[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fs_vCW_oPEtOYM18LnFUeo6d9hKC3qPLABO4toDxT8ag":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":24,"download_link":25,"security_score":26,"vuln_count":27,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30,"vulnerabilities":31,"developer":57,"crawl_stats":37,"alternatives":61,"analysis":62,"fingerprints":249},"wp-category-dropdown","Category Dropdown by GCS Design","1.9","Chandrika Sista","https:\u002F\u002Fprofiles.wordpress.org\u002Fcguntur\u002F","\u003Cp>WP Category Dropdown plugin displays parent and child categories in a dropdown. You can select the parent category and display a dropdown for the child categories of the selected parent. If the selected parent category does not have a child category, you will be automatically directed to the category page.\u003C\u002Fp>\n\u003Cp>You can use the shortcode or the widget to display the dropdown categories.\u003C\u002Fp>\n\u003Cp>You can learn more at \u003Ca href=\"https:\u002F\u002Fwww.gcsdesign.com\u002Fwp_category_dropdown\" rel=\"nofollow ugc\">gcsdesign.com\u002Fwp_category_dropdown\u003C\u002Fa>\u003C\u002Fp>\n","Display a parent and child categories in a dropdown. 
Works with custom taxonomies and WooCommerce product categories.",1000,20852,100,3,"2024-10-09T23:50:00.000Z","6.6.5","5.0","7.0",[20,21,22,23],"ajax-wordpress-category","child-category-dropdown","parent-and-child-categories","wordpress-category-dropdown","http:\u002F\u002Fwww.gcsdesign.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-category-dropdown.zip",69,2,1,"2025-09-22 00:00:00","2026-03-15T15:16:48.613Z",[32,46],{"id":33,"url_slug":34,"title":35,"description":36,"plugin_slug":4,"theme_slug":37,"affected_versions":38,"patched_in_version":37,"severity":39,"cvss_score":40,"cvss_vector":41,"vuln_type":42,"published_date":29,"updated_date":43,"references":44,"days_to_patch":37},"CVE-2025-58239","wp-category-dropdown-authenticated-contributor-stored-cross-site-scripting","WP Category Dropdown \u003C= 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting","The WP Category Dropdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.9 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",null,"\u003C=1.9","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2025-09-26 17:37:04",[45],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe3ed233d-7a14-4005-8a6d-df9a154268d5?source=api-prod",{"id":47,"url_slug":48,"title":49,"description":50,"plugin_slug":4,"theme_slug":37,"affected_versions":51,"patched_in_version":6,"severity":39,"cvss_score":40,"cvss_vector":41,"vuln_type":42,"published_date":52,"updated_date":53,"references":54,"days_to_patch":56},"CVE-2024-8103","wp-category-dropdown-authenticated-contributor-stored-cross-site-scripting-via-align-parameter","WP Category Dropdown \u003C= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via align Parameter","The WP Category Dropdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' parameter in all versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","\u003C=1.8","2024-09-23 00:00:00","2024-10-18 13:47:55",[55],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7c959f9c-8ac4-4f59-9d93-8f96e650b02d?source=api-prod",26,{"slug":58,"display_name":7,"profile_url":8,"plugin_count":28,"total_installs":11,"avg_security_score":26,"avg_patch_time_days":56,"trust_score":59,"computed_at":60},"cguntur",72,"2026-04-04T15:33:00.677Z",[],{"attackSurface":63,"codeSignals":115,"taintFlows":194,"riskAssessment":230,"analyzedAt":248},{"hooks":64,"ajaxHandlers":84,"restRoutes":107,"shortcodes":108,"cronEvents":113,"entryPointCount":114,"unprotectedCount":74},[65,70,75,79],{"type":66,"name":67,"callback":68,"file":69,"line":14},"action","widgets_init","closure","category_widget.php",{"type":66,"name":71,"callback":72,"file":73,"line":74},"admin_enqueue_scripts","category_widget_scripts","functions.php",8,{"type":66,"name":76,"callback":77,"file":73,"line":78},"enqueue_block_editor_assets","wpcd_block_editor_css",63,{"type":66,"name":76,"callback":80,"priority":81,"file":82,"line":83},"wp_cat_dropdown_block_scripts",30,"wp-category-dropdown.php",53,[85,89,92,95,97,101,102,105],{"action":86,"nopriv":87,"callback":86,"hasNonce":87,"hasCapCheck":87,"file":69,"line":88},"wpcd_widget_exclude_categories",false,254,{"action":86,"nopriv":90,"callback":86,"hasNonce":87,"hasCapCheck":87,"file":69,"line":91},true,255,{"action":93,"nopriv":87,"callback":94,"hasNonce":87,"hasCapCheck":87,"file":73,"line":81},"wpcd_get_taxonomies_action","wpcd_get_taxonomies",{"action":93,"nopriv":90,"callback":94,"hasNonce":87,"hasCapCheck":87,"file":73,"line":96},31,{"action":98,"nopriv":87,"callback":99,"hasNonce":87,"hasCapCheck":87,"file":73,"line":100},"wpcd_get_taxonomy_terms_action","wpcd_get_taxonomy_terms",52,{"action":98,"no
priv":90,"callback":99,"hasNonce":87,"hasCapCheck":87,"file":73,"line":83},{"action":103,"nopriv":87,"callback":103,"hasNonce":87,"hasCapCheck":87,"file":82,"line":104},"wpcd_show_child_cat_dropdown",267,{"action":103,"nopriv":90,"callback":103,"hasNonce":87,"hasCapCheck":87,"file":82,"line":106},268,[],[109],{"tag":110,"callback":111,"file":82,"line":112},"wpcd_child_categories_dropdown","wpcd_child_category_dropdown",141,[],9,{"dangerousFunctions":116,"sqlUsage":117,"outputEscaping":120,"fileOperations":118,"externalRequests":118,"nonceChecks":118,"capabilityChecks":118,"bundledLibraries":193},[],{"prepared":118,"raw":118,"locations":119},0,[],{"escaped":121,"rawEcho":122,"locations":123},15,40,[124,127,129,131,133,135,137,138,139,141,143,144,145,147,149,150,151,153,155,156,158,160,161,163,165,166,168,170,171,173,175,176,178,179,181,183,185,187,189,191],{"file":69,"line":125,"context":126},19,"raw output",{"file":69,"line":128,"context":126},21,{"file":69,"line":130,"context":126},54,{"file":69,"line":132,"context":126},56,{"file":69,"line":134,"context":126},78,{"file":69,"line":136,"context":126},79,{"file":69,"line":136,"context":126},{"file":69,"line":136,"context":126},{"file":69,"line":140,"context":126},83,{"file":69,"line":142,"context":126},84,{"file":69,"line":142,"context":126},{"file":69,"line":142,"context":126},{"file":69,"line":146,"context":126},88,{"file":69,"line":148,"context":126},89,{"file":69,"line":148,"context":126},{"file":69,"line":148,"context":126},{"file":69,"line":152,"context":126},93,{"file":69,"line":154,"context":126},94,{"file":69,"line":154,"context":126},{"file":69,"line":157,"context":126},103,{"file":69,"line":159,"context":126},104,{"file":69,"line":159,"context":126},{"file":69,"line":162,"context":126},111,{"file":69,"line":164,"context":126},112,{"file":69,"line":164,"context":126},{"file":69,"line":167,"context":126},119,{"file":69,"line":169,"context":126},120,{"file":69,"line":169,"context":126},{"file":69,"line":172,"
context":126},126,{"file":69,"line":174,"context":126},127,{"file":69,"line":174,"context":126},{"file":69,"line":177,"context":126},139,{"file":69,"line":177,"context":126},{"file":69,"line":180,"context":126},168,{"file":69,"line":182,"context":126},179,{"file":73,"line":184,"context":126},25,{"file":73,"line":186,"context":126},48,{"file":82,"line":188,"context":126},212,{"file":82,"line":190,"context":126},213,{"file":82,"line":192,"context":126},257,[],[195,218],{"entryPoint":196,"graph":197,"unsanitizedCount":27,"severity":39},"wpcd_show_child_cat_dropdown (wp-category-dropdown.php:143)",{"nodes":198,"edges":215},[199,204,209,213],{"id":200,"type":201,"label":202,"file":82,"line":203},"n0","source","$_GET (x2)",155,{"id":205,"type":206,"label":207,"file":82,"line":188,"wp_function":208},"n1","sink","echo() [XSS]","echo",{"id":210,"type":201,"label":211,"file":82,"line":212},"n2","$_GET",146,{"id":214,"type":206,"label":207,"file":82,"line":190,"wp_function":208},"n3",[216,217],{"from":200,"to":205,"sanitized":87},{"from":210,"to":214,"sanitized":90},{"entryPoint":219,"graph":220,"unsanitizedCount":27,"severity":229},"\u003Cwp-category-dropdown> (wp-category-dropdown.php:0)",{"nodes":221,"edges":226},[222,223,224,225],{"id":200,"type":201,"label":202,"file":82,"line":203},{"id":205,"type":206,"label":207,"file":82,"line":188,"wp_function":208},{"id":210,"type":201,"label":211,"file":82,"line":212},{"id":214,"type":206,"label":207,"file":82,"line":190,"wp_function":208},[227,228],{"from":200,"to":205,"sanitized":87},{"from":210,"to":214,"sanitized":90},"low",{"summary":231,"deductions":232},"The \"wp-category-dropdown\" v1.9 plugin presents a concerning security posture, largely due to a significant number of unprotected entry points. The static analysis reveals 8 out of 9 total entry points, specifically AJAX handlers, lack authentication checks. This creates a wide attack surface that could be exploited by unauthenticated users.  
The static analysis found no direct SQL usage at all (zero prepared and zero raw queries), no file operations and no external HTTP requests, so those risk classes simply do not apply here rather than being a strength; the real weakness is output handling, with only 15 of 55 output sites escaped (27%) and 40 raw echoes. Taint analysis additionally traces request input ($_GET) into an echo() sink with no sanitization on the path inside the wpcd_show_child_cat_dropdown AJAX handler, which appears to be registered for both logged-in (wp_ajax_) and unauthenticated (wp_ajax_nopriv_) requests and carries neither a nonce nor a capability check. Taken together, this strongly suggests a high risk of Cross-Site Scripting (XSS) vulnerabilities.\n\nThe vulnerability history reinforces this. The plugin has two known CVEs, both medium-severity (CVSS 6.4) stored XSS issues exploitable by Contributor-level and higher users: CVE-2024-8103 (align parameter, affecting 1.8 and earlier) was fixed in 1.9 after 26 days, but CVE-2025-58239 affects all versions up to and including the current 1.9 and has no fixed release as of this analysis. The recurrence of the same weakness class (insufficient input sanitization and output escaping) matches the static-analysis findings, and the most recent disclosure (2025-09-22) is still current. In conclusion, the unprotected AJAX endpoints, poor output escaping and an unpatched XSS CVE make this a high-risk plugin. Because no patched version exists yet, site owners cannot remediate simply by updating; until a fix ships, the practical options are to remove or deactivate the plugin, or to limit which accounts hold Contributor-level or higher access and watch for a release that addresses CVE-2025-58239.",[233,236,238,240,243,246],{"reason":234,"points":235},"8 unprotected AJAX handlers",20,{"reason":237,"points":235},"27% output escaping is proper",{"reason":239,"points":121},"Unpatched CVE (medium severity)",{"reason":241,"points":242},"2 flows with unsanitized paths",10,{"reason":244,"points":245},"0 nonce checks",5,{"reason":247,"points":245},"0 capability checks","2026-03-16T18:58:49.177Z",{"wat":250,"direct":263},{"assetPaths":251,"generatorPatterns":255,"scriptPaths":256,"versionParams":259},[252,253,254],"\u002Fwp-content\u002Fplugins\u002Fwp-category-dropdown\u002Fbuild\u002Findex.asset.php","\u002Fwp-content\u002Fplugins\u002Fwp-category-dropdown\u002Fbuild\u002Findex.js","\u002Fwp-content\u002Fplugins\u002Fwp-category-dropdown\u002Fjs\u002Fscripts.js",[],[257,258],"wp-content\u002Fplugins\u002Fwp-category-dropdown\u002Fbuild\u002Findex.js","wp-content\u002Fplugins\u002Fwp-category-dropdown\u002Fjs\u002Fscripts.js",[260,261,262],"wp-category-dropdown\u002Fbuild\u002Findex.asset.php?ver=","wp-category-dropdown\u002Fbuild\u002Findex.js?ver=","wp-category-dropdown\u002Fjs\u002Fscripts.js",{"cssClasses":264,"htmlComments":268,"htmlAttributes":269,"restEndpoints":280,"jsGlobals":281,"shortcodeOutput":283},[265,266,267],"wpcd_dropdown_categories","wpcd_child_cat_loader","wpcd_child_cat_dropdown",[],[270,271,272,273,274,275,276,277,278,279],"id=\"wpcd_parent\"","id=\"child_cat_default_text\"","id=\"taxonomy\"","id=\"random_id\"","id=\"hide_empty\"","id=\"show_count\"","id=\"exclude\"","id=\"include\"","id=\"wpcd_child_cat_loader\"","id=\"child_cat_dropdown\"",[],[282],"wpcdajax",[284],"[wpcd_child_categories_dropdown]"]