[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fGLX387o8UT6huITU_6kCp0z4q01FxmGprJsrv3v0SiM":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":5,"active_installs":10,"downloaded":11,"rating":12,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":22,"download_link":23,"security_score":24,"vuln_count":25,"unpatched_count":25,"last_vuln_date":26,"fetched_at":27,"vulnerabilities":28,"developer":29,"crawl_stats":26,"alternatives":33,"analysis":34,"fingerprints":104},"wp-real-ip-based-access-control","WP Real IP-based Access Control","1.3.1","hitoy","https:\u002F\u002Fprofiles.wordpress.org\u002Fhitoy\u002F","\u003Cp>\u003Ca href=\"http:\u002F\u002Fwww.hitoy.org\u002Fwp-real-ip-based-access-control.html\" rel=\"nofollow ugc\">WP Real IP-based Access Control\u003C\u002Fa> is a Plugin Specifically Designed for Website use CDN service, with this WP Real IP-based Access Control, all of your comments users’s ip address are their original IP address instead of your CDN notes IP.\u003C\u002Fp>\n\u003Cp>With This Plugin you can not only View your site visitors’s real IP, But also you can Control the access based on IP.\u003C\u002Fp>\n\u003Cp>You have three ways to control permissions:\u003Cbr \u002F>\n    1. Completely closed.\u003Cbr \u002F>\n    2. Prohibit Access.\u003Cbr \u002F>\n    3. 
Prohibit Comments.\u003C\u002Fp>\n\u003Cp>If you decide to open the access control feature, you need to fill the ip address to the Text field in the setting->WP Real IP-based ACL.\u003C\u002Fp>\n",10,1655,100,1,"2014-09-04T09:03:00.000Z","4.0.38","3.0.1","",[19,20,21],"cdn-site-show-user-ip","comments-real-ip-display","ip-based-access-control","http:\u002F\u002Fwww.hitoy.org\u002Fwp-real-ip-based-access-control.html","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-real-ip-based-access-control.zip",85,0,null,"2026-03-15T15:16:48.613Z",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":13,"total_installs":10,"avg_security_score":24,"avg_patch_time_days":30,"trust_score":31,"computed_at":32},30,84,"2026-04-04T14:17:22.280Z",[],{"attackSurface":35,"codeSignals":59,"taintFlows":69,"riskAssessment":96,"analyzedAt":103},{"hooks":36,"ajaxHandlers":55,"restRoutes":56,"shortcodes":57,"cronEvents":58,"entryPointCount":25,"unprotectedCount":25},[37,43,48,51],{"type":38,"name":39,"callback":40,"file":41,"line":42},"action","admin_menu","display_acl_menu","get-real-ip-admin.php",53,{"type":38,"name":44,"callback":45,"file":46,"line":47},"init","_get_real_ip","get-real-ip.php",101,{"type":38,"name":44,"callback":49,"file":46,"line":50},"forbidv",110,{"type":38,"name":52,"callback":53,"file":46,"line":54},"preprocess_comment","forbidc",112,[],[],[],[],{"dangerousFunctions":60,"sqlUsage":61,"outputEscaping":63,"fileOperations":25,"externalRequests":25,"nonceChecks":25,"capabilityChecks":25,"bundledLibraries":68},[],{"prepared":25,"raw":25,"locations":62},[],{"escaped":25,"rawEcho":13,"locations":64},[65],{"file":41,"line":66,"context":67},47,"raw output",[],[70],{"entryPoint":71,"graph":72,"unsanitizedCount":94,"severity":95},"\u003Cget-real-ip-admin> 
(get-real-ip-admin.php:0)",{"nodes":73,"edges":90},[74,79,84,88],{"id":75,"type":76,"label":77,"file":41,"line":78},"n0","source","$_POST['acl_ctrl_mode']",4,{"id":80,"type":81,"label":82,"file":41,"line":78,"wp_function":83},"n1","sink","update_option() [Settings Manipulation]","update_option",{"id":85,"type":76,"label":86,"file":41,"line":87},"n2","$_POST['acl_ctrl_addr']",6,{"id":89,"type":81,"label":82,"file":41,"line":87,"wp_function":83},"n3",[91,93],{"from":75,"to":80,"sanitized":92},false,{"from":85,"to":89,"sanitized":92},2,"low",{"summary":97,"deductions":98},"The static analysis of wp-real-ip-based-access-control v1.3.1 reveals a plugin with a small attack surface. There are no identified AJAX handlers, REST API routes, shortcodes, or cron events; the plugin runs only through four WordPress hooks (admin_menu, two callbacks on init, and preprocess_comment), so its code still executes on every request and on comment submission. No SQL queries were detected, prepared or raw, so the scan found no SQL injection surface in the plugin's own code. No dangerous function usage, file operations, or external HTTP requests were detected either.\n\nHowever, a concern arises from the output escaping. The single identified output (get-real-ip-admin.php, line 47) is echoed without escaping, indicating a potential for Cross-Site Scripting (XSS) if user-supplied data reaches this output without sanitization. The taint analysis highlights one flow, rated low severity, in which $_POST['acl_ctrl_mode'] and $_POST['acl_ctrl_addr'] reach update_option() in get-real-ip-admin.php without sanitization. The scan also found no nonce checks and no capability checks, so the settings handler should be reviewed for missing CSRF protection and authorization, and the submitted values should be validated before they are saved and escaped when they are displayed. 
The vulnerability history is clean, with no recorded CVEs. With 10 active installs and a last update in 2014, this may reflect limited scrutiny rather than verified security.\n\nIn conclusion, wp-real-ip-based-access-control v1.3.1 has a small attack surface and issues no database queries of its own. The lack of recorded vulnerabilities is a positive sign but not proof of security. The primary weaknesses are the unescaped output and the unsanitized flow from $_POST into update_option(), together with the absence of nonce and capability checks; none was rated critical or high in this analysis, but they are security gaps that should be addressed.",[99,101],{"reason":100,"points":87},"Unescaped output detected",{"reason":102,"points":78},"Flow with unsanitized path detected","2026-03-17T01:22:27.822Z",{"wat":105,"direct":111},{"assetPaths":106,"generatorPatterns":107,"scriptPaths":108,"versionParams":109},[],[],[],[110],"wp-real-ip-based-access-control\u002Fget-real-ip.php?ver=",{"cssClasses":112,"htmlComments":113,"htmlAttributes":114,"restEndpoints":115,"jsGlobals":116,"shortcodeOutput":117},[],[],[],[],[],[]]