[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fE3E34MYKLnEK5FefBOyaDEdjY05PYyxvTN1QDVktqck":3,"$fpzYxraQV12MX-HHu76JLfxbClJ9JhtjxpNBN2VC72aI":448,"$fSTeIR1VulSKI3UZcFyKIf5SyoDRRDhG_h9-aIicaH_Q":453},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":18,"download_link":25,"security_score":26,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29,"discovery_status":30,"vulnerabilities":31,"developer":49,"crawl_stats":37,"alternatives":57,"analysis":136,"fingerprints":425},"wp-notes-widget","WP Notes Widget","1.0.6","Steve Puddick","https:\u002F\u002Fprofiles.wordpress.org\u002Fstevepuddick\u002F","\u003Cp>\u003Cstrong>WP Notes Widget PRO is now available\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>WP Notes Widget PRO offers the following additional features:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Note Categories\u003C\u002Fli>\n\u003Cli>Shortcodes\u003C\u002Fli>\n\u003Cli>Insert notes in posts, pages, and other post types (not just widget areas)\u003C\u002Fli>\n\u003Cli>Order notes in ascending or descending order\u003C\u002Fli>\n\u003Cli>Ability to remove all Web Rockstar branding and callouts in WordPress admin\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fwebrockstar.net\u002Fdownloads\u002Fwp-notes-widget-pro?utm_source=wp-notes-widget-directory&utm_medium=plugin-description\" rel=\"nofollow ugc\">Get WP Notes Widget PRO\u003C\u002Fa>\u003C\u002Fp>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FxvLaBN7mT1A?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&start=1&wmode=transparent\" 
allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Ch3>\u003C\u002Fh3>\n\u003Cp>Posts and pages have their own characteristics and uses, but sometimes there is a need to display important, very short, time sensitive information which don’t really fit into a post or page. WP Notes Widget fills this gap. The visual design is similar to real sticky notes which adds to the effective communication of the message.\u003C\u002Fp>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FDCPUt5PqN7s?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Cp>\u003Cstrong>With WP Notes Widget you can\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>attach an image, audio, or video to a note\u003C\u002Fli>\n\u003Cli>attach a link to either an uploaded file, a link from your website, or a link to another website\u003C\u002Fli>\n\u003Cli>integrate with your twitter account to automatically tweet your notes \u003C\u002Fli>\n\u003Cli>select the font style, font size, font color, and background color of notes\u003C\u002Fli>\n\u003Cli>select which notes appear on a specific widget\u003C\u002Fli>\n\u003Cli>post date notes to appear at a certain date\u002Ftime \u003C\u002Fli>\n\u003Cli>set notes to expire at a certain date\u002Ftime (with additional, free plugin)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Enhancements\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>To further enhance the functionality of WP Notes Widget you can install 
these great plugins:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fpost-expirator\u002F\" rel=\"ugc\">Post Expirator\u003C\u002Fa> by Aaron Axelsen\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fpost-types-order\u002F\" rel=\"ugc\">Post Types Order\u003C\u002Fa> by Nsp Code\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>You can also take advantage of some built in WordPress functionality which you may not have explored yet:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>‘post dating’ notes so that they only appear once a certain date and time has been reached\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>WP Notes Widget has also been designed to work with \u003Ca href=\"http:\u002F\u002Fwpml.org\u002F\" rel=\"nofollow ugc\">WPML\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Newsletter\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Sign up for the Web Rockstar newsletter to receive occasional updates and news on new plugins and updates:\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Feepurl.com\u002FcdLoML\" rel=\"nofollow ugc\">Newsletter Sign Up\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Videos\u003C\u002Fh3>\n\u003Cp>Take a look at these tutorial videos to learn more about how WP Notes Widget works:\u003C\u002Fp>\n\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FDCPUt5PqN7s?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003Cbr \u002F>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" 
width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FIMzgCK4Swo8?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n","Display important, short, time sensitive text and media in a 'sticky note' style. Auto Tweet your notes.",800,37600,92,12,"2023-01-14T14:06:00.000Z","6.1.10","3.5","",[20,21,22,23,24],"news","notes","notification","sidebar","widget","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-notes-widget.1.0.6.zip",64,1,"2025-05-16 00:00:00","2026-04-16T10:56:18.058Z","no_bundle",[32],{"id":33,"url_slug":34,"title":35,"description":36,"plugin_slug":4,"theme_slug":37,"affected_versions":38,"patched_in_version":37,"severity":39,"cvss_score":40,"cvss_vector":41,"vuln_type":42,"published_date":28,"updated_date":43,"references":44,"days_to_patch":37,"patch_diff_files":46,"patch_trac_url":37,"research_status":37,"research_verified":47,"research_rounds_completed":48,"research_plan":37,"research_summary":37,"research_vulnerable_code":37,"research_fix_diff":37,"research_exploit_outline":37,"research_model_used":37,"research_started_at":37,"research_completed_at":37,"research_error":37,"poc_status":37,"poc_video_id":37,"poc_summary":37,"poc_steps":37,"poc_tested_at":37,"poc_wp_version":37,"poc_php_version":37,"poc_playwright_script":37,"poc_exploit_code":37,"poc_has_trace":47,"poc_model_used":37,"poc_verification_depth":37},"CVE-2025-48121","wp-notes-widget-authenticated-contributor-stored-cross-site-scripting","WP Notes Widget \u003C= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting","The WP Notes Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0.6 due to insufficient input sanitization and output 
escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",null,"\u003C=1.0.6","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2025-05-21 20:56:28",[45],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe0698d00-6098-4c5b-9487-2fb8d4e5176f?source=api-prod",[],false,0,{"slug":50,"display_name":7,"profile_url":8,"plugin_count":51,"total_installs":52,"avg_security_score":53,"avg_patch_time_days":54,"trust_score":55,"computed_at":56},"stevepuddick",6,1090,87,30,85,"2026-05-19T23:28:45.305Z",[58,79,92,106,126],{"slug":59,"name":60,"version":61,"author":62,"author_profile":63,"description":64,"short_description":65,"active_installs":66,"downloaded":67,"rating":68,"num_ratings":69,"last_updated":70,"tested_up_to":71,"requires_at_least":72,"requires_php":18,"tags":73,"homepage":77,"download_link":78,"security_score":55,"vuln_count":48,"unpatched_count":48,"last_vuln_date":37,"fetched_at":29},"post-feature-widget","Featured Post Widget","4.2.1","tepelstreel","https:\u002F\u002Fprofiles.wordpress.org\u002Ftepelstreel\u002F","\u003Cp>The Featured Post Widget is a fully customizable widget, that displays a single post. You can decide, whether or not the post thumbnail is displayed, whether the post title is above or beneath the thumbnail and a couple of more things. 
And of course, you can style the widget individually.\u003C\u002Fp>\n","With the Featured Post Widget you can put a certain post in the focus and style it differently.",300,66346,80,5,"2016-02-28T09:35:00.000Z","4.5.33","2.9",[74,75,76,23,24],"feature","newspaper","post","http:\u002F\u002Fwasistlos.waldemarstoffel.com\u002Fplugins-fur-wordpress\u002Ffeatured-post-widget","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpost-feature-widget.4.2.1.zip",{"slug":80,"name":81,"version":82,"author":62,"author_profile":63,"description":83,"short_description":84,"active_installs":85,"downloaded":86,"rating":87,"num_ratings":51,"last_updated":88,"tested_up_to":71,"requires_at_least":72,"requires_php":18,"tags":89,"homepage":90,"download_link":91,"security_score":55,"vuln_count":48,"unpatched_count":48,"last_vuln_date":37,"fetched_at":29},"advanced-featured-post-widget","Advanced Featured Post Widget","3.5.2","\u003Cp>The Advanced Featured Post Widget does, what the \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Fpost-feature-widget\" rel=\"ugc\">Featured Post Widget\u003C\u002Fa> is doing also; it’s a customizable multi-widget, that displays a single post in the widget area. You can decide, whether or not the post thumbnail is displayed, whether the post title is above or beneath the thumbnail and a couple of more things. And of course, you can style the widget individually.\u003C\u002Fp>\n\u003Cp>So far that is the same as my Featured Post Widget does also. Not every theme has the possibility to hide certain sidebars on different pages. That’s where the advanced of our plugin comes in. 
In the AFPW you can determine, where exactly the widget is showing and in the settings you can customize the links of your widget(s).\u003C\u002Fp>\n","With the Advanced Featured Post Widget you can put a certain post (or post type) in the focus and style it differently.",100,42640,86,"2016-04-09T08:55:00.000Z",[74,75,76,23,24],"http:\u002F\u002Fwasistlos.waldemarstoffel.com\u002Fplugins-fur-wordpress\u002Fadvanced-featured-post-widget","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-featured-post-widget.3.5.2.zip",{"slug":93,"name":94,"version":95,"author":62,"author_profile":63,"description":96,"short_description":97,"active_installs":85,"downloaded":98,"rating":99,"num_ratings":69,"last_updated":100,"tested_up_to":71,"requires_at_least":72,"requires_php":18,"tags":101,"homepage":104,"download_link":105,"security_score":55,"vuln_count":48,"unpatched_count":48,"last_vuln_date":37,"fetched_at":29},"category-feature","Featured Category Widget","2.5","\u003Cp>The Featured Category Widget is mainly designed because there were people for whom the Featured Post Widget was not enough. They wanted to put a category of their blog in the highlight.\u003Cbr \u002F>\nIf there is a post thumbnail, it will be displayed above the headline of the post. If there is no thumbnail, the first picture of the post is taken. You can set the size for the thumbnail or just take the standard from your options. Decide yourself, whether you want to show the excerpt, saved with your post or just the first three sentences or the first twenty words of the post. Style the widget individually, ready.\u003C\u002Fp>\n\u003Cp>The Featured Category was tested up to WP 4.5. 
It should work with versions down to 2.9 but was never tested on those.\u003C\u002Fp>\n","The Featured Category Widget is basically a Featured Post Widget for a category.",29693,84,"2016-02-26T10:18:00.000Z",[102,103,75,23,24],"category","column","http:\u002F\u002Fwasistlos.waldemarstoffel.com\u002Fplugins-fur-wordpress\u002Ffeatured-category-widget","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcategory-feature.2.5.zip",{"slug":107,"name":108,"version":109,"author":110,"author_profile":111,"description":112,"short_description":113,"active_installs":114,"downloaded":115,"rating":48,"num_ratings":48,"last_updated":116,"tested_up_to":117,"requires_at_least":72,"requires_php":18,"tags":118,"homepage":122,"download_link":123,"security_score":124,"vuln_count":27,"unpatched_count":27,"last_vuln_date":125,"fetched_at":29},"newsletter-subscription-widget-for-sendblaster","Newsletter subscription optin module","1.2.9","nonletter","https:\u002F\u002Fprofiles.wordpress.org\u002Fnonletter\u002F","\u003Cp>This plugin enables you to create simple forms for subscription to your newsletter. It includes a sidebar widget with customizable fields (up to 16) to gather from your users all the information you need for your email marketing campaigns. 
Users can also use the form to unsubscribe.\u003C\u002Fp>\n\u003Cp>From the options pages you can:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>choose whether you require a double opt-in (users must follow a link in an email message, in order to complete subscription)\u003C\u002Fli>\n\u003Cli>specify name and number of text fields in the form\u003C\u002Fli>\n\u003Cli>customize text messages and labels\u003C\u002Fli>\n\u003Cli>manage subscribed email addresses\u003C\u002Fli>\n\u003Cli>download PDF file with list of subscribers\u003C\u002Fli>\n\u003Cli>download CSV file with list of subscribers\u003C\u002Fli>\n\u003Cli>choose whether you want to download all subscribers or only new subscribers\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Related features\u003C\u002Fh4>\n\u003Cp>(Un)subscription requests can be directly processed by \u003Ca href=\"https:\u002F\u002Fwww.sendblaster.com\" title=\"bulk email software\" rel=\"nofollow ugc\">SendBlaster bulk email software\u003C\u002Fa> :\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.sendblaster.com\u002Ffree-bulk-emailer-download\u002F\" title=\"bulk email software download\" rel=\"nofollow ugc\">download SendBlaster here\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Plugin Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Subscribe new members\u003C\u002Fli>\n\u003Cli>Unsubscribe existing members\u003C\u002Fli>\n\u003Cli>Stores subscribed email addresses (as a useful backup against mail delivery failures)\u003C\u002Fli>\n\u003Cli>Purges old email addresses\u003C\u002Fli>\n\u003Cli>Customizable sidebar appearance\u003C\u002Fli>\n\u003Cli>Customizable texts and labels\u003C\u002Fli>\n\u003Cli>Adds to your form up to 5 custom fields\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Plugin Options\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>E-mail address for managing subscriptions\u003C\u002Fli>\n\u003Cli>Message to subscriber – subject\u003C\u002Fli>\n\u003Cli>Message to subscriber – 
content\u003C\u002Fli>\n\u003Cli>Double Opt-in\u003C\u002Fli>\n\u003Cli>Link Love (enable and disable)\u003C\u002Fli>\n\u003Cli>Front side messages\u003C\u002Fli>\n\u003Cli>Front side appearance and custom fields\u003C\u002Fli>\n\u003Cli>Temporary db of newly subscribed members\u003C\u002Fli>\n\u003Cli>Automatic temporary db cleanup\u003C\u002Fli>\n\u003C\u002Ful>\n","Plugin for managing subscriptions to a mailing list. It provides a simple form for subscription to your mailing list through single or double opt-in.",60,10486,"2021-09-13T16:53:00.000Z","5.8.13",[119,120,121,23,24],"bulk-email","email","newsletter","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fnewsletter-subscription-widget-for-sendblaster\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnewsletter-subscription-widget-for-sendblaster.zip",63,"2025-08-25 00:00:00",{"slug":127,"name":128,"version":17,"author":62,"author_profile":63,"description":129,"short_description":130,"active_installs":54,"downloaded":131,"rating":85,"num_ratings":27,"last_updated":132,"tested_up_to":71,"requires_at_least":72,"requires_php":18,"tags":133,"homepage":134,"download_link":135,"security_score":55,"vuln_count":48,"unpatched_count":48,"last_vuln_date":37,"fetched_at":29},"advanced-category-column","Advanced Category Column","\u003Cp>The Advanced Category Column is mainly designed to give your blog a bit more of a newspaper behavior. E.g. The plugin shows the latest posts from all categories with an offset of three posts on your homepage.\u003C\u002Fp>\n\u003Cp>If there is a post thumbnail, it will be displayed above the headline of the post. No further text will appear. If there is no thumbnail, only the headline and the excerpt of the post will be shown. When the plugin can detect neither the thumbnail nor the excerpt of a post, it will display just the first couple of sentences (or words) of a post.\u003C\u002Fp>\n\u003Cp>So far that is the same as my Category Column Plugin does also. 
Not every theme has the possibility to hide certain sidebars on different pages. That’s where the advanced of our plugin comes in. In the ACC you can determine, where exactly the widget is showing and in the settings you can customize the links of your widget(s).\u003C\u002Fp>\n","The Advanced Category Column is a very customizable multi-widget for your sidebar.",15960,"2016-02-26T08:58:00.000Z",[102,103,75,23,24],"http:\u002F\u002Fwasistlos.waldemarstoffel.com\u002Fplugins-fur-wordpress\u002Fadvanced-category-column-plugin","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-category-column.3.5.zip",{"attackSurface":137,"codeSignals":217,"taintFlows":414,"riskAssessment":415,"analyzedAt":424},{"hooks":138,"ajaxHandlers":213,"restRoutes":214,"shortcodes":215,"cronEvents":216,"entryPointCount":48,"unprotectedCount":48},[139,146,149,152,158,161,166,169,172,174,177,179,182,184,186,189,192,194,197,199,202,205,208,211],{"type":140,"name":141,"callback":142,"priority":143,"file":144,"line":145},"filter","redirect_post_location","add_notice_twitter_success",99,"admin\\class-wp-notes-admin.php",449,{"type":140,"name":141,"callback":147,"priority":143,"file":144,"line":148},"add_notice_twitter_error",452,{"type":140,"name":141,"callback":150,"priority":143,"file":144,"line":151},"add_notice_twitter_down",455,{"type":153,"name":154,"callback":155,"file":156,"line":157},"action","save_post","flush_widget_cache","includes\\class-wp-notes-widget.php",53,{"type":153,"name":159,"callback":155,"file":156,"line":160},"deleted_post",54,{"type":153,"name":162,"callback":163,"file":164,"line":165},"plugins_loaded","anonymous","includes\\class-wp-notes.php",151,{"type":153,"name":167,"callback":163,"file":164,"line":168},"widgets_init",166,{"type":153,"name":170,"callback":163,"file":164,"line":171},"admin_enqueue_scripts",182,{"type":153,"name":170,"callback":163,"file":164,"line":173},183,{"type":153,"name":175,"callback":163,"file":164,"line":176},"add_meta_boxes",18
4,{"type":153,"name":154,"callback":163,"file":164,"line":178},185,{"type":153,"name":180,"callback":163,"file":164,"line":181},"init",186,{"type":153,"name":180,"callback":163,"file":164,"line":183},187,{"type":153,"name":180,"callback":163,"file":164,"line":185},188,{"type":153,"name":187,"callback":163,"file":164,"line":188},"admin_notices",189,{"type":153,"name":190,"callback":163,"file":164,"line":191},"admin_init",190,{"type":153,"name":187,"callback":163,"file":164,"line":193},191,{"type":153,"name":195,"callback":163,"file":164,"line":196},"admin_menu",192,{"type":153,"name":190,"callback":163,"file":164,"line":198},193,{"type":140,"name":200,"callback":163,"file":164,"line":201},"post_updated_messages",194,{"type":140,"name":203,"callback":163,"file":164,"line":204},"media_buttons",196,{"type":140,"name":206,"callback":163,"file":164,"line":207},"admin_footer",198,{"type":153,"name":209,"callback":163,"file":164,"line":210},"wp_enqueue_scripts",213,{"type":153,"name":209,"callback":163,"file":164,"line":212},214,[],[],[],[],{"dangerousFunctions":218,"sqlUsage":224,"outputEscaping":226,"fileOperations":412,"externalRequests":386,"nonceChecks":27,"capabilityChecks":27,"bundledLibraries":413},[219],{"fn":220,"file":221,"line":222,"context":223},"unserialize","includes\\wp-notes-widget-data.php",201,"$post_adjustment_list = 
unserialize($instance['post_adjustment_list']);",{"prepared":48,"raw":48,"locations":225},[],{"escaped":160,"rawEcho":227,"locations":228},114,[229,232,234,236,238,241,243,244,246,248,249,251,253,255,257,259,262,264,266,268,270,272,274,275,277,278,279,281,283,285,286,288,290,291,293,294,295,297,299,300,302,303,304,306,307,309,311,313,315,317,318,320,322,323,325,327,328,330,332,333,335,336,337,338,339,340,341,343,344,345,347,349,350,351,353,354,355,357,359,361,363,364,365,367,368,370,372,373,375,376,377,379,380,382,384,387,388,389,390,391,392,395,396,398,399,400,402,404,405,406,407,409,410,411],{"file":230,"line":51,"context":231},"admin\\admin-post-twitter-view.php","raw output",{"file":230,"line":233,"context":231},7,{"file":230,"line":235,"context":231},24,{"file":230,"line":237,"context":231},37,{"file":239,"line":240,"context":231},"admin\\admin-post-view.php",8,{"file":239,"line":242,"context":231},47,{"file":239,"line":242,"context":231},{"file":239,"line":245,"context":231},59,{"file":239,"line":247,"context":231},70,{"file":239,"line":87,"context":231},{"file":239,"line":250,"context":231},97,{"file":239,"line":252,"context":231},118,{"file":239,"line":254,"context":231},140,{"file":239,"line":256,"context":231},147,{"file":239,"line":258,"context":231},148,{"file":260,"line":261,"context":231},"admin\\admin-settings-page-setup.php",26,{"file":260,"line":263,"context":231},83,{"file":260,"line":265,"context":231},107,{"file":260,"line":267,"context":231},131,{"file":260,"line":269,"context":231},155,{"file":260,"line":271,"context":231},520,{"file":260,"line":273,"context":231},521,{"file":260,"line":273,"context":231},{"file":260,"line":276,"context":231},522,{"file":260,"line":276,"context":231},{"file":260,"line":276,"context":231},{"file":260,"line":280,"context":231},665,{"file":282,"line":240,"context":231},"admin\\admin-widget-view.php",{"file":282,"line":284,"context":231},9,{"file":282,"line":284,"context":231},{"file":282,"line":287,"context":231},
13,{"file":282,"line":289,"context":231},15,{"file":282,"line":289,"context":231},{"file":282,"line":292,"context":231},28,{"file":282,"line":54,"context":231},{"file":282,"line":54,"context":231},{"file":282,"line":296,"context":231},43,{"file":282,"line":298,"context":231},45,{"file":282,"line":298,"context":231},{"file":282,"line":301,"context":231},57,{"file":282,"line":245,"context":231},{"file":282,"line":245,"context":231},{"file":282,"line":305,"context":231},96,{"file":282,"line":85,"context":231},{"file":282,"line":308,"context":231},104,{"file":282,"line":310,"context":231},108,{"file":282,"line":312,"context":231},112,{"file":282,"line":314,"context":231},135,{"file":282,"line":316,"context":231},162,{"file":282,"line":316,"context":231},{"file":282,"line":319,"context":231},163,{"file":282,"line":321,"context":231},168,{"file":282,"line":321,"context":231},{"file":282,"line":324,"context":231},169,{"file":282,"line":326,"context":231},174,{"file":282,"line":326,"context":231},{"file":282,"line":329,"context":231},175,{"file":282,"line":331,"context":231},180,{"file":282,"line":331,"context":231},{"file":282,"line":334,"context":231},181,{"file":282,"line":181,"context":231},{"file":282,"line":181,"context":231},{"file":282,"line":183,"context":231},{"file":282,"line":196,"context":231},{"file":282,"line":196,"context":231},{"file":282,"line":198,"context":231},{"file":282,"line":342,"context":231},197,{"file":282,"line":342,"context":231},{"file":282,"line":207,"context":231},{"file":282,"line":346,"context":231},234,{"file":282,"line":348,"context":231},235,{"file":282,"line":348,"context":231},{"file":282,"line":348,"context":231},{"file":282,"line":352,"context":231},236,{"file":282,"line":352,"context":231},{"file":282,"line":352,"context":231},{"file":144,"line":356,"context":231},238,{"file":144,"line":358,"context":231},284,{"file":360,"line":287,"context":231},"admin\\partials\\admin-post-shortcode-editor-modal.php",{"file":360,"line":362,"conte
xt":231},117,{"file":360,"line":165,"context":231},{"file":360,"line":165,"context":231},{"file":360,"line":366,"context":231},152,{"file":360,"line":366,"context":231},{"file":360,"line":369,"context":231},245,{"file":360,"line":371,"context":231},246,{"file":360,"line":371,"context":231},{"file":360,"line":374,"context":231},247,{"file":360,"line":374,"context":231},{"file":360,"line":374,"context":231},{"file":360,"line":378,"context":231},265,{"file":156,"line":319,"context":231},{"file":156,"line":381,"context":231},205,{"file":383,"line":240,"context":231},"public\\partials\\public-widget-empty-list-item-partial.php",{"file":385,"line":386,"context":231},"public\\partials\\public-widget-header-partial.php",3,{"file":385,"line":386,"context":231},{"file":385,"line":386,"context":231},{"file":385,"line":386,"context":231},{"file":385,"line":69,"context":231},{"file":385,"line":233,"context":231},{"file":393,"line":394,"context":231},"public\\partials\\public-widget-note-list-item-partial.php",2,{"file":393,"line":69,"context":231},{"file":393,"line":397,"context":231},14,{"file":393,"line":397,"context":231},{"file":393,"line":397,"context":231},{"file":393,"line":401,"context":231},23,{"file":393,"line":403,"context":231},33,{"file":393,"line":298,"context":231},{"file":393,"line":242,"context":231},{"file":393,"line":242,"context":231},{"file":393,"line":408,"context":231},49,{"file":393,"line":408,"context":231},{"file":393,"line":157,"context":231},{"file":393,"line":157,"context":231},4,[],[],{"summary":416,"deductions":417},"The wp-notes-widget plugin exhibits a mixed security posture.  While the static analysis indicates a seemingly small attack surface with no exposed AJAX handlers, REST API routes, shortcodes, or cron events without authentication or permission checks, several code signals raise concerns.  The presence of the `unserialize` function is a significant red flag, as it can lead to remote code execution if used with untrusted input.  
Furthermore, a substantial portion of output (68%) is not properly escaped, increasing the risk of cross-site scripting vulnerabilities, particularly when combined with potentially unserialized data.\n\nThe vulnerability history reveals a past medium severity Cross-Site Scripting (XSS) vulnerability that remains unpatched. This, coupled with the unescaped output and the `unserialize` function, suggests a pattern of insufficient input sanitization and output escaping. The lack of taint analysis results showing zero unsanitized paths might be misleading, given the other indicators of potential weakness.  While the plugin demonstrates strengths in using prepared statements for SQL queries and including nonce and capability checks, the identified risks, particularly the unpatched XSS vulnerability and the dangerous `unserialize` function, significantly elevate the overall security risk.",[418,420,422],{"reason":419,"points":289},"Unpatched Medium Severity CVE",{"reason":421,"points":289},"Use of Dangerous unserialize() function",{"reason":423,"points":240},"High percentage of unescaped 
output","2026-03-16T19:19:09.525Z",{"wat":426,"direct":439},{"assetPaths":427,"generatorPatterns":432,"scriptPaths":433,"versionParams":434},[428,429,430,431],"\u002Fwp-content\u002Fplugins\u002Fwp-notes-widget\u002Fadmin\u002Fcss\u002Fwp-notes-admin.css","\u002Fwp-content\u002Fplugins\u002Fwp-notes-widget\u002Fadmin\u002Fjs\u002Fwp-notes-admin.js","\u002Fwp-content\u002Fplugins\u002Fwp-notes-widget\u002Fpublic\u002Fcss\u002Fwp-notes-widget.css","\u002Fwp-content\u002Fplugins\u002Fwp-notes-widget\u002Fpublic\u002Fjs\u002Fwp-notes-widget.js",[],[429,431],[435,436,437,438],"wp-notes-widget\u002Fadmin\u002Fcss\u002Fwp-notes-admin.css?ver=","wp-notes-widget\u002Fadmin\u002Fjs\u002Fwp-notes-admin.js?ver=","wp-notes-widget\u002Fpublic\u002Fcss\u002Fwp-notes-widget.css?ver=","wp-notes-widget\u002Fpublic\u002Fjs\u002Fwp-notes-widget.js?ver=",{"cssClasses":440,"htmlComments":441,"htmlAttributes":442,"restEndpoints":444,"jsGlobals":445,"shortcodeOutput":447},[4],[],[443],"data-note-id",[],[446],"wpNotesWidget",[],{"error":449,"url":450,"statusCode":451,"statusMessage":452,"message":452},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fwp-notes-widget\u002Fbundle",404,"no bundle for this plugin 
yet",{"slug":4,"current_version":6,"total_versions":289,"versions":454},[455,461,469,477,485,493,501,509,517,525,533,541,549,557,565],{"version":6,"download_url":25,"svn_tag_url":456,"released_at":37,"has_diff":47,"diff_files_changed":457,"diff_lines":37,"trac_diff_url":458,"vulnerabilities":459,"is_current":449},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-notes-widget\u002Ftags\u002F1.0.6\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-notes-widget%2Ftags%2F1.0.5&new_path=%2Fwp-notes-widget%2Ftags%2F1.0.6",[460],{"id":33,"url_slug":34,"title":35,"severity":39,"cvss_score":40,"vuln_type":42,"patched_in_version":37},{"version":462,"download_url":463,"svn_tag_url":464,"released_at":37,"has_diff":47,"diff_files_changed":465,"diff_lines":37,"trac_diff_url":466,"vulnerabilities":467,"is_current":47},"1.0.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-notes-widget.1.0.5.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-notes-widget\u002Ftags\u002F1.0.5\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-notes-widget%2Ftags%2F1.0.4&new_path=%2Fwp-notes-widget%2Ftags%2F1.0.5",[468],{"id":33,"url_slug":34,"title":35,"severity":39,"cvss_score":40,"vuln_type":42,"patched_in_version":37},{"version":470,"download_url":471,"svn_tag_url":472,"released_at":37,"has_diff":47,"diff_files_changed":473,"diff_lines":37,"trac_diff_url":474,"vulnerabilities":475,"is_current":47},"1.0.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-notes-widget.1.0.4.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-notes-widget\u002Ftags\u002F1.0.4\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-notes-widget%2Ftags%2F1.0.3&new_path=%2Fwp-notes-widget%2Ftags%2F1.0.4",[476],{"id":33,"url_slug":34,"title":35,"severity":39,"cvss_score":40,"vuln_type":42,"patched_in_version":37},{"version":478,"download_url":479,"svn_tag_url":480,"released_at
":37,"has_diff":47,"diff_files_changed":481,"diff_lines":37,"trac_diff_url":482,"vulnerabilities":483,"is_current":47},"1.0.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-notes-widget.1.0.3.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-notes-widget\u002Ftags\u002F1.0.3\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-notes-widget%2Ftags%2F1.0.2&new_path=%2Fwp-notes-widget%2Ftags%2F1.0.3",[484],{"id":33,"url_slug":34,"title":35,"severity":39,"cvss_score":40,"vuln_type":42,"patched_in_version":37},{"version":486,"download_url":487,"svn_tag_url":488,"released_at":37,"has_diff":47,"diff_files_changed":489,"diff_lines":37,"trac_diff_url":490,"vulnerabilities":491,"is_current":47},"1.0.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-notes-widget.1.0.2.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-notes-widget\u002Ftags\u002F1.0.2\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-notes-widget%2Ftags%2F1.0.1&new_path=%2Fwp-notes-widget%2Ftags%2F1.0.2",[492],{"id":33,"url_slug":34,"title":35,"severity":39,"cvss_score":40,"vuln_type":42,"patched_in_version":37},{"version":494,"download_url":495,"svn_tag_url":496,"released_at":37,"has_diff":47,"diff_files_changed":497,"diff_lines":37,"trac_diff_url":498,"vulnerabilities":499,"is_current":47},"1.0.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-notes-widget.1.0.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-notes-widget\u002Ftags\u002F1.0.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-notes-widget%2Ftags%2F1.0.0&new_path=%2Fwp-notes-widget%2Ftags%2F1.0.1",[500],{"id":33,"url_slug":34,"title":35,"severity":39,"cvss_score":40,"vuln_type":42,"patched_in_version":37},{"version":502,"download_url":503,"svn_tag_url":504,"released_at":37,"has_diff":47,"diff_files_changed":505,"diff_lines":37,"trac_diff_url":506,"vulnerabilities":507
,"is_current":47},"1.0.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-notes-widget.1.0.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-notes-widget\u002Ftags\u002F1.0.0\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-notes-widget%2Ftags%2F0.5.2.1&new_path=%2Fwp-notes-widget%2Ftags%2F1.0.0",[508],{"id":33,"url_slug":34,"title":35,"severity":39,"cvss_score":40,"vuln_type":42,"patched_in_version":37},{"version":510,"download_url":511,"svn_tag_url":512,"released_at":37,"has_diff":47,"diff_files_changed":513,"diff_lines":37,"trac_diff_url":514,"vulnerabilities":515,"is_current":47},"0.5.2.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-notes-widget.0.5.2.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-notes-widget\u002Ftags\u002F0.5.2.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-notes-widget%2Ftags%2F0.5.2&new_path=%2Fwp-notes-widget%2Ftags%2F0.5.2.1",[516],{"id":33,"url_slug":34,"title":35,"severity":39,"cvss_score":40,"vuln_type":42,"patched_in_version":37},{"version":518,"download_url":519,"svn_tag_url":520,"released_at":37,"has_diff":47,"diff_files_changed":521,"diff_lines":37,"trac_diff_url":522,"vulnerabilities":523,"is_current":47},"0.5.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-notes-widget.0.5.2.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-notes-widget\u002Ftags\u002F0.5.2\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-notes-widget%2Ftags%2F0.5.1&new_path=%2Fwp-notes-widget%2Ftags%2F0.5.2",[524],{"id":33,"url_slug":34,"title":35,"severity":39,"cvss_score":40,"vuln_type":42,"patched_in_version":37},{"version":526,"download_url":527,"svn_tag_url":528,"released_at":37,"has_diff":47,"diff_files_changed":529,"diff_lines":37,"trac_diff_url":530,"vulnerabilities":531,"is_current":47},"0.5.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-no
tes-widget.0.5.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-notes-widget\u002Ftags\u002F0.5.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-notes-widget%2Ftags%2F0.5.0&new_path=%2Fwp-notes-widget%2Ftags%2F0.5.1",[532],{"id":33,"url_slug":34,"title":35,"severity":39,"cvss_score":40,"vuln_type":42,"patched_in_version":37},{"version":534,"download_url":535,"svn_tag_url":536,"released_at":37,"has_diff":47,"diff_files_changed":537,"diff_lines":37,"trac_diff_url":538,"vulnerabilities":539,"is_current":47},"0.5.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-notes-widget.0.5.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-notes-widget\u002Ftags\u002F0.5.0\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-notes-widget%2Ftags%2F0.3.1&new_path=%2Fwp-notes-widget%2Ftags%2F0.5.0",[540],{"id":33,"url_slug":34,"title":35,"severity":39,"cvss_score":40,"vuln_type":42,"patched_in_version":37},{"version":542,"download_url":543,"svn_tag_url":544,"released_at":37,"has_diff":47,"diff_files_changed":545,"diff_lines":37,"trac_diff_url":546,"vulnerabilities":547,"is_current":47},"0.3.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-notes-widget.0.3.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-notes-widget\u002Ftags\u002F0.3.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-notes-widget%2Ftags%2F0.3.0&new_path=%2Fwp-notes-widget%2Ftags%2F0.3.1",[548],{"id":33,"url_slug":34,"title":35,"severity":39,"cvss_score":40,"vuln_type":42,"patched_in_version":37},{"version":550,"download_url":551,"svn_tag_url":552,"released_at":37,"has_diff":47,"diff_files_changed":553,"diff_lines":37,"trac_diff_url":554,"vulnerabilities":555,"is_current":47},"0.3.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-notes-widget.0.3.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-notes-widget\u002Ftags\u00
2F0.3.0\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-notes-widget%2Ftags%2F0.2.1&new_path=%2Fwp-notes-widget%2Ftags%2F0.3.0",[556],{"id":33,"url_slug":34,"title":35,"severity":39,"cvss_score":40,"vuln_type":42,"patched_in_version":37},{"version":558,"download_url":559,"svn_tag_url":560,"released_at":37,"has_diff":47,"diff_files_changed":561,"diff_lines":37,"trac_diff_url":562,"vulnerabilities":563,"is_current":47},"0.2.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-notes-widget.0.2.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-notes-widget\u002Ftags\u002F0.2.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-notes-widget%2Ftags%2F0.2.0&new_path=%2Fwp-notes-widget%2Ftags%2F0.2.1",[564],{"id":33,"url_slug":34,"title":35,"severity":39,"cvss_score":40,"vuln_type":42,"patched_in_version":37},{"version":566,"download_url":567,"svn_tag_url":568,"released_at":37,"has_diff":47,"diff_files_changed":569,"diff_lines":37,"trac_diff_url":37,"vulnerabilities":570,"is_current":47},"0.2.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-notes-widget.0.2.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-notes-widget\u002Ftags\u002F0.2.0\u002F",[],[571],{"id":33,"url_slug":34,"title":35,"severity":39,"cvss_score":40,"vuln_type":42,"patched_in_version":37}]