[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6_gOuRDXCEMXj0dMYFZBK1gJI4TRyHO0vZ1TjOtCko0":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":23,"download_link":24,"security_score":25,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28,"vulnerabilities":29,"developer":44,"crawl_stats":35,"alternatives":50,"analysis":158,"fingerprints":262},"wp-users-disable","Disable User Login","1.0.2","brainvireinfo","https:\u002F\u002Fprofiles.wordpress.org\u002Fbrainvireinfo\u002F","\u003Cp>The plug-in lists out all the existing users’ accounts and gives the ability to admin to disable specific user accounts via email address.\u003C\u002Fp>\n\u003Cp>Once installed and activated, this plug-in lists out all the user accounts available. The admin will be asked to enter the email address of the user who they want to restrict from logging in. 
If the disabled user tries to login, they will be logged out immediately and redirected to the login page with a message showing up as “User account disabled”.\u003C\u002Fp>\n\u003Ch4>How is it Useful?\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>You can restrict another user (who has an account) from making any changes during development.\u003C\u002Fli>\n\u003Cli>You have a client who has an unpaid invoice.\u003C\u002Fli>\n\u003Cli>You want to restrict malicious users.\u003C\u002Fli>\n\u003C\u002Ful>\n","The plug-in lists out all the existing users’ accounts and gives the ability to admin to disable specific user accounts via email address.",500,11282,96,6,"2024-12-02T07:39:00.000Z","6.7.5","4.0.0","",[20,21,22],"disable-user","wp-admin-disable","wp-login-disable","http:\u002F\u002Fwww.brainvire.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-users-disable.1.0.2.zip",71,1,"2022-09-14 00:00:00","2026-03-15T15:16:48.613Z",[30],{"id":31,"url_slug":32,"title":33,"description":34,"plugin_slug":4,"theme_slug":35,"affected_versions":36,"patched_in_version":35,"severity":37,"cvss_score":38,"cvss_vector":39,"vuln_type":40,"published_date":27,"updated_date":41,"references":42,"days_to_patch":35},"CVE-2022-2350","disable-user-login-missing-authorization-to-unauthenticated-settings-update","Disable User Login \u003C= 1.0.1 - Missing Authorization to Unauthenticated Settings Update","The Disable User Login plugin for WordPress is vulnerable to unauthenticated settings update due to missing authentication when updating its settings in versions up to, and including, 9.8. This makes it possible for unauthenticated attackers to update the plugin's settings. 
Cross-Site Request Forgery protection is also not present.",null,"\u003C=1.0.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2024-01-22 19:56:02",[43],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fcaa2bbdf-353e-49a2-b0e5-d9236848a211?source=api-prod",{"slug":7,"display_name":7,"profile_url":8,"plugin_count":45,"total_installs":46,"avg_security_score":47,"avg_patch_time_days":45,"trust_score":48,"computed_at":49},14,6900,90,87,"2026-04-03T23:34:04.366Z",[51,77,101,122,141],{"slug":52,"name":53,"version":54,"author":55,"author_profile":56,"description":57,"short_description":58,"active_installs":59,"downloaded":60,"rating":61,"num_ratings":62,"last_updated":63,"tested_up_to":64,"requires_at_least":65,"requires_php":66,"tags":67,"homepage":73,"download_link":74,"security_score":75,"vuln_count":76,"unpatched_count":76,"last_vuln_date":35,"fetched_at":28},"disable-new-user-notifications","Disable New User Notification Emails","2.0.0","Syed Balkhi","https:\u002F\u002Fprofiles.wordpress.org\u002Fsmub\u002F","\u003Cp>This plugin disables WordPress notifications sent during the user registration process. 
That is all.\u003C\u002Fp>\n\u003Cp>This disables both the user registration and password reset notifications sent during the user registration process.\u003C\u002Fp>\n\u003Cp>Simple and Easy like it should be 🙂\u003C\u002Fp>\n\u003Ch4>What’s Next\u003C\u002Fh4>\n\u003Cp>If you like this plugin, then consider checking out our other projects:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Foptinmonster.com\u002F\" title=\"OptinMonster\" rel=\"friend nofollow ugc\">OptinMonster\u003C\u002Fa> – Get More Email Subscribers with the most popular conversion optimization plugin for WordPress.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwpforms.com\u002F\" title=\"WPForms\" rel=\"friend nofollow ugc\">WPForms\u003C\u002Fa> – Best Drag & Drop WordPress Form plugin (over 1 million active installs).\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.monsterinsights.com\u002F\" title=\"MonsterInsights\" rel=\"friend nofollow ugc\">MonsterInsights\u003C\u002Fa> – See the Stats that Matter and Grow Your Business with Confidence. 
Best Google Analytics Plugin for WordPress.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.seedprod.com\u002F\" title=\"SeedProd\" rel=\"friend nofollow ugc\">SeedProd\u003C\u002Fa> – Jumpstart your website with the #1 Coming Soon & Maintenance Mode Plugin for WordPress.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwp-mail-smtp\u002F\" rel=\"ugc\">WP Mail SMTP\u003C\u002Fa> – Improve email deliverability for your contact form with the most popular SMTP plugin for WordPress.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Visit \u003Ca href=\"http:\u002F\u002Fwww.wpbeginner.com\u002F\" title=\"WPBeginner\" rel=\"friend nofollow ugc\">WPBeginner\u003C\u002Fa> to learn from our \u003Ca href=\"http:\u002F\u002Fwww.wpbeginner.com\u002Fcategory\u002Fwp-tutorials\u002F\" title=\"WordPress Tutorials\" rel=\"friend nofollow ugc\">WordPress Tutorials\u003C\u002Fa> and find out about other \u003Ca href=\"http:\u002F\u002Fwww.wpbeginner.com\u002Fcategory\u002Fplugins\u002F\" title=\"Best WordPress Plugins\" rel=\"friend nofollow ugc\">best WordPress plugins\u003C\u002Fa>.\u003C\u002Fp>\n","This plugin does one thing - disables user registration notification emails.",4000,75295,68,16,"2021-07-19T04:46:00.000Z","5.8.13","4.6","5.3",[68,69,70,71,72],"disable-admin-notifications","disable-notification","disable-user-emails","disable-user-notification-emails","email","https:\u002F\u002Fthomasgriffin.io","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdisable-new-user-notifications.2.0.0.zip",85,0,{"slug":78,"name":79,"version":80,"author":81,"author_profile":82,"description":83,"short_description":84,"active_installs":85,"downloaded":86,"rating":87,"num_ratings":87,"last_updated":88,"tested_up_to":89,"requires_at_least":90,"requires_php":18,"tags":91,"homepage":97,"download_link":98,"security_score":99,"vuln_count":26,"unpatched_count":76,"last_vuln_date":100,"fetched_at":28},"user-blocker","User 
Blocker","2.2","solwininfotech","https:\u002F\u002Fprofiles.wordpress.org\u002Fsolwininfotech\u002F","\u003Cp>User Blocker plugin provide the ability to admin to block or unblock user accounts quickly and effortlessly. User can be blocked by Roll or username for specific day & time OR date range Or permanently. When someone tries to log in, and if that user blocked then a friendly error message is displayed on the login screen. You can unblock accounts at any time you want.\u003Cbr \u002F>\nAlso admin can view blocked user list and quickly search user and unblock account if require.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>User Blocker Plugin Features\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Block user by time (FROM-time to TO-time) for certain week days\u003C\u002Fli>\n\u003Cli>Block user by date (FROM-date to TO-date)\u003C\u002Fli>\n\u003Cli>Block user Permanently\u003C\u002Fli>\n\u003Cli>Unblock user any time\u003C\u002Fli>\n\u003Cli>Block user by UserName OR by Role\u003C\u002Fli>\n\u003Cli>Customizable message for each blocked User OR Blocked Role\u003C\u002Fli>\n\u003Cli>View blocked user list By Time, By Date and Permanently blocked users.\u003C\u002Fli>\n\u003Cli>Easy to search any blocked user by username\u002F email \u002F First name to view blocking status and modify or remove blocking\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Technical Support\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>You have any suggestion with User Blocker plugin or you found a bug, please contact us at \u003Ca href=\"http:\u002F\u002Fsupport.solwininfotech.com\" rel=\"nofollow ugc\">support.solwininfotech.com\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Permissions:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Only administrators are allowed to use this system. 
People with lower access levels are neither shown the new bulk actions, nor are they allowed to change the status of accounts.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Important: Plugin does not deactivate any Admin users.\u003C\u002Fstrong>\u003C\u002Fp>\n","To block users from admin side except admin users for specific day,time, and date or permanently.",3000,81478,82,"2024-08-09T14:45:00.000Z","6.6.5","5.4",[92,93,94,95,96],"block-user","deactivate-users","deny-user","disable-users","restrict-user","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fuser-blocker\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuser-blocker.zip",92,"2022-11-09 00:00:00",{"slug":102,"name":103,"version":104,"author":105,"author_profile":106,"description":107,"short_description":108,"active_installs":109,"downloaded":110,"rating":109,"num_ratings":111,"last_updated":112,"tested_up_to":89,"requires_at_least":113,"requires_php":114,"tags":115,"homepage":119,"download_link":120,"security_score":47,"vuln_count":26,"unpatched_count":76,"last_vuln_date":121,"fetched_at":28},"user-toolkit","User Toolkit","1.2.4","Deryck","https:\u002F\u002Fprofiles.wordpress.org\u002Fderyck\u002F","\u003Cp>User Tools adds missing features to user management, such as basic user activities, including last login, registration dates and user switch from the User administration screen. You can deactivate users without deleting them, allowing you to maintain your ownership of past user activity and content.\u003C\u002Fp>\n\u003Ch3>SECURITY\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Disabled user\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Your own user or the first created used cannot be disabled. Disabled user will not lost data or be deleted under any circumstances.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>User switching\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Only users with the ability to edit other users can switch user accounts. 
Unless you create new roles with this capabilities, this is only Administrators on single site installations, and Super Admins on Multisite installations.\u003Cbr \u002F>\nPasswords are not (and cannot be) revealed.\u003Cbr \u002F>\nUses the cookie authentication system in WordPress for user switching.\u003Cbr \u002F>\nImplements the nonce security system in WordPress, meaning only those who intend to switch users can switch.\u003Cbr \u002F>\nFull support for user session validation where appropriate.\u003Cbr \u002F>\nFull support for administration over SSL (if applicable).\u003C\u002Fp>\n\u003Cp>\u003Cstrong>REST API Support\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>The field last_login is included as a result in endpoint wp\u002Fv2\u002Fusers\u002F.\u003Cbr \u002F>\nFiltering the endpoint wp\u002Fv2\u002Fusers\u002F using parameter last_login is also supported.\u003C\u002Fp>\n\u003Ch3>USAGE\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Disable user\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Col>\n\u003Cli>Visit the Users menu in WordPress and you will see a enable\u002Fdisable switch in the list of each user.\u003C\u002Fli>\n\u003Cli>Click on the “Activate” switch to disable (gray) or to enable (blue).\u003C\u002Fli>\n\u003Cli>Visit every user profile and check\u002Funcheck “Activate user login” to enable\u002Fdisabled the user.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>\u003Cstrong>Switch user\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Col>\n\u003Cli>Visit the Users menu in WordPress and you will see a “Switch to” link in the list of each user.\u003C\u002Fli>\n\u003Cli>Visit every user profile and click on the “Switch to {user}” to switch to the user.\u003C\u002Fli>\n\u003Cli>You will be able to switch back using the message that will appear in every admin screen.\u003C\u002Fli>\n\u003Cli>You will be able to switch back using the “Switch back to {user}” located in the User menu in the admin bar.\u003C\u002Fli>\n\u003Cli>If the user you switched to does not have access to the 
admin screens you will be able to switch back using the link located in the right bottom corner of the screen.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>\u003Cstrong>User Columns\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Col>\n\u003Cli>Visit the Users menu in WordPress and you will see a “Last Login”, “Registered” and “ID” columns by default in the list of each user.\u003C\u002Fli>\n\u003Cli>Disable all or any column clicking “Screen Options” on the right top corner of the screen.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>\u003Cstrong>Retrieve Last Login info using REST API\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Col>\n\u003Cli>Get last_login field with ISO 8601 form on endpoint wp\u002Fv2\u002Fusers\u002F\u003C\u002Fli>\n\u003Cli>Filter using parameter last_login using the following options wp\u002Fv2\u002Fusers\u002F?last_login=FROM,[TO:optional] using ISO 8601 or Y-m-d format.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>PRIVACY STATEMENT\u003C\u002Fh3>\n\u003Cp>This plugin makes use of a single browser cookie in order to allow users to switch between accounts. The cookie contains only a secure reference hash and does not store any personally identifiable information (PII). The actual user data is stored securely on the server using WordPress transients.\u003C\u002Fp>\n\u003Cp>The cookie name is: \u003Cstrong>wp_usrtk_user_switch_ref\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>This implementation ensures that no user data or PII is exposed in the browser cookies, making it more secure and privacy-friendly. The cookie is set with HTTP-only flag, secure flag (when HTTPS is in use), and SameSite=Strict for enhanced security. The cookie expires after 24 hours or when the user switches back to their original account.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>How can I report security bugs?\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>You can report security bugs through the Patchstack Vulnerability Disclosure Program. 
The Patchstack team help validate, triage and handle any security vulnerabilities. \u003Ca href=\"https:\u002F\u002Fpatchstack.com\u002Fdatabase\u002Fvdp\u002Fuser-toolkit\" rel=\"nofollow ugc\">Report a security vulnerability.\u003C\u002Fa>\u003C\u002Fp>\n","The missing user tools and activity data that you need and don't have by default.",100,3459,4,"2024-10-28T13:07:00.000Z","5.9.5","7.4",[20,116,117,118],"last-login","registration-date","user-profile","https:\u002F\u002Fderyckoe.com\u002Fuser-toolkit","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuser-toolkit.1.2.4.zip","2024-10-25 00:00:00",{"slug":123,"name":124,"version":125,"author":126,"author_profile":127,"description":128,"short_description":129,"active_installs":130,"downloaded":131,"rating":76,"num_ratings":76,"last_updated":132,"tested_up_to":133,"requires_at_least":134,"requires_php":135,"tags":136,"homepage":18,"download_link":140,"security_score":75,"vuln_count":76,"unpatched_count":76,"last_vuln_date":35,"fetched_at":28},"disabling-user-enumeration","Disable User Enumeration","1.0.0","incredibledeveloperr","https:\u002F\u002Fprofiles.wordpress.org\u002Fincredibledeveloperr\u002F","\u003Cp>User enumeration can be use for brute-force techniques to either guess or confirm valid users in a system. User enumeration is often a web application vulnerability, though it can also be found in any system that requires user authentication.\u003C\u002Fp>\n\u003Cp>An enumeration attack allows a hacker to check whether a name exists in the database. 
For example, to set up a brute-force attack, rather than searching through login and password pairs, all they need is a matching password for a verified user name, saving time and effort.\u003C\u002Fp>\n\u003Cp>The phrase “username harvesting” refers to a vulnerability that when exploited allows people or programs interacting with an application to determine what a valid username is vs an invalid username.\u003C\u002Fp>\n\u003Cp>**You can check your site have user enumeration by simply type https:\u002F\u002Fselectedfirms.co\u002Fwp-json\u002Fwp\u002Fv2\u002Fusers that’s it. **\u003C\u002Fp>\n\u003Cp>Features:\u003C\u002Fp>\n\u003Col>\n\u003Cli>We only disable for non logged in users.\u003C\u002Fli>\n\u003Cli>You can deactivate with single click. No extra configuration required.\u003C\u002Fli>\n\u003Cli>Something else about the plugin\u003C\u002Fli>\n\u003C\u002Fol>\n","Disable User Enumeration is a plugin designed to prevent hackers scanning your site for user names using REST API call.",30,1159,"2020-12-16T07:49:00.000Z","5.5.18","4.7","7.2",[137,138,139],"disable-user-enumeration","rest-api-user-enumeration","user-enumeration","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdisabling-user-enumeration.zip",{"slug":142,"name":143,"version":144,"author":145,"author_profile":146,"description":147,"short_description":148,"active_installs":76,"downloaded":149,"rating":76,"num_ratings":76,"last_updated":150,"tested_up_to":89,"requires_at_least":151,"requires_php":135,"tags":152,"homepage":18,"download_link":157,"security_score":99,"vuln_count":76,"unpatched_count":76,"last_vuln_date":35,"fetched_at":28},"user-wise-email-disable","User Wise Email Disable","1.0","Efflux Perceive","https:\u002F\u002Fprofiles.wordpress.org\u002Fdivyeshsapariya35\u002F","\u003Cp>This plugin is useful for \u003Cstrong>disable user wise emails\u003C\u002Fstrong>. 
You need to \u003Cstrong>drag and drop the user\u003C\u002Fstrong> and save it then this will work automatically.\u003C\u002Fp>\n","This plugin is useful for disabling user-wise mail. You need to drag and drop the user and save it then this will work automatically.",829,"2024-10-05T07:52:00.000Z","6.0",[153,154,72,155,156],"disable-email","disable-user-wise-email","switch-off-user-wise-mail","user-email-disable","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuser-wise-email-disable.zip",{"attackSurface":159,"codeSignals":203,"taintFlows":225,"riskAssessment":252,"analyzedAt":261},{"hooks":160,"ajaxHandlers":187,"restRoutes":200,"shortcodes":201,"cronEvents":202,"entryPointCount":111,"unprotectedCount":76},[161,167,172,177,182],{"type":162,"name":163,"callback":164,"file":165,"line":166},"action","admin_enqueue_scripts","dwul_ajax_script","class-dwul-user-register-ajax-callback.php",26,{"type":162,"name":168,"callback":169,"priority":170,"file":165,"line":171},"wp_login","dwul_disable_user_call_back",10,27,{"type":173,"name":174,"callback":175,"file":165,"line":176},"filter","login_message","dwul_disable_user_login_message",28,{"type":162,"name":178,"callback":179,"file":180,"line":181},"admin_menu","dwul_add_plugin_setting_page","class-dwul-user-register-block.php",21,{"type":173,"name":183,"callback":184,"priority":170,"file":185,"line":186},"plugin_action_links","dwul_admin_settings","init-field.php",46,[188,193,195,198],{"action":189,"nopriv":190,"callback":189,"hasNonce":191,"hasCapCheck":190,"file":165,"line":192},"dwul_action_callback",false,true,22,{"action":189,"nopriv":191,"callback":189,"hasNonce":191,"hasCapCheck":190,"file":165,"line":194},23,{"action":196,"nopriv":190,"callback":196,"hasNonce":191,"hasCapCheck":190,"file":165,"line":197},"dwul_enable_user_email",24,{"action":196,"nopriv":191,"callback":196,"hasNonce":191,"hasCapCheck":190,"file":165,"line":199},25,[],[],[],{"dangerousFunctions":204,"sqlUsage":205,"outputEscaping":218,"fileO
perations":76,"externalRequests":76,"nonceChecks":220,"capabilityChecks":76,"bundledLibraries":221},[],{"prepared":206,"raw":111,"locations":207},3,[208,211,213,215],{"file":165,"line":209,"context":210},49,"$wpdb->get_col() with variable interpolation",{"file":165,"line":212,"context":210},50,{"file":165,"line":214,"context":210},152,{"file":180,"line":216,"context":217},123,"$wpdb->get_results() with variable interpolation",{"escaped":209,"rawEcho":76,"locations":219},[],2,[222],{"name":223,"version":35,"knownCves":224},"Select2",[],[226,244],{"entryPoint":227,"graph":228,"unsanitizedCount":76,"severity":243},"dwul_enable_user_email (class-dwul-user-register-ajax-callback.php:197)",{"nodes":229,"edges":241},[230,235],{"id":231,"type":232,"label":233,"file":165,"line":234},"n0","source","$_REQUEST",209,{"id":236,"type":237,"label":238,"file":165,"line":239,"wp_function":240},"n1","sink","query() [SQLi]",210,"query",[242],{"from":231,"to":236,"sanitized":191},"low",{"entryPoint":245,"graph":246,"unsanitizedCount":76,"severity":243},"\u003Cclass-dwul-user-register-ajax-callback> (class-dwul-user-register-ajax-callback.php:0)",{"nodes":247,"edges":250},[248,249],{"id":231,"type":232,"label":233,"file":165,"line":234},{"id":236,"type":237,"label":238,"file":165,"line":239,"wp_function":240},[251],{"from":231,"to":236,"sanitized":191},{"summary":253,"deductions":254},"The \"wp-users-disable\" v1.0.2 plugin exhibits a mixed security posture. On the positive side, static analysis reveals a strong adherence to secure coding practices regarding output escaping, with 100% of outputs being properly escaped. Additionally, the absence of dangerous functions, file operations, and external HTTP requests is commendable. The plugin also shows some awareness of security by including nonce checks and bundling a commonly used library like Select2.\n\nHowever, significant concerns arise from the vulnerability history. 
The presence of one unpatched medium severity CVE, specifically related to Missing Authorization, is a critical red flag. This indicates a past flaw that has not been remediated, leaving users exposed to known attack vectors. Note, however, that the advisory lists the affected range as \u003C=1.0.1 and records no patched version, while this analysis covers v1.0.2, so the unpatched status should be confirmed against the current release. Furthermore, while the static analysis shows no direct unprotected AJAX handlers or REST API routes, the lack of capability checks on all four AJAX handler registrations is a potential weakness. Two of those registrations are nopriv, meaning they are reachable without authentication and the nonce is the only gate on them. This suggests that although nonces might be present, the authorization logic itself might be insufficient, potentially allowing unauthenticated or lower-privileged users to perform actions they shouldn't if the nonces are compromised or bypassed.\n\nIn conclusion, the plugin has some good security fundamentals in place, particularly in output handling. However, the unpatched medium severity vulnerability and the absence of capability checks on AJAX handlers are substantial weaknesses that overshadow these strengths. The history of Missing Authorization vulnerabilities is particularly worrying and requires immediate attention to ensure user data and site integrity.",[255,258],{"reason":256,"points":257},"Unpatched medium severity CVE",15,{"reason":259,"points":260},"Missing capability checks on AJAX 
handlers",8,"2026-03-17T05:36:58.549Z",{"wat":263,"direct":276},{"assetPaths":264,"generatorPatterns":269,"scriptPaths":270,"versionParams":271},[265,266,267,268],"\u002Fwp-content\u002Fplugins\u002Fwp-users-disable\u002Fassets\u002Fcss\u002Fadmin-user-disable.css","\u002Fwp-content\u002Fplugins\u002Fwp-users-disable\u002Fassets\u002Fcss\u002Fselect2.min.css","\u002Fwp-content\u002Fplugins\u002Fwp-users-disable\u002Fassets\u002Fjs\u002Fselect2.min.js","\u002Fwp-content\u002Fplugins\u002Fwp-users-disable\u002Fassets\u002Fjs\u002Fadmin-user-disable.js",[],[268],[272,273,274,275],"wp-users-disable\u002Fassets\u002Fcss\u002Fadmin-user-disable.css?ver=","wp-users-disable\u002Fassets\u002Fcss\u002Fselect2.min.css?ver=","wp-users-disable\u002Fassets\u002Fjs\u002Fselect2.min.js?ver=","wp-users-disable\u002Fassets\u002Fjs\u002Fadmin-user-disable.js?ver=",{"cssClasses":277,"htmlComments":278,"htmlAttributes":279,"restEndpoints":280,"jsGlobals":281,"shortcodeOutput":283},[],[],[],[],[282],"backend_custom_object",[]]