[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fgKrpqM-KpSwNGO-W_-vic8KiCqefQm7UjKkdv1yk3qA":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":23,"download_link":24,"security_score":25,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28,"vulnerabilities":29,"developer":56,"crawl_stats":35,"alternatives":62,"analysis":63,"fingerprints":315},"wp-post-corrector","WP Post Corrector","1.0.2","vipul Jariwala","https:\u002F\u002Fprofiles.wordpress.org\u002Fvipuljariwala-1\u002F","","\"WP Post Corrector\" is a plugin, helpful you to correct your post data. It contains mainly 3 modules. Bulk Upload (Insert Mass Post Data),  &hellip;",50,9050,74,3,"2018-05-15T14:05:00.000Z","4.9.29","4.8","5.6",[20,21,22],"blog-correct","post-correc","wp-post-correct","http:\u002F\u002Fwpwebs.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-post-corrector.zip",42,2,"2025-06-05 00:00:00","2026-03-15T15:16:48.613Z",[30,44],{"id":31,"url_slug":32,"title":33,"description":34,"plugin_slug":4,"theme_slug":35,"affected_versions":36,"patched_in_version":35,"severity":37,"cvss_score":38,"cvss_vector":39,"vuln_type":40,"published_date":27,"updated_date":41,"references":42,"days_to_patch":35},"CVE-2023-26003","wp-post-corrector-authenticated-administrator-sql-injection","WP Post Corrector \u003C= 1.0.2 - Authenticated (Administrator+) SQL Injection","The WP Post Corrector plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.0.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  
This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.",null,"\u003C=1.0.2","medium",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2025-06-12 13:34:51",[43],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5e16a3e2-79db-4647-9712-03ae666feac4?source=api-prod",{"id":45,"url_slug":46,"title":47,"description":48,"plugin_slug":4,"theme_slug":35,"affected_versions":36,"patched_in_version":35,"severity":37,"cvss_score":49,"cvss_vector":50,"vuln_type":51,"published_date":52,"updated_date":53,"references":54,"days_to_patch":35},"CVE-2025-22764","wp-post-corrector-reflected-cross-site-scripting","WP Post Corrector \u003C= 1.0.2 - Reflected Cross-Site Scripting","The WP Post Corrector plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2025-01-14 00:00:00","2025-01-22 20:44:36",[55],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4b2fa6c3-8a5d-47ad-9b6b-3ed0ba322a49?source=api-prod",{"slug":57,"display_name":7,"profile_url":8,"plugin_count":14,"total_installs":58,"avg_security_score":59,"avg_patch_time_days":60,"trust_score":13,"computed_at":61},"vipuljariwala-1",90,71,30,"2026-04-05T03:55:04.727Z",[],{"attackSurface":64,"codeSignals":88,"taintFlows":238,"riskAssessment":298,"analyzedAt":314},{"hooks":65,"ajaxHandlers":83,"restRoutes":84,"shortcodes":85,"cronEvents":86,"entryPointCount":87,"unprotectedCount":87},[66,72,76,80],{"type":67,"name":68,"callback":69,"file":70,"line":71},"action","init","ramwp_export_init","wp_export.php",22,{"type":67,"name":73,"callback":74,"file":70,"line":75},"admin_menu","ramwp_export_interface_menu_page",32,{"type":67,"name":77,"callback":78,"file":70,"line":79},"admin_init","ramwp_export_admin_init",43,{"type":67,"name":68,"callback":81,"file":70,"line":82},"ram_wp_export_post_info",144,[],[],[],[],0,{"dangerousFunctions":89,"sqlUsage":90,"outputEscaping":131,"fileOperations":91,"externalRequests":87,"nonceChecks":87,"capabilityChecks":87,"bundledLibraries":237},[],{"prepared":26,"raw":91,"locations":92},16,[93,97,100,103,106,108,111,113,115,117,119,121,123,125,127,129],{"file":94,"line":95,"context":96},"export\\admin_export.php",5,"$wpdb->get_results() with variable interpolation",{"file":94,"line":98,"context":99},11,"$wpdb->get_col() with variable 
interpolation",{"file":101,"line":102,"context":96},"update\\bulk_update.php",31,{"file":101,"line":104,"context":105},133,"$wpdb->get_var() with variable interpolation",{"file":101,"line":107,"context":105},163,{"file":109,"line":110,"context":96},"upload\\bulk_upload.php",33,{"file":109,"line":112,"context":105},134,{"file":109,"line":114,"context":105},164,{"file":70,"line":116,"context":96},53,{"file":70,"line":118,"context":99},59,{"file":70,"line":120,"context":96},185,{"file":70,"line":122,"context":105},286,{"file":70,"line":124,"context":105},316,{"file":70,"line":126,"context":96},458,{"file":70,"line":128,"context":105},560,{"file":70,"line":130,"context":105},590,{"escaped":87,"rawEcho":116,"locations":132},[133,136,139,142,144,146,148,149,151,152,154,156,157,159,161,163,165,167,169,171,173,175,177,179,181,182,184,186,187,189,191,193,195,197,199,201,203,205,207,209,211,213,215,217,219,221,223,225,227,229,231,233,235],{"file":94,"line":134,"context":135},84,"raw output",{"file":137,"line":138,"context":135},"export\\form.php",15,{"file":140,"line":141,"context":135},"messages.php",4,{"file":140,"line":143,"context":135},7,{"file":140,"line":145,"context":135},10,{"file":140,"line":147,"context":135},13,{"file":140,"line":91,"context":135},{"file":140,"line":150,"context":135},19,{"file":140,"line":71,"context":135},{"file":140,"line":153,"context":135},25,{"file":140,"line":155,"context":135},29,{"file":101,"line":134,"context":135},{"file":101,"line":158,"context":135},236,{"file":101,"line":160,"context":135},242,{"file":101,"line":162,"context":135},253,{"file":101,"line":164,"context":135},264,{"file":166,"line":26,"context":135},"update\\form.php",{"file":109,"line":168,"context":135},85,{"file":109,"line":170,"context":135},237,{"file":109,"line":172,"context":135},240,{"file":109,"line":174,"context":135},248,{"file":109,"line":176,"context":135},258,{"file":109,"line":178,"context":135},268,{"file":180,"line":143,"context":135},"upload\\form.php",
{"file":180,"line":145,"context":135},{"file":180,"line":183,"context":135},35,{"file":70,"line":185,"context":135},132,{"file":70,"line":170,"context":135},{"file":70,"line":188,"context":135},389,{"file":70,"line":190,"context":135},392,{"file":70,"line":192,"context":135},400,{"file":70,"line":194,"context":135},410,{"file":70,"line":196,"context":135},420,{"file":70,"line":198,"context":135},511,{"file":70,"line":200,"context":135},662,{"file":70,"line":202,"context":135},663,{"file":70,"line":204,"context":135},669,{"file":70,"line":206,"context":135},679,{"file":70,"line":208,"context":135},689,{"file":70,"line":210,"context":135},732,{"file":70,"line":212,"context":135},735,{"file":70,"line":214,"context":135},738,{"file":70,"line":216,"context":135},741,{"file":70,"line":218,"context":135},744,{"file":70,"line":220,"context":135},747,{"file":70,"line":222,"context":135},750,{"file":70,"line":224,"context":135},753,{"file":70,"line":226,"context":135},757,{"file":70,"line":228,"context":135},765,{"file":70,"line":230,"context":135},768,{"file":70,"line":232,"context":135},793,{"file":70,"line":234,"context":135},810,{"file":70,"line":236,"context":135},862,[],[239,258,267,287],{"entryPoint":240,"graph":241,"unsanitizedCount":257,"severity":37},"\u003Cbulk_update> (update\\bulk_update.php:0)",{"nodes":242,"edges":254},[243,248],{"id":244,"type":245,"label":246,"file":101,"line":247},"n0","source","$_FILES",6,{"id":249,"type":250,"label":251,"file":101,"line":252,"wp_function":253},"n1","sink","fopen() [File Access]",23,"fopen",[255],{"from":244,"to":249,"sanitized":256},false,1,{"entryPoint":259,"graph":260,"unsanitizedCount":257,"severity":37},"\u003Cbulk_upload> 
(upload\\bulk_upload.php:0)",{"nodes":261,"edges":265},[262,264],{"id":244,"type":245,"label":246,"file":109,"line":263},8,{"id":249,"type":250,"label":251,"file":109,"line":153,"wp_function":253},[266],{"from":244,"to":249,"sanitized":256},{"entryPoint":268,"graph":269,"unsanitizedCount":14,"severity":37},"ramwp_export_add_action (wp_export.php:147)",{"nodes":270,"edges":284},[271,274,276,280],{"id":244,"type":245,"label":272,"file":70,"line":273},"$_FILES (x2)",160,{"id":249,"type":250,"label":251,"file":70,"line":275,"wp_function":253},177,{"id":277,"type":245,"label":278,"file":70,"line":279},"n2","$_REQUEST",764,{"id":281,"type":250,"label":282,"file":70,"line":228,"wp_function":283},"n3","echo() [XSS]","echo",[285,286],{"from":244,"to":249,"sanitized":256},{"from":277,"to":281,"sanitized":256},{"entryPoint":288,"graph":289,"unsanitizedCount":14,"severity":37},"\u003Cwp_export> (wp_export.php:0)",{"nodes":290,"edges":295},[291,292,293,294],{"id":244,"type":245,"label":272,"file":70,"line":273},{"id":249,"type":250,"label":251,"file":70,"line":275,"wp_function":253},{"id":277,"type":245,"label":278,"file":70,"line":279},{"id":281,"type":250,"label":282,"file":70,"line":228,"wp_function":283},[296,297],{"from":244,"to":249,"sanitized":256},{"from":277,"to":281,"sanitized":256},{"summary":299,"deductions":300},"The \"wp-post-corrector\" plugin v1.0.2 exhibits a concerning security posture, largely due to significant weaknesses identified in its code and a history of known vulnerabilities. While the static analysis reports a small attack surface with no apparent direct entry points like AJAX, REST API, or shortcodes, this masks deeper issues. The critical concern lies in the lack of proper output escaping, with 0% of 53 identified outputs being properly sanitized. 
This, combined with a high proportion of the 18 SQL queries not using prepared statements (only 11% do), creates a significant risk of SQL injection and Cross-Site Scripting (XSS) vulnerabilities.\n\nThe taint analysis, though limited in scope (4 flows analyzed), reveals that all flows have unsanitized paths, indicating potential avenues for malicious input to reach sensitive functions. The absence of nonce checks and capability checks on any functionality is a major security oversight, leaving any potential future entry points vulnerable to unauthorized access and manipulation. Furthermore, the plugin has a history of 2 known medium-severity vulnerabilities, specifically SQL injection and XSS, both of which remain unpatched as of the last vulnerability disclosure in June 2025. This pattern of past and persistent vulnerabilities, coupled with the identified code weaknesses, suggests a lack of robust security practices in the plugin's development and maintenance.\n\nIn conclusion, while the plugin's current apparent attack surface is small, the underlying code quality and vulnerability history present significant risks. The lack of output escaping, the prevalence of raw SQL queries, and the history of unpatched vulnerabilities are serious red flags. The absence of basic security checks such as nonces and capability checks exacerbates these risks. 
Users should exercise extreme caution and consider disabling or thoroughly reviewing this plugin until these critical issues are addressed.",[301,304,306,308,310,312],{"reason":302,"points":303},"2 unpatched medium severity CVEs",20,{"reason":305,"points":303},"0% output escaping",{"reason":307,"points":303},"11% SQL prepared statements (89% raw SQL)",{"reason":309,"points":145},"No nonce checks",{"reason":311,"points":145},"No capability checks",{"reason":313,"points":263},"All 4 taint flows have unsanitized paths","2026-03-16T22:01:57.567Z",{"wat":316,"direct":325},{"assetPaths":317,"generatorPatterns":320,"scriptPaths":321,"versionParams":322},[318,319],"\u002Fwp-content\u002Fplugins\u002Fwp-post-corrector\u002Fexport.css","\u002Fwp-content\u002Fplugins\u002Fwp-post-corrector\u002Fexport.js",[],[319],[323,324],"\u002Fwp-content\u002Fplugins\u002Fwp-post-corrector\u002Fexport.css?ver=","\u002Fwp-content\u002Fplugins\u002Fwp-post-corrector\u002Fexport.js?ver=",{"cssClasses":326,"htmlComments":329,"htmlAttributes":330,"restEndpoints":332,"jsGlobals":333,"shortcodeOutput":334},[327,328],"wp_post_corrector_upload_form","wp_post_corrector_bulk_upload_csv",[],[331],"name=\"bulk_upload_csv\"",[],[],[]]