[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fDA5nOBgw-WGoSzs1egbMz-90gYQgw_pnfRAmMkFCRYA":3,"$fFnQdCwFu4VYqj2dMnUwnpoKGnGeOfv_N3nRoKkAhLNg":253,"$f05hC75hMAEjcyBt85PQ2C7OGsAO0adqikZu9YGVCqBE":258},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":15,"requires_php":15,"tags":16,"homepage":17,"download_link":18,"security_score":19,"vuln_count":13,"unpatched_count":13,"last_vuln_date":20,"fetched_at":21,"discovery_status":22,"vulnerabilities":23,"developer":24,"crawl_stats":20,"alternatives":30,"analysis":31,"fingerprints":222},"wp-imagereplacement","Image Replacement","1.1","dalziel","https:\u002F\u002Fprofiles.wordpress.org\u002Fdalziel\u002F","\u003Cp>Use javascript to replace html tags with images to create image headlines.\u003C\u002Fp>\n","Use javascript to replace html tags with images to create image headlines.",10,4010,0,"2006-03-23T13:09:00.000Z","",[],"http:\u002F\u002Fblog.slaven.net.au\u002Fwordpress-plugins\u002Fimage-replacement-wordpress-plugin\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-imagereplacement.zip",85,null,"2026-04-06T09:54:40.288Z","no_bundle",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":25,"total_installs":26,"avg_security_score":19,"avg_patch_time_days":27,"trust_score":28,"computed_at":29},6,80,30,84,"2026-05-20T08:58:50.069Z",[],{"attackSurface":32,"codeSignals":52,"taintFlows":173,"riskAssessment":213,"analyzedAt":221},{"hooks":33,"ajaxHandlers":48,"restRoutes":49,"shortcodes":50,"cronEvents":51,"entryPointCount":13,"unprotectedCount":13},[34,40,44],{"type":35,"name":36,"callback":37,"file":38,"line":39},"action","admin_menu","add_options_page","wp-imagereplacement.php",27,{"type":35,"name":41,"callback":42,"file":38,"line":43},"wp_head","add_head_javascript",28,{"type":35,"name":45,"callback":46,"file":38,"line":47},"wp_footer","add_trigger",29,[],[],[],[],{"dangerousFunctions":53,"sqlUsage":54,"outputEscaping":56,"fileOperations":171,"externalRequests":13,"nonceChecks":13,"capabilityChecks":13,"bundledLibraries":172},[],{"prepared":13,"raw":13,"locations":55},[],{"escaped":13,"rawEcho":57,"locations":58},65,[59,62,64,66,67,69,71,73,75,77,79,81,83,85,87,89,91,93,95,97,99,101,103,105,107,109,111,112,114,115,117,118,120,121,123,125,127,128,130,132,134,135,137,138,140,141,142,144,145,146,148,149,150,152,153,154,156,157,158,160,161,163,165,167,169],{"file":38,"line":60,"context":61},42,"raw output",{"file":38,"line":63,"context":61},73,{"file":38,"line":65,"context":61},79,{"file":38,"line":28,"context":61},{"file":38,"line":68,"context":61},89,{"file":38,"line":70,"context":61},92,{"file":38,"line":72,"context":61},97,{"file":38,"line":74,"context":61},106,{"file":38,"line":76,"context":61},109,{"file":38,"line":78,"context":61},258,{"file":38,"line":80,"context":61},262,{"file":38,"line":82,"context":61},268,{"file":38,"line":84,"context":61},276,{"file":38,"line":86,"context":61},281,{"file":38,"line":88,"context":61},284,{"file":38,"line":90,"context":61},287,{"file":38,"line":92,"context":61},290,{"file":38,"line":94,"context":61},293,{"file":38,"line":96,"context":61},296,{"file":38,"line":98,"context":61},298,{"file":38,"line":100,"context":61},306,{"file":38,"line":102,"context":61},309,{"file":38,"line":104,"context":61},316,{"file":38,"line":106,"context":61},317,{"file":38,"line":108,"context":61},331,{"file":38,"line":110,"context":61},335,{"file":38,"line":110,"context":61},{"file":38,"line":113,"context":61},339,{"file":38,"line":113,"context":61},{"file":38,"line":116,"context":61},343,{"file":38,"line":116,"context":61},{"file":38,"line":119,"context":61},347,{"file":38,"line":119,"context":61},{"file":38,"line":122,"context":61},350,{"file":38,"line":124,"context":61},351,{"file":38,"line":126,"context":61},359,{"file":38,"line":126,"context":61},{"file":38,"line":129,"context":61},363,{"file":38,"line":131,"context":61},365,{"file":38,"line":133,"context":61},371,{"file":38,"line":133,"context":61},{"file":38,"line":136,"context":61},375,{"file":38,"line":136,"context":61},{"file":38,"line":139,"context":61},379,{"file":38,"line":139,"context":61},{"file":38,"line":139,"context":61},{"file":38,"line":143,"context":61},383,{"file":38,"line":143,"context":61},{"file":38,"line":143,"context":61},{"file":38,"line":147,"context":61},387,{"file":38,"line":147,"context":61},{"file":38,"line":147,"context":61},{"file":38,"line":151,"context":61},391,{"file":38,"line":151,"context":61},{"file":38,"line":151,"context":61},{"file":38,"line":155,"context":61},395,{"file":38,"line":155,"context":61},{"file":38,"line":155,"context":61},{"file":38,"line":159,"context":61},399,{"file":38,"line":159,"context":61},{"file":38,"line":162,"context":61},403,{"file":38,"line":164,"context":61},406,{"file":38,"line":166,"context":61},407,{"file":38,"line":168,"context":61},417,{"file":38,"line":170,"context":61},706,9,[],[174,201],{"entryPoint":175,"graph":176,"unsanitizedCount":25,"severity":200},"options_page (wp-imagereplacement.php:220)",{"nodes":177,"edges":196},[178,183,188,192],{"id":179,"type":180,"label":181,"file":38,"line":182},"n0","source","$_POST[?]",229,{"id":184,"type":185,"label":186,"file":38,"line":182,"wp_function":187},"n1","sink","update_option() [Settings Manipulation]","update_option",{"id":189,"type":180,"label":190,"file":38,"line":191},"n2","$_GET (x5)",240,{"id":193,"type":185,"label":194,"file":38,"line":126,"wp_function":195},"n3","echo() [XSS]","echo",[197,199],{"from":179,"to":184,"sanitized":198},false,{"from":189,"to":193,"sanitized":198},"medium",{"entryPoint":202,"graph":203,"unsanitizedCount":25,"severity":212},"\u003Cwp-imagereplacement> (wp-imagereplacement.php:0)",{"nodes":204,"edges":209},[205,206,207,208],{"id":179,"type":180,"label":181,"file":38,"line":182},{"id":184,"type":185,"label":186,"file":38,"line":182,"wp_function":187},{"id":189,"type":180,"label":190,"file":38,"line":191},{"id":193,"type":185,"label":194,"file":38,"line":126,"wp_function":195},[210,211],{"from":179,"to":184,"sanitized":198},{"from":189,"to":193,"sanitized":198},"low",{"summary":214,"deductions":215},"The \"wp-imagereplacement\" v1.1 plugin exhibits a mixed security posture. On one hand, the plugin demonstrates excellent practices by avoiding known dangerous functions, utilizing prepared statements for all SQL queries, and having no recorded vulnerability history. The absence of AJAX handlers, REST API routes, shortcodes, and cron events significantly limits the attack surface. However, a major concern arises from the static analysis revealing that 100% of output has no proper escaping. This could lead to Cross-Site Scripting (XSS) vulnerabilities if user-controlled data is ever displayed without sanitization. Furthermore, the taint analysis identified two flows with unsanitized paths, indicating potential risks of directory traversal or similar path manipulation issues, even though they are not classified as critical or high severity.  While the plugin has no recorded CVEs and no critical issues from the taint analysis, the lack of output escaping is a significant weakness that needs immediate attention.",[216,219],{"reason":217,"points":218},"0% of output is properly escaped",8,{"reason":220,"points":25},"2 flows with unsanitized paths","2026-03-16T23:46:25.777Z",{"wat":223,"direct":230},{"assetPaths":224,"generatorPatterns":225,"scriptPaths":226,"versionParams":228},[],[],[227],"\u002Fwp-content\u002Fplugins\u002Fwp-imagereplacement\u002Fwp-imagereplacement.php",[229],"wp-imagereplacement\u002Fwp-imagereplacement.php?ver=",{"cssClasses":231,"htmlComments":232,"htmlAttributes":234,"restEndpoints":245,"jsGlobals":246,"shortcodeOutput":252},[],[233],"\u003C!-- Props to Dustin Diaz: http:\u002F\u002Fwww.dustindiaz.com\u002Fgetelementsbyclass\u002F -->",[235,236,237,238,239,240,241,242,243,244],"data-wp-imagereplacement-text","data-wp-imagereplacement-class","data-wp-imagereplacement-background","data-wp-imagereplacement-colour","data-wp-imagereplacement-ypad","data-wp-imagereplacement-size","data-wp-imagereplacement-padding","data-wp-imagereplacement-shadow","data-wp-imagereplacement-font","data-wp-imagereplacement-type",[],[247,248,249,250,251],"wp_imagereplacement_init","wp_imagereplacement_traverse","wp_imagereplacement_swap","wp_imagereplacement_replace","getElementsByClass",[],{"error":254,"url":255,"statusCode":256,"statusMessage":257,"message":257},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fwp-imagereplacement\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":259,"versions":260},3,[261,267,274],{"version":6,"download_url":262,"svn_tag_url":263,"released_at":20,"has_diff":198,"diff_files_changed":264,"diff_lines":20,"trac_diff_url":265,"vulnerabilities":266,"is_current":254},"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-imagereplacement.1.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-imagereplacement\u002Ftags\u002F1.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-imagereplacement%2Ftags%2F1.0&new_path=%2Fwp-imagereplacement%2Ftags%2F1.1",[],{"version":268,"download_url":269,"svn_tag_url":270,"released_at":20,"has_diff":198,"diff_files_changed":271,"diff_lines":20,"trac_diff_url":272,"vulnerabilities":273,"is_current":198},"1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-imagereplacement.1.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-imagereplacement\u002Ftags\u002F1.0\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-imagereplacement%2Ftags%2Fbeta&new_path=%2Fwp-imagereplacement%2Ftags%2F1.0",[],{"version":275,"download_url":276,"svn_tag_url":277,"released_at":20,"has_diff":198,"diff_files_changed":278,"diff_lines":20,"trac_diff_url":20,"vulnerabilities":279,"is_current":198},"beta","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-imagereplacement.beta.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-imagereplacement\u002Ftags\u002Fbeta\u002F",[],[]]