[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f2It-cfqbbEcFFUBua0ntphvkjWxBHsuBRGvJa7EbyOI":3,"$fcu62zaTbA_RVKI63EMTJj_ds32U8KFLKlFAs4TGrBYA":137,"$fYcyXoDJIBHbXnCk5ZPiBgPl7TuoQhDxdPQpv8BTIR4Y":142},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":15,"requires_php":15,"tags":16,"homepage":17,"download_link":18,"security_score":19,"vuln_count":13,"unpatched_count":13,"last_vuln_date":20,"fetched_at":21,"discovery_status":22,"vulnerabilities":23,"developer":24,"crawl_stats":20,"alternatives":31,"analysis":32,"fingerprints":124},"wp-visit-counter","WP Visit Counter","1.0","Faizan Ali","https:\u002F\u002Fprofiles.wordpress.org\u002Ffaizan1041\u002F","\u003Cp>Simply displays one more column in your posts\u002Fpages for number of visits.\u003C\u002Fp>\n","Simply displays one more column in your posts\u002Fpages for number of visits.",10,1393,0,"2015-01-06T03:00:00.000Z","",[],"http:\u002F\u002Ffaizan-ali.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-visit-counter.zip",85,null,"2026-04-16T10:56:18.058Z","no_bundle",[],{"slug":25,"display_name":7,"profile_url":8,"plugin_count":26,"total_installs":27,"avg_security_score":19,"avg_patch_time_days":28,"trust_score":29,"computed_at":30},"faizan1041",2,20,30,84,"2026-05-19T23:56:16.489Z",[],{"attackSurface":33,"codeSignals":65,"taintFlows":92,"riskAssessment":111,"analyzedAt":123},{"hooks":34,"ajaxHandlers":56,"restRoutes":57,"shortcodes":58,"cronEvents":63,"entryPointCount":64,"unprotectedCount":13},[35,41,46,50,53],{"type":36,"name":37,"callback":38,"file":39,"line":40},"action","wp_footer","wp_vistcnt_count_this_page","index.php",193,{"type":42,"name":43,"callback":44,"file":39,"line":45},"filter","manage_posts_columns","wp_vistcnt_columns_head",218,{"type":36,"name":47,"callback":48,"priority":11,"file":39,"line":49},"manage_posts_custom_column","wp_vistcnt_columns_content",219,{"type":42,"name":51,"callback":44,"file":39,"line":52},"manage_pages_columns",221,{"type":36,"name":54,"callback":48,"priority":11,"file":39,"line":55},"manage_pages_custom_column",222,[],[],[59],{"tag":60,"callback":61,"file":39,"line":62},"show_ip","wp_vistcnt_get_the_user_ip",172,[],1,{"dangerousFunctions":66,"sqlUsage":67,"outputEscaping":86,"fileOperations":13,"externalRequests":13,"nonceChecks":13,"capabilityChecks":13,"bundledLibraries":91},[],{"prepared":68,"raw":69,"locations":70},11,5,[71,74,77,80,83],{"file":39,"line":72,"context":73},22,"$wpdb->get_var() with unsafe: $dbtablehits",{"file":39,"line":75,"context":76},32,"$wpdb->get_var() with unsafe: $dbtableinfo",{"file":39,"line":78,"context":79},108,"$wpdb->query() with unsafe: $page",{"file":39,"line":81,"context":82},237,"$wpdb->get_results() with unsafe: $dbtablehits",{"file":39,"line":84,"context":85},246,"$wpdb->get_results() with unsafe: $page",{"escaped":13,"rawEcho":64,"locations":87},[88],{"file":39,"line":89,"context":90},213,"raw output",[],[93],{"entryPoint":94,"graph":95,"unsanitizedCount":64,"severity":110},"\u003Cindex> (index.php:0)",{"nodes":96,"edges":107},[97,102],{"id":98,"type":99,"label":100,"file":39,"line":101},"n0","source","$_SERVER",63,{"id":103,"type":104,"label":105,"file":39,"line":78,"wp_function":106},"n1","sink","query() [SQLi]","query",[108],{"from":98,"to":103,"sanitized":109},false,"high",{"summary":112,"deductions":113},"The \"wp-visit-counter\" v1.0 plugin exhibits a mixed security posture.  On the positive side, the plugin has no recorded vulnerabilities (CVEs) and a relatively small attack surface consisting of a single shortcode. It also avoids dangerous functions, file operations, and external HTTP requests, which are common vectors for exploitation. However, significant concerns arise from the static analysis.  A concerning 100% of the single output identified is not properly escaped, posing a risk of Cross-Site Scripting (XSS) vulnerabilities. Furthermore, a critical taint flow with an unsanitized path was detected, indicating a potential for path traversal or arbitrary file access if this flow is exploited in conjunction with user-supplied input. The absence of nonce checks and capability checks on entry points is also a notable weakness, leaving the plugin susceptible to CSRF attacks and unauthorized actions if the shortcode's functionality can be manipulated.",[114,116,119,121],{"reason":115,"points":69},"Unescaped output detected",{"reason":117,"points":118},"Taint flow with unsanitized path (critical)",15,{"reason":120,"points":69},"Missing nonce checks",{"reason":122,"points":69},"Missing capability checks","2026-04-16T12:30:15.551Z",{"wat":125,"direct":130},{"assetPaths":126,"generatorPatterns":127,"scriptPaths":128,"versionParams":129},[],[],[],[],{"cssClasses":131,"htmlComments":132,"htmlAttributes":133,"restEndpoints":134,"jsGlobals":135,"shortcodeOutput":136},[],[],[],[],[61],[60],{"error":138,"url":139,"statusCode":140,"statusMessage":141,"message":141},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fwp-visit-counter\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":13,"versions":143},[]]