[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fPENFkyGAI55u7BxGDsmKY0qLCfIeFqGgxdRxlk39QEM":3,"$fBUsXO3lkvKNhZJjLufhtPJ0pZSJ4CyrPww3xKd-bzPc":125,"$fGZpwtl1uxRMMFUmKilWzbqB_GLZUJCWusbhtHsoniWM":130},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":20,"download_link":21,"security_score":22,"vuln_count":13,"unpatched_count":13,"last_vuln_date":23,"fetched_at":24,"discovery_status":25,"vulnerabilities":26,"developer":27,"crawl_stats":23,"alternatives":34,"analysis":35,"fingerprints":108},"wp-mercurial","WP Mercurial","1.1","invisnet","https:\u002F\u002Fprofiles.wordpress.org\u002Finvisnet\u002F","\u003Cp>Not everyone has the luxury of seperate development, staging, and live servers. \u003Cem>WP Mercurial\u003C\u002Fem> helps work around the limitations of a single server by automating many of the repetitive Mercurial tasks required when updating WordPress.\u003C\u002Fp>\n\u003Cp>Each time a plugin, a theme, or the core is updated, \u003Cem>WP Mercurial\u003C\u002Fem> will automatically run:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>    hg -A commit -m '\u003Cdescription of update>' \u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>The description is based on what was updated.\u003C\u002Fp>\n\u003Cp>\u003Cem>WP Mercurial\u003C\u002Fem> never pushes automatically.\u003C\u002Fp>\n\u003Cp>There is also a dashboard widget that provides all the basic Hg commands.\u003C\u002Fp>\n","Basic Mercurial functionality from the dashboard. 
Automatically commit after updating core, plugins, or themes.",10,1543,0,"2012-11-18T19:53:00.000Z","3.4.2","3.4.0","",[19],"mercurial","https:\u002F\u002Fcharles.lecklider.org\u002Fwordpress\u002Fwp-mercurial","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-mercurial.1.1.zip",85,null,"2026-04-16T10:56:18.058Z","no_bundle",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":28,"total_installs":29,"avg_security_score":30,"avg_patch_time_days":31,"trust_score":32,"computed_at":33},8,75560,88,1793,71,"2026-05-20T04:12:22.240Z",[],{"attackSurface":36,"codeSignals":59,"taintFlows":101,"riskAssessment":102,"analyzedAt":107},{"hooks":37,"ajaxHandlers":55,"restRoutes":56,"shortcodes":57,"cronEvents":58,"entryPointCount":13,"unprotectedCount":13},[38,44,48,51],{"type":39,"name":40,"callback":41,"file":42,"line":43},"action","_core_updated_successfully","closure","wp-mercurial.php",31,{"type":39,"name":45,"callback":46,"file":42,"line":47},"wp_dashboard_setup","wp_mercurial_dashboard_widget",39,{"type":39,"name":49,"callback":46,"file":42,"line":50},"wp_network_dashboard_setup",40,{"type":52,"name":53,"callback":41,"priority":11,"file":42,"line":54},"filter","upgrader_post_install",42,[],[],[],[],{"dangerousFunctions":60,"sqlUsage":95,"outputEscaping":97,"fileOperations":13,"externalRequests":13,"nonceChecks":99,"capabilityChecks":99,"bundledLibraries":100},[61,65,68,71,74,77,80,83,86,89,92],{"fn":62,"file":42,"line":63,"context":64},"system",35,"system(\"hg commit -A -m 'Updated WordPress to $wp_version'\");",{"fn":62,"file":42,"line":66,"context":67},57,"system(\"hg commit -A -m '$action $what: {$child_result['destination_name']}'\");",{"fn":62,"file":42,"line":69,"context":70},102,"system('hg push');",{"fn":62,"file":42,"line":72,"context":73},106,"system('hg status');",{"fn":62,"file":42,"line":75,"context":76},110,"system('hg log');",{"fn":62,"file":42,"line":78,"context":79},113,"system('hg 
addremove');",{"fn":62,"file":42,"line":81,"context":82},119,"system(\"hg commit -v -m '$msg'\");",{"fn":62,"file":42,"line":84,"context":85},124,"system('hg pull');",{"fn":62,"file":42,"line":87,"context":88},128,"system('hg update');",{"fn":62,"file":42,"line":90,"context":91},132,"system('hg merge');",{"fn":62,"file":42,"line":93,"context":94},136,"system('hg verify');",{"prepared":13,"raw":13,"locations":96},[],{"escaped":13,"rawEcho":13,"locations":98},[],1,[],[],{"summary":103,"deductions":104},"Based on the provided static analysis, the wp-mercurial v1.1 plugin shows few recorded findings. No AJAX handlers, REST API routes, shortcodes, or cron events were identified, and no unprotected entry points were recorded. The analysis also recorded no SQL queries, no output statements, no file operations, and no external HTTP requests, so there is no raw SQL or unescaped output to report. One nonce check and one capability check were found, which indicates an awareness of common security controls. Taint analysis reported zero flows with unsanitized paths. The plugin has no recorded CVEs or vulnerability history.\n\nWhile the static analysis reveals no confirmed vulnerabilities, the presence of 11 calls to the 'dangerous function' 'system' warrants a closer look. Three of these calls (wp-mercurial.php lines 35, 57 and 119) interpolate variables ($wp_version, $action, $what, the destination name, and $msg) into the shell command string; the recorded snippets do not show where those values come from or whether they are escaped, for example with escapeshellarg(), so these call sites should be reviewed manually. The lack of identified entry points and the presence of nonce and capability checks reduce exposure, but the analysis does not show which calls those checks protect. The primary concern, therefore, is the *potential* for misuse of these functions rather than a demonstrated vulnerability in the current version. 
Overall, wp-mercurial v1.1 has few recorded findings, with the main area for caution being its use of system() calls, whose safety depends on the surrounding checks and on how the interpolated values are handled.",[105],{"reason":106,"points":28},"Presence of 'system' dangerous functions","2026-04-16T12:25:45.161Z",{"wat":109,"direct":116},{"assetPaths":110,"generatorPatterns":112,"scriptPaths":113,"versionParams":114},[111],"\u002Fwp-content\u002Fplugins\u002Fwp-mercurial\u002Fwp-mercurial.css",[],[],[115],"wp-mercurial\u002Fwp-mercurial.css?ver=",{"cssClasses":117,"htmlComments":118,"htmlAttributes":119,"restEndpoints":122,"jsGlobals":123,"shortcodeOutput":124},[4],[],[120,121],"id=\"wp-mercurial\"","name=\"wp-mercurial\"",[],[],[],{"error":126,"url":127,"statusCode":128,"statusMessage":129,"message":129},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fwp-mercurial\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":99,"versions":131},[132],{"version":6,"download_url":21,"svn_tag_url":133,"released_at":23,"has_diff":134,"diff_files_changed":135,"diff_lines":23,"trac_diff_url":23,"vulnerabilities":136,"is_current":126},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-mercurial\u002Ftags\u002F1.1\u002F",false,[],[]]