[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fU93i5l_pkq0i5utg9DNEADtCGyI2N7EGBhvPgMdEtwE":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":23,"download_link":24,"security_score":25,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28,"vulnerabilities":29,"developer":44,"crawl_stats":35,"alternatives":51,"analysis":70,"fingerprints":187},"wp-business-hours","Plugin Name: WP Business Hours","1.4","Mejar","https:\u002F\u002Fprofiles.wordpress.org\u002Fmejar\u002F","\u003Cp>This Plugin is to show Business hours, Admin can manage the business hours Weekly, can show using widget and shortcode.\u003C\u002Fp>\n\u003Ch4>Requirements\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>WordPress 3.+ or 3.9 with WordPress plugin\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>How To Use\u003C\u002Fh3>\n\u003Cp>Use shortcode : [WPBUSINESSHOURS]\u003C\u002Fp>\n\u003Cp>Function : \u003C\u002Fp>\n\u003Cp>Widget : Business Hours\u003C\u002Fp>\n","This Plugin is to show Business hours, Admin can manage the business hours Weekly, can show using widget and shortcode.",60,3724,2,"2014-05-16T04:53:00.000Z","3.7.41","3.5","",[19,20,21,4,22],"business-hours-widget","business-plugin","business-widget","wp-business-hours-plugin","http:\u002F\u002Fwww.powerfaq.com\u002Fbusiness-hours\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-business-hours.zip",63,1,"2025-10-07 00:00:00","2026-03-15T15:16:48.613Z",[30],{"id":31,"url_slug":32,"title":33,"description":34,"plugin_slug":4,"theme_slug":35,"affected_versions":36,"patched_in_version":35,"severity":37,"cvss_score":38,"cvss_vector":39,"vuln_type":40,"published_date":27,"updated_date":41,"references":42,"days_to_patch":35},"CVE-2025-62934","wp-business-hours-cross-site-request-forgery","WP Business 
Hours \u003C= 1.4 - Cross-Site Request Forgery","The WP Business Hours plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",null,"\u003C=1.4","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2025-10-29 14:56:04",[43],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7bf04825-8f98-4f4f-ab09-a2e4caa9c2ee?source=api-prod",{"slug":45,"display_name":7,"profile_url":8,"plugin_count":13,"total_installs":46,"avg_security_score":47,"avg_patch_time_days":48,"trust_score":49,"computed_at":50},"mejar",70,74,30,76,"2026-04-04T22:06:12.374Z",[52],{"slug":53,"name":54,"version":55,"author":56,"author_profile":57,"description":58,"short_description":59,"active_installs":46,"downloaded":60,"rating":61,"num_ratings":13,"last_updated":62,"tested_up_to":63,"requires_at_least":64,"requires_php":17,"tags":65,"homepage":17,"download_link":67,"security_score":68,"vuln_count":69,"unpatched_count":69,"last_vuln_date":35,"fetched_at":28},"better-business-hours","Better Business Hours","1.0.3.2","NSquared","https:\u002F\u002Fprofiles.wordpress.org\u002Fcroixhaug\u002F","\u003Cp>Easily set and display your business hours. A shortcode and widget are included so you can put it anywhere on your site.\u003C\u002Fp>\n","Easily set and display your business hours. 
A shortcode and widget are included so you can put it anywhere on your site.",3615,100,"2022-06-14T23:17:00.000Z","6.0.11","4.4",[66,19],"business-hours","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbetter-business-hours.zip",85,0,{"attackSurface":71,"codeSignals":91,"taintFlows":138,"riskAssessment":166,"analyzedAt":186},{"hooks":72,"ajaxHandlers":83,"restRoutes":84,"shortcodes":85,"cronEvents":90,"entryPointCount":26,"unprotectedCount":69},[73,79],{"type":74,"name":75,"callback":76,"priority":26,"file":77,"line":78},"action","admin_menu","pluginMenu","wp-business-hours.php",29,{"type":74,"name":80,"callback":81,"file":77,"line":82},"widgets_init","bhours_widget",115,[],[],[86],{"tag":87,"callback":88,"file":77,"line":89},"WPBUSINESSHOURS","show_business_hours",35,[],{"dangerousFunctions":92,"sqlUsage":99,"outputEscaping":101,"fileOperations":69,"externalRequests":69,"nonceChecks":69,"capabilityChecks":69,"bundledLibraries":137},[93,97],{"fn":94,"file":77,"line":95,"context":96},"unserialize",41,"$arr = unserialize(base64_decode(get_option('wp_business_hours')));",{"fn":94,"file":77,"line":49,"context":98},"$arr = unserialize(base64_decode($unsArr));",{"prepared":69,"raw":69,"locations":100},[],{"escaped":69,"rawEcho":102,"locations":103},18,[104,107,109,111,113,115,117,118,120,121,123,125,127,129,131,133,135,136],{"file":77,"line":105,"context":106},45,"raw 
output",{"file":77,"line":108,"context":106},51,{"file":77,"line":110,"context":106},52,{"file":77,"line":112,"context":106},53,{"file":77,"line":114,"context":106},90,{"file":77,"line":116,"context":106},91,{"file":77,"line":116,"context":106},{"file":77,"line":119,"context":106},92,{"file":77,"line":119,"context":106},{"file":77,"line":122,"context":106},102,{"file":77,"line":124,"context":106},132,{"file":77,"line":126,"context":106},134,{"file":77,"line":128,"context":106},135,{"file":77,"line":130,"context":106},139,{"file":77,"line":132,"context":106},151,{"file":77,"line":134,"context":106},152,{"file":77,"line":134,"context":106},{"file":77,"line":134,"context":106},[],[139,158],{"entryPoint":140,"graph":141,"unsanitizedCount":26,"severity":157},"wpbusinesHours (wp-business-hours.php:57)",{"nodes":142,"edges":154},[143,148],{"id":144,"type":145,"label":146,"file":77,"line":147},"n0","source","$_POST",65,{"id":149,"type":150,"label":151,"file":77,"line":152,"wp_function":153},"n1","sink","update_option() [Settings Manipulation]",67,"update_option",[155],{"from":144,"to":149,"sanitized":156},false,"low",{"entryPoint":159,"graph":160,"unsanitizedCount":26,"severity":157},"\u003Cwp-business-hours> (wp-business-hours.php:0)",{"nodes":161,"edges":164},[162,163],{"id":144,"type":145,"label":146,"file":77,"line":147},{"id":149,"type":150,"label":151,"file":77,"line":152,"wp_function":153},[165],{"from":144,"to":149,"sanitized":156},{"summary":167,"deductions":168},"The wp-business-hours plugin v1.4 presents a mixed security posture. The scan recorded no SQL queries at all (0 prepared, 0 raw), so the 100% prepared-statement figure reflects an absence of database code rather than demonstrated good querying practice; the plugin also makes no external HTTP requests and performs no file operations. Even so, several critical concerns emerge from the static analysis. The presence of the `unserialize` function is a significant risk: on untrusted input it allows PHP object injection, which can lead to Remote Code Execution when a usable gadget chain is present, especially without proper sanitization. One of the two calls reads the stored `wp_business_hours` option, so the exposure depends on who is able to write that option. 
Compounding this, the taint analysis reports two flows with unsanitized paths; both records describe the same path, from `$_POST` (line 65) to `update_option()` (line 67) in wp-business-hours.php, so they amount to one low-severity settings-manipulation flow reported under two entry points. Furthermore, the complete lack of output escaping (18 raw echo statements, none escaped) is alarming, exposing the plugin to Cross-Site Scripting (XSS) attacks wherever the echoed values are not fully trusted. The vulnerability history consists of one recorded entry, CVE-2025-62934, a medium-severity CSRF vulnerability that is currently unpatched; together with the findings above it suggests a pattern of security oversights and a need for more robust security development. While the small attack surface and absence of unprotected entry points are positive, the scan also counted zero nonce checks and zero capability checks, which is consistent with the missing nonce validation described in the CVE, so the code that saves settings should not be assumed to be protected. The identified risks, particularly `unserialize` usage and lack of output escaping, elevate the overall risk profile.",[169,172,175,178,181,184],{"reason":170,"points":171},"Unpatched CVE",15,{"reason":173,"points":174},"Dangerous function: unserialize",10,{"reason":176,"points":177},"Taint flows with unsanitized paths",12,{"reason":179,"points":180},"Output escaping: 0% properly escaped",8,{"reason":182,"points":183},"Nonce checks: 0",7,{"reason":185,"points":183},"Capability checks: 0","2026-03-16T21:48:49.531Z",{"wat":188,"direct":194},{"assetPaths":189,"generatorPatterns":191,"scriptPaths":192,"versionParams":193},[190],"\u002Fwp-content\u002Fplugins\u002Fwp-business-hours\u002Fwp-business-hours.php",[],[],[],{"cssClasses":195,"htmlComments":201,"htmlAttributes":205,"restEndpoints":207,"jsGlobals":208,"shortcodeOutput":209},[196,197,198,199,200],"bHours","grey","bh_day","bh_time","alert",[202,203,204],"------ Outer div------ ","------ Inner Table------ "," ------ day and time ------  ",[206],"data-widget-id",[],[],[210,211,212,213,214,215,216],"\u003Cdiv class=\"bHours\">","\u003Ctable cellspacing=\"0\" cellpadding=\"4\" width=\"100%\">","\u003Ctr","\u003Ctd width=\"44%\" class=\"bh_day\">","\u003Ctd width=\"28%\" class=\"bh_time\">","\u003Ctd class=\"bh_time\">","\u003C\u002Ftable>\u003C\u002Fdiv>"]