[],{"version":421,"download_url":422,"svn_tag_url":423,"released_at":27,"has_diff":274,"diff_files_changed":424,"diff_lines":27,"trac_diff_url":425,"vulnerabilities":426,"is_current":274},"1.1.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwordless-extender.1.1.2.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwordless-extender\u002Ftags\u002F1.1.2
\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwordless-extender%2Ftags%2F1.1.1&new_path=%2Fwordless-extender%2Ftags%2F1.1.2",[],{"version":428,"download_url":429,"svn_tag_url":430,"released_at":27,"has_diff":274,"diff_files_changed":431,"diff_lines":27,"trac_diff_url":432,"vulnerabilities":433,"is_current":274},"1.1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwordless-extender.1.1.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwordless-extender\u002Ftags\u002F1.1.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwordless-extender%2Ftags%2F1.1.0&new_path=%2Fwordless-extender%2Ftags%2F1.1.1",[],{"version":435,"download_url":436,"svn_tag_url":437,"released_at":27,"has_diff":274,"diff_files_changed":438,"diff_lines":27,"trac_diff_url":439,"vulnerabilities":440,"is_current":274},"1.1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwordless-extender.1.1.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwordless-extender\u002Ftags\u002F1.1.0\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwordless-extender%2Ftags%2F1.0.8&new_path=%2Fwordless-extender%2Ftags%2F1.1.0",[],{"version":442,"download_url":443,"svn_tag_url":444,"released_at":27,"has_diff":274,"diff_files_changed":445,"diff_lines":27,"trac_diff_url":446,"vulnerabilities":447,"is_current":274},"1.0.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwordless-extender.1.0.8.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwordless-extender\u002Ftags\u002F1.0.8\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwordless-extender%2Ftags%2F1.0.7&new_path=%2Fwordless-extender%2Ftags%2F1.0.8",[],{"version":449,"download_url":450,"svn_tag_url":451,"released_at":27,"has_diff":274,"diff_files_changed":452,"diff_lines":27,"trac_diff_url":453,"vulnerabilities":454,"is_current":274},"1.0.7","https:\u002F\u002Fdownloads.word
press.org\u002Fplugin\u002Fwordless-extender.1.0.7.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwordless-extender\u002Ftags\u002F1.0.7\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwordless-extender%2Ftags%2F1.0.6&new_path=%2Fwordless-extender%2Ftags%2F1.0.7",[],{"version":456,"download_url":457,"svn_tag_url":458,"released_at":27,"has_diff":274,"diff_files_changed":459,"diff_lines":27,"trac_diff_url":460,"vulnerabilities":461,"is_current":274},"1.0.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwordless-extender.1.0.6.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwordless-extender\u002Ftags\u002F1.0.6\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwordless-extender%2Ftags%2F1.0.5&new_path=%2Fwordless-extender%2Ftags%2F1.0.6",[],{"version":463,"download_url":464,"svn_tag_url":465,"released_at":27,"has_diff":274,"diff_files_changed":466,"diff_lines":27,"trac_diff_url":467,"vulnerabilities":468,"is_current":274},"1.0.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwordless-extender.1.0.5.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwordless-extender\u002Ftags\u002F1.0.5\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwordless-extender%2Ftags%2F1.0.4&new_path=%2Fwordless-extender%2Ftags%2F1.0.5",[],{"version":470,"download_url":471,"svn_tag_url":472,"released_at":27,"has_diff":274,"diff_files_changed":473,"diff_lines":27,"trac_diff_url":474,"vulnerabilities":475,"is_current":274},"1.0.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwordless-extender.1.0.4.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwordless-extender\u002Ftags\u002F1.0.4\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwordless-extender%2Ftags%2F1.0.3&new_path=%2Fwordless-extender%2Ftags%2F1.0.4",[],{"version":477,"download_url":478,"svn_tag_url":479,"released_at":27,"has_diff":27
4,"diff_files_changed":480,"diff_lines":27,"trac_diff_url":27,"vulnerabilities":481,"is_current":274},"1.0.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwordless-extender.1.0.3.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwordless-extender\u002Ftags\u002F1.0.3\u002F",[],[]]