[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fVJvRbGd1vrPuxOH6SzDT8RDIrWkMOEQYYiDsZ9fhtKk":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":23,"download_link":24,"security_score":25,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28,"vulnerabilities":29,"developer":44,"crawl_stats":35,"alternatives":52,"analysis":154,"fingerprints":281},"wpcas","wpCAS","1.07","Casey Bisson","https:\u002F\u002Fprofiles.wordpress.org\u002Fmisterbisson\u002F","\u003Cp>wpCAS integrates WordPress into an established CAS architecture, allowing centralized management and authentication of user credentials in a heterogeneous environment.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FCentral_Authentication_Service\" rel=\"nofollow ugc\">From Wikipedia\u003C\u002Fa>:\u003C\u002Fp>\n\u003Cblockquote>\u003Cp>The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to log into multiple applications simultaneously and automatically. It also allows untrusted web applications to authenticate users without gaining access to a user’s security credentials, such as a password. The name CAS also refers to a software package that implements this protocol.\u003C\u002Fp>\u003C\u002Fblockquote>\n\u003Cp>Users who attempt to login to WordPress are redirected to the central CAS sign-on screen. After the user’s credentials are verified, s\u002Fhe is then redirected back to the WordPress site. 
If the CAS username matches the WordPress username, the user is recognized as valid and allowed access.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FAuthZ\" rel=\"nofollow ugc\">Authorization\u003C\u002Fa> of that user’s capabilities is based on native WordPress settings and functions. CAS only authenticates that the user is who s\u002Fhe claims to be.\u003C\u002Fp>\n\u003Cp>If the CAS user does not have an account in the WordPress site, an administrator defined function can be called to provision the account or do other actions. By default, CAS users without WordPress accounts are simply refused access.\u003C\u002Fp>\n","wpCAS integrates WordPress into an established CAS architecture, allowing centralized management and authentication of user credentials in a heterogen &hellip;",100,6205,0,"2010-03-25T15:28:00.000Z","2.7.1","2.7","",[19,20,21,22,4],"authentication","cas","central-authentication-service","phpcas","http:\u002F\u002Fmaisonbisson.com\u002Fprojects\u002Fwpcas","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpcas.zip",63,1,"2026-01-20 00:00:00","2026-03-15T15:16:48.613Z",[30],{"id":31,"url_slug":32,"title":33,"description":34,"plugin_slug":4,"theme_slug":35,"affected_versions":36,"patched_in_version":35,"severity":37,"cvss_score":38,"cvss_vector":39,"vuln_type":40,"published_date":27,"updated_date":41,"references":42,"days_to_patch":35},"CVE-2025-68858","wpcas-reflected-cross-site-scripting","wpCAS \u003C= 1.07 - Reflected Cross-Site Scripting","The wpCAS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.07 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",null,"\u003C=1.07","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-27 19:19:39",[43],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc915b30b-a15d-4ac7-abb6-f6d81a6e2ee7?source=api-prod",{"slug":45,"display_name":7,"profile_url":8,"plugin_count":46,"total_installs":47,"avg_security_score":48,"avg_patch_time_days":49,"trust_score":50,"computed_at":51},"misterbisson",7,290,84,3405,68,"2026-04-04T15:07:51.612Z",[53,71,92,111,133],{"slug":54,"name":55,"version":56,"author":57,"author_profile":58,"description":59,"short_description":60,"active_installs":61,"downloaded":62,"rating":13,"num_ratings":13,"last_updated":63,"tested_up_to":64,"requires_at_least":65,"requires_php":17,"tags":66,"homepage":68,"download_link":69,"security_score":70,"vuln_count":13,"unpatched_count":13,"last_vuln_date":35,"fetched_at":28},"wpcas-server","wpCAS Server","1.0","Adam Backstrom","https:\u002F\u002Fprofiles.wordpress.org\u002Fadambackstrom\u002F","\u003Cp>This plugin reserves a collection of URIs that create, validate, and destroy CAS tickets.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u002Fcas\u002Flogin :: If user is not authenticated he\u002Fshe is redirected to the login page.  
Otherwise the user is redirected to the service specified as a GET variable in the URL – or if service is not provided, the user is redirected to the WordPress instance’s home.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u002Fcas\u002Flogout :: The user’s session is destroyed, user is logged out of the WordPress instance, and redirected to $_GET[‘service’] (or the blog home if service isn’t provided)\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u002Fcas\u002FproxyValidate and \u002Fcas\u002Fvalidate :: The CAS ticket must be passed as a GET parameter in the URL when calling \u002Fcas\u002Fvalidate.  The ticket is validated and XML is output with either cas:authenticationSuccess or cas:authenticationFailure\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Hooks & Filters\u003C\u002Fh3>\n\u003Ch4>wpcas_server_login Hook\u003C\u002Fh4>\n\u003Cp>This hook allows for the insertion of code after login has successfully completed and just before the ticket creation.  One common use of this hook is to fill out the $_SESSION variable with site\u002Fuser specific information.\u003C\u002Fp>\n\u003Ch4>wpcas_server_auth_value Filter\u003C\u002Fh4>\n\u003Cp>This filter (executed in a successful ticket validation in \u002Fcas\u002Fvalidate) is used to override the user identifier returned in the cas:authenticationSuccess XML response.  By default, the value returned is the $user_ID of the authenticated user.  
Using this filter, that value can be altered to whatever suits your implementation.\u003C\u002Fp>\n","Turns WordPress or WordPress MU into a CAS single sign-on authenticator.",10,2448,"2012-07-12T13:42:00.000Z","2.9.2","2.8",[67,19,21,4,54],"auth","http:\u002F\u002Fborkweb.com\u002Fprojects\u002Fwpcas-server","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpcas-server.zip",85,{"slug":72,"name":73,"version":74,"author":75,"author_profile":76,"description":77,"short_description":78,"active_installs":79,"downloaded":80,"rating":11,"num_ratings":81,"last_updated":82,"tested_up_to":83,"requires_at_least":84,"requires_php":85,"tags":86,"homepage":88,"download_link":89,"security_score":90,"vuln_count":26,"unpatched_count":13,"last_vuln_date":91,"fetched_at":28},"wp-cassify","WP Cassify","2.3.9","Alain-Aymerick FRANCOIS","https:\u002F\u002Fprofiles.wordpress.org\u002Faaf017\u002F","\u003Cp>If you’re happy with this plugin :\u003Cbr \u002F>\nAs a reward for my efforts, I would like to receive T-shirts (or other goodies) as gifts from the universities or companies that use it.\u003Cbr \u002F>\nMy size is L. Best regards.\u003C\u002Fp>\n\u003Cp>This Apereo CAS authentication plugin has no phpCas library dependency. This is not only an authentication plugin.\u003Cbr \u002F>\nYou can build custom authorization rules according to cas user attributes populated. If user don’t exist in WordPress\u003Cbr \u002F>\ndatabase, it can be created automatically. There are many features. You can customize everything.\u003C\u002Fp>\n\u003Ch4>Website\u003C\u002Fh4>\n\u003Cp>https:\u002F\u002Fwpcassify.wordpress.com\u002F\u003C\u002Fp>\n\u003Ch4>Development and release environment\u003C\u002Fh4>\n\u003Cp>This plugin is now developed and tested from a github repository. You can find it here :\u003Cbr \u002F>\nhttps:\u002F\u002Fgithub.com\u002FWP-Cassify\u002Fwp-cassify-develop\u003C\u002Fp>\n\u003Cp>Don’t hesitate to contribute to this project. 
You can fork it and make pull requests !\u003C\u002Fp>\n\u003Ch4>Requirements\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Require at least PHP version 7.0\u003C\u002Fli>\n\u003Cli>Require at least PHP CURL package\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Features included\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>SLO (Single Log Out) support (thanks to dedotombo and me)\u003C\u002Fli>\n\u003Cli>Adding NCONTAINS operator (thanks to blandman)\u003C\u002Fli>\n\u003Cli>Fix bug on Gateway mode (autologin) (thanks to dedotombo again). Now it’s now necessary to hack theme files to fire it.\u003C\u002Fli>\n\u003Cli>Adding option logout on authentication failure to not disturb users\u003C\u002Fli>\n\u003Cli>Initialize PHP session at a later stage (on wp_loaded not on init)\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Adding some customs hooks and filters.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Tested with Apereo CAS Server version 7.2.5\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>Compatible with CAS Protocol version 2 and 3\u003C\u002Fli>\n\u003Cli>Automatic user creation if not exist in WordPress database.\u003C\u002Fli>\n\u003Cli>Synchronize WordPress User metas with CAS User attributes.\u003C\u002Fli>\n\u003Cli>Add support for multivaluate cas user fields. Now multivaluate fields can be serialized to be stored in custom WP User meta.\u003C\u002Fli>\n\u003Cli>Backup \u002F Restore plugin configuration options settings\u003C\u002Fli>\n\u003Cli>You can choose CAS User attributes you want to populate. 
Then you can access them via PHP Session.\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Be careful, to access to CAS User Attributes from your theme file (from 1.8.4), use code below :\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u003C?php\n    if ( isset($GLOBALS['wp-cassify']) ) {\n        print_r( $GLOBALS['wp-cassify']->wp_cassify_get_cas_user_datas() );\n    }\n?>\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Set up WordPress Roles to User according to CAS User attributes.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>If plugin is network activated, you can define User Role Rule scope by blog id.\u003C\u002Fli>\n\u003Cli>Authorization rule editor.\u003C\u002Fli>\n\u003Cli>Compatible with WordPress Access Control Plugin.\u003C\u002Fli>\n\u003Cli>Manage URL White List to bypass CAS Authentication on certain pages.\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Much simpler bypass authentication with post method provided by Susan Boland (See online documentation). Create wordpress authentication form with redirect attribute like this :\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u003C?php\n\n    $args = array(\n        'echo'           => true,\n        'remember'       => true,\n        'redirect' => site_url( '\u002F?wp_cassify_bypass=bypass' ),\n        'form_id'        => 'loginform',\n        'id_username'    => 'user_login',\n        'id_password'    => 'user_pass',\n        'id_remember'    => 'rememberme',\n        'id_submit'      => 'wp-submit',\n        'label_username' => __( 'Username' ),\n        'label_password' => __( 'Password' ),\n        'label_remember' => __( 'Remember Me' ),\n        'label_log_in'   => __( 'Log In' ),\n        'value_username' => '',\n        'value_remember' => false\n    );\n\n    wp_login_form( $args ); \n?>\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Receive email notifications when trigger is fired (after user account creation, after user login\u002Flogout).\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>Define 
notifications rules based on user attributes values.\u003C\u002Fli>\n\u003Cli>Purge user roles before applying user role rules.\u003C\u002Fli>\n\u003Cli>Define user account expiration rules bases on CAS User attributes.\u003C\u002Fli>\n\u003Cli>Network activation allowed\u003C\u002Fli>\n\u003Cli>You can set Service Logout URL (Needs to have CAS Server with followServiceRedirects option configured).\u003C\u002Fli>\n\u003Cli>Add support for web application hosted behind a reverse proxy. (Thanks to franck86)\u003C\u002Fli>\n\u003Cli>Add custom hooks : wp_cassify_after_cas_authentication, wp_cassify_before_auth_user_wordpress, wp_cassify_before_redirect, wp_cassify_after_redirect. (See online documentation)\u003C\u002Fli>\n\u003Cli>Custom filter to perform custom cas server response parsing. Hook name : wp_cassify_custom_parsing_cas_xml_response (See online documentation)\u003C\u002Fli>\n\u003Cli>Custom shortcode to generate CAS login\u002Flogout link into your blog. (See online documentation)\u003C\u002Fli>\n\u003Cli>Debug settings, dump last xml cas server response.\u003C\u002Fli>\n\u003Cli>Detect if user has already authenticated by CAS from your public pages and perform auto-login with gateway mode\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Add ‘-IN’ and ‘-NOTIN’ operators to process array attributes values returned from CAS.\u003Cbr \u002F>\nWhen you have :\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$cas_user_datas['title'] = array( 'Student', 'Professor' );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Then you can use :\u003C\u002Fp>\n\u003Cpre>\u003Ccode>    (CAS{title} -IN \"professor\")\n\u003C\u002Fcode>\u003C\u002Fpre>\n","The plugin is an Apereo CAS Client. 
It performs CAS authentication and authorization for WordPress.",900,34201,16,"2025-10-02T08:22:00.000Z","6.8.5","4.4","7.0",[67,19,20,87,4],"central","https:\u002F\u002Fwpcassify.wordpress.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-cassify.2.3.9.zip",99,"2025-03-26 00:00:00",{"slug":93,"name":94,"version":95,"author":96,"author_profile":97,"description":98,"short_description":99,"active_installs":100,"downloaded":101,"rating":11,"num_ratings":102,"last_updated":103,"tested_up_to":104,"requires_at_least":105,"requires_php":17,"tags":106,"homepage":109,"download_link":110,"security_score":70,"vuln_count":13,"unpatched_count":13,"last_vuln_date":35,"fetched_at":28},"wp-cas-server","Cassava CAS Server","1.2.3","Luis Rodrigues","https:\u002F\u002Fprofiles.wordpress.org\u002Fgoblindegook\u002F","\u003Cp>Cassava allows WordPress to act as a single sign-on authenticator using the Central Authentication Service (CAS) protocol.\u003C\u002Fp>\n\u003Cp>That way, users on your WordPress install may be able to access different applications that support the CAS protocol by providing a single set of credentials and without exposing the user’s password.\u003C\u002Fp>\n\u003Cp>By default, CAS method URIs are provided under the \u003Ccode>wp-cas\u003C\u002Fcode> endpoint:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ccode>\u002Fwp-cas\u002Flogin\u003C\u002Fcode>: Allows a remote service to request that a user authenticate on the CAS server. Will redirect back to the remote service along with a service ticket.\u003C\u002Fli>\n\u003Cli>\u003Ccode>\u002Fwp-cas\u002Flogout\u003C\u002Fcode>: Terminates the single sign-on session. May optionally redirect the user back to the remote service.\u003C\u002Fli>\n\u003Cli>\u003Ccode>\u002Fwp-cas\u002Fvalidate\u003C\u002Fcode> [CAS 1.0]: Allows a remote service to validate a service ticket forwarded by the user on redirect. 
Returns a plaintext response.\u003C\u002Fli>\n\u003Cli>\u003Ccode>\u002Fwp-cas\u002Fproxy\u003C\u002Fcode> [CAS 2.0]: Provides access to remote services with proxy tickets in exchange for proxy-granting tickets. Returns an XML response.\u003C\u002Fli>\n\u003Cli>\u003Ccode>\u002Fwp-cas\u002FproxyValidate\u003C\u002Fcode> [CAS 2.0]: Allows a remote service to validate a service or proxy ticket forwarded by the user on redirect. Returns an XML response.\u003C\u002Fli>\n\u003Cli>\u003Ccode>\u002Fwp-cas\u002FserviceValidate\u003C\u002Fcode> [CAS 2.0]: Allows a remote service to validate a service ticket forwarded by the user on redirect. Returns an XML response.\u003C\u002Fli>\n\u003Cli>\u003Ccode>\u002Fwp-cas\u002Fp3\u002FproxyValidate\u003C\u002Fcode> [CAS 3.0]: Allows a remote service to validate a service or proxy ticket forwarded by the user on redirect. Returns an XML response.\u003C\u002Fli>\n\u003Cli>\u003Ccode>\u002Fwp-cas\u002Fp3\u002FserviceValidate\u003C\u002Fcode> [CAS 3.0]: Allows a remote service to validate a service ticket forwarded by the user on redirect. Returns an XML response.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>There are a few \u003Ca href=\"http:\u002F\u002Fwww.jasig.org\u002Fcas\u002Fclient-integration\" rel=\"nofollow ugc\">client integration\u003C\u002Fa> libraries available for CAS, as well as a handy guide for \u003Ca href=\"https:\u002F\u002Fwiki.jasig.org\u002Fdisplay\u002FCASC\u002FCASifying+Applications\" rel=\"nofollow ugc\">CASifying several existing applications\u003C\u002Fa>. 
Independent WordPress installations may integrate with Cassava using a client plugin such as \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcas-maestro\u002F\" rel=\"ugc\">CAS Maestro\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>Please follow and contribute to Cassava’s development on \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fgoblindegook\u002Fwp-cas-server\" rel=\"nofollow ugc\">Github\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>Hooks\u003C\u002Fh3>\n\u003Ch4>Action: cas_server_before_request\u003C\u002Fh4>\n\u003Cp>Fires before a CAS request is processed.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>string\u003C\u002Fem> \u003Ccode>$path\u003C\u002Fcode>: Requested URI path.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Action: cas_server_after_request\u003C\u002Fh4>\n\u003Cp>Fires after a CAS request is processed.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>string\u003C\u002Fem> \u003Ccode>$path\u003C\u002Fcode>: Requested URI path.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Action: cas_server_error\u003C\u002Fh4>\n\u003Cp>Fires if the CAS server has to return an XML error.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>WP_Error\u003C\u002Fem> \u003Ccode>$error\u003C\u002Fcode>: WordPress error to return as XML.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Action: cas_server_validation_success\u003C\u002Fh4>\n\u003Cp>Fires on successful ticket validation.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>WP_User\u003C\u002Fem> \u003Ccode>$user\u003C\u002Fcode>: WordPress user validated by ticket.\u003C\u002Fli>\n\u003Cli>\u003Cem>string\u003C\u002Fem> \u003Ccode>$ticket\u003C\u002Fcode>: Valid ticket string.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Filter: cas_enabled\u003C\u002Fh4>\n\u003Cp>Allows developers to disable CAS.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>boolean\u003C\u002Fem> 
\u003Ccode>$cas_enabled\u003C\u002Fcode>: Whether the server should respond to single sign-on requests.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Filter: cas_server_routes\u003C\u002Fh4>\n\u003Cp>Allows developers to override the default controller mapping, define additional endpoints and provide alternative implementations to the provided controllers.\u003C\u002Fp>\n\u003Cp>Controllers provided in this fashion should extend the \u003Ccode>\\Cassava\\CAS\\Controller\\BaseController\u003C\u002Fcode> class.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>array\u003C\u002Fem> \u003Ccode>$cas_routes\u003C\u002Fcode>: CAS endpoint to controller mapping.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Filter: cas_server_response\u003C\u002Fh4>\n\u003Cp>Lets developers change the CAS server response string.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>string\u003C\u002Fem> \u003Ccode>$output\u003C\u002Fcode>: Response output string.\u003C\u002Fli>\n\u003Cli>\u003Cem>string\u003C\u002Fem> \u003Ccode>$path\u003C\u002Fcode>: Requested URI path.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Filter: cas_server_dispatch_args\u003C\u002Fh4>\n\u003Cp>Filters the callback arguments to be dispatched for the request. 
Plugin developers may return a \u003Ccode>WP_Error\u003C\u002Fcode> object here to abort the request.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>array\u003C\u002Fem> \u003Ccode>$args\u003C\u002Fcode>: Arguments to pass the callback.\u003C\u002Fli>\n\u003Cli>\u003Cem>(string|array)\u003C\u002Fem> \u003Ccode>$callback\u003C\u002Fcode>: Callback function or method.\u003C\u002Fli>\n\u003Cli>\u003Cem>string\u003C\u002Fem> \u003Ccode>$path\u003C\u002Fcode>: Requested URI path.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Filter: cas_server_login_args\u003C\u002Fh4>\n\u003Cp>Allows developers to change the request parameters passed to a \u003Ccode>\u002Flogin\u003C\u002Fcode> request.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>array\u003C\u002Fem> \u003Ccode>$args\u003C\u002Fcode>: HTTP request (GET, POST) parameters.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Filter: cas_server_redirect_service\u003C\u002Fh4>\n\u003Cp>Filters the redirect URI for the service requesting user authentication.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>string\u003C\u002Fem> \u003Ccode>$service\u003C\u002Fcode>: Service URI requesting user authentication.\u003C\u002Fli>\n\u003Cli>\u003Cem>WP_User\u003C\u002Fem> \u003Ccode>$user\u003C\u002Fcode>: Logged in WordPress user.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Filter: cas_server_custom_auth_uri\u003C\u002Fh4>\n\u003Cp>Allows developers to redirect the user to a custom login form.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>string\u003C\u002Fem> \u003Ccode>$custom_login_url\u003C\u002Fcode>: URI for the custom login page.\u003C\u002Fli>\n\u003Cli>\u003Cem>array\u003C\u002Fem> \u003Ccode>$args\u003C\u002Fcode>: Login request parameters.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Filter: cas_server_ticket_expiration\u003C\u002Fh4>\n\u003Cp>This filter allows developers to override the default ticket 
expiration period.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>int\u003C\u002Fem> \u003Ccode>$expiration\u003C\u002Fcode>: Ticket expiration period (in seconds).\u003C\u002Fli>\n\u003Cli>\u003Cem>string\u003C\u002Fem> \u003Ccode>$type\u003C\u002Fcode>: Type of ticket to set.\u003C\u002Fli>\n\u003Cli>\u003Cem>WP_User\u003C\u002Fem> \u003Ccode>$user\u003C\u002Fcode>: Authenticated user associated with the ticket.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Filter: cas_server_validation_user_attributes\u003C\u002Fh4>\n\u003Cp>Allows developers to change the list of (key, value) pairs before they’re included in a \u003Ccode>\u002FserviceValidate\u003C\u002Fcode> response.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>array\u003C\u002Fem> \u003Ccode>$attributes\u003C\u002Fcode>: List of attributes to output.\u003C\u002Fli>\n\u003Cli>\u003Cem>WP_User\u003C\u002Fem> \u003Ccode>$user\u003C\u002Fcode>: Authenticated user.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Filter: cas_server_settings_user_attribute_options\u003C\u002Fh4>\n\u003Cp>Allows developers to change the list of user attributes that appear in the dashboard for an administrator to set to return on successful validation requests.\u003C\u002Fp>\n\u003Cp>Options are stored in an associative array, with user attribute slugs as array keys and option labels as array values.\u003C\u002Fp>\n\u003Cp>These settings are valid only for CAS 2.0 validation requests.\u003C\u002Fp>\n\u003Cp>Parameters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>array\u003C\u002Fem> \u003Ccode>$attributeOptions\u003C\u002Fcode> Attribute options an administrator can set on the dashboard.\u003C\u002Fli>\n\u003C\u002Ful>\n","Cassava provides authentication services based on the Jasig CAS 
protocol.",30,3163,2,"2016-02-13T00:05:00.000Z","4.4.34","3.9",[19,20,21,107,108],"jasig-cas","single-sign-on","https:\u002F\u002Fgoblindegook.github.io\u002Fwp-cas-server","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-cas-server.1.2.3.zip",{"slug":112,"name":113,"version":114,"author":115,"author_profile":116,"description":117,"short_description":118,"active_installs":119,"downloaded":120,"rating":11,"num_ratings":121,"last_updated":122,"tested_up_to":123,"requires_at_least":124,"requires_php":125,"tags":126,"homepage":130,"download_link":131,"security_score":90,"vuln_count":26,"unpatched_count":13,"last_vuln_date":132,"fetched_at":28},"authorizer","Authorizer","3.13.4","Paul Ryan","https:\u002F\u002Fprofiles.wordpress.org\u002Ffigureone\u002F","\u003Cp>\u003Cem>Authorizer\u003C\u002Fem> restricts access to a WordPress site to specific users, typically students enrolled in a university course. It maintains a list of approved users that you can edit to determine who has access. It also replaces the default WordPress login\u002Fauthorization system with one relying on an external server, such as Google, CAS, LDAP, or an OAuth2 provider. 
Finally, \u003Cem>Authorizer\u003C\u002Fem> lets you limit invalid login attempts to prevent bots from compromising your users’ accounts.\u003C\u002Fp>\n\u003Cp>View or contribute to the plugin source on GitHub: \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fuhm-coe\u002Fauthorizer\" rel=\"nofollow ugc\">https:\u002F\u002Fgithub.com\u002Fuhm-coe\u002Fauthorizer\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cem>Authorizer\u003C\u002Fem> requires the following:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>CAS server\u003C\u002Fstrong> (2.x, 3.x, 4.x, 5.x, 6.x, or 7.x) or \u003Cstrong>LDAP server\u003C\u002Fstrong> (plugin needs the URL)\u003C\u002Fli>\n\u003Cli>PHP extensions: php-ldap, php-curl, php-dom\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>Authorizer\u003C\u002Fem> provides the following options:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Authentication\u003C\u002Fstrong>: WordPress accounts; Google accounts; CAS accounts; LDAP accounts; OAuth2 accounts\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Login Access\u003C\u002Fstrong>: All authenticated users (all local and all external can log in); Only specific users (all local and approved external users can log in)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>View Access\u003C\u002Fstrong>: Everyone (open access); Only logged in users\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Limit Login Attempts\u003C\u002Fstrong>: Progressively increase the amount of time required between invalid login attempts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Shortcode\u003C\u002Fstrong>: Use the \u003Ccode>[authorizer_login_form]\u003C\u002Fcode> shortcode to embed a wp_login_form() outside of wp-login.php.\u003C\u002Fli>\n\u003C\u002Ful>\n","Authorizer limits login attempts, restricts access to specific users, and authenticates against external sources (OAuth2, Google, LDAP, or 
CAS).",5000,181710,19,"2025-12-19T20:52:00.000Z","6.9.4","5.5","7.4",[19,20,127,128,129],"ldap","login","oauth","https:\u002F\u002Fgithub.com\u002Fuhm-coe\u002Fauthorizer","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fauthorizer.3.13.4.zip","2022-11-01 00:00:00",{"slug":134,"name":135,"version":136,"author":137,"author_profile":138,"description":139,"short_description":140,"active_installs":141,"downloaded":142,"rating":13,"num_ratings":13,"last_updated":143,"tested_up_to":123,"requires_at_least":144,"requires_php":145,"tags":146,"homepage":152,"download_link":153,"security_score":11,"vuln_count":13,"unpatched_count":13,"last_vuln_date":35,"fetched_at":28},"wpcasa-contact-form-7","WPCasa Contact Form 7","1.4.0","WPSight","https:\u002F\u002Fprofiles.wordpress.org\u002Fwpsight\u002F","\u003Cp>The WPCasa Contact Form 7 add-on is a bridge plugin for the Contact Form 7 form builder that can be used to display a contact form on single listing pages in WPCasa. The add-on makes sure that useful property information is attached to the emails sent through the form. 
It also comes with a starter form that includes all the necessary fields to make your life easier.\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>Please notice that this plugin is an add-on for \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwpcasa\u002F\" rel=\"ugc\">WPCasa\u003C\u002Fa> and will NOT work without the core plugin.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cp>WPCasa is a WordPress solution that provides an intuitive way to manage property listings and create first-class real estate websites.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Website: \u003Ca href=\"https:\u002F\u002Fwpcasa.com\" rel=\"nofollow ugc\">wpcasa.com\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Demo: \u003Ca href=\"https:\u002F\u002Fdemo.wpcasa.com\" rel=\"nofollow ugc\">demo.wpcasa.com\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Documentation: \u003Ca href=\"https:\u002F\u002Fdocs.wpcasa.com\" rel=\"nofollow ugc\">docs.wpcasa.com\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Contributors\u003C\u002Fh3>\n\u003Cp>This is a list of contributors to WPCasa Contact Form 7.\u003Cbr \u002F>\nMany thanks to all of them for contributing and making WPCasa Contact Form 7 even better.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.kybernetik-services.com\u002F?utm_source=wordpress_org&utm_medium=plugin&utm_campaign=wpcasa&utm_content=readme\" rel=\"nofollow ugc\">Kybernetik Services\u003C\u002Fa>\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fusers\u002Fjoehana\u002F\" rel=\"ugc\">Joe Hana\u003C\u002Fa>\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fusers\u002Fcodestylist\u002F\" rel=\"ugc\">codestylist\u003C\u002Fa>\u003C\u002Fp>\n","Add support for Contact Form 7 to attach property details to the contact email sent from WPCasa listing 
pages.",500,11877,"2025-12-06T21:40:00.000Z","6.2","7.2",[147,148,149,150,151],"cf-7","contact","contact-form","contact-form-7","wpcasa","https:\u002F\u002Fwpcasa.com\u002Fdownloads\u002Fwpcasa-contact-form-7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpcasa-contact-form-7.1.4.0.zip",{"attackSurface":155,"codeSignals":202,"taintFlows":226,"riskAssessment":265,"analyzedAt":280},{"hooks":156,"ajaxHandlers":198,"restRoutes":199,"shortcodes":200,"cronEvents":201,"entryPointCount":13,"unprotectedCount":13},[157,164,169,174,178,182,186,189,192,195],{"type":158,"name":159,"callback":160,"priority":161,"file":162,"line":163},"filter","wpmu_signup_blog_notification","psu_signup_blog_notification",11,"provisioning_example.php",86,{"type":165,"name":166,"callback":167,"file":162,"line":168},"action","wp_head","signuppageheaders",92,{"type":165,"name":170,"callback":171,"file":172,"line":173},"admin_menu","wpcas_options_page_add","wpcas.php",46,{"type":165,"name":175,"callback":176,"priority":61,"file":172,"line":177},"wp_authenticate","authenticate",77,{"type":165,"name":179,"callback":180,"file":172,"line":181},"wp_logout","logout",78,{"type":165,"name":183,"callback":184,"file":172,"line":185},"lost_password","disable_function",79,{"type":165,"name":187,"callback":184,"file":172,"line":188},"retrieve_password",80,{"type":165,"name":190,"callback":190,"priority":61,"file":172,"line":191},"check_passwords",81,{"type":165,"name":193,"callback":184,"file":172,"line":194},"password_reset",82,{"type":158,"name":196,"callback":196,"file":172,"line":197},"show_password_fields",83,[],[],[],[],{"dangerousFunctions":203,"sqlUsage":204,"outputEscaping":206,"fileOperations":13,"externalRequests":13,"nonceChecks":13,"capabilityChecks":13,"bundledLibraries":225},[],{"prepared":13,"raw":13,"locations":205},[],{"escaped":102,"rawEcho":207,"locations":208},9,[209,212,213,214,215,217,219,221,223],{"file":162,"line":210,"context":211},73,"raw 
output",{"file":162,"line":210,"context":211},{"file":162,"line":185,"context":211},{"file":162,"line":185,"context":211},{"file":172,"line":216,"context":211},200,{"file":172,"line":218,"context":211},215,{"file":172,"line":220,"context":211},230,{"file":172,"line":222,"context":211},234,{"file":172,"line":224,"context":211},238,[],[227,253],{"entryPoint":228,"graph":229,"unsanitizedCount":102,"severity":37},"wpcas_options_page (wpcas.php:163)",{"nodes":230,"edges":249},[231,236,242,245],{"id":232,"type":233,"label":234,"file":172,"line":235},"n0","source","$_POST",188,{"id":237,"type":238,"label":239,"file":172,"line":240,"wp_function":241},"n1","sink","update_option() [Settings Manipulation]",191,"update_option",{"id":243,"type":233,"label":244,"file":172,"line":216},"n2","$_SERVER['PHP_SELF']",{"id":246,"type":238,"label":247,"file":172,"line":216,"wp_function":248},"n3","echo() [XSS]","echo",[250,252],{"from":232,"to":237,"sanitized":251},false,{"from":243,"to":246,"sanitized":251},{"entryPoint":254,"graph":255,"unsanitizedCount":102,"severity":264},"\u003Cwpcas> (wpcas.php:0)",{"nodes":256,"edges":261},[257,258,259,260],{"id":232,"type":233,"label":234,"file":172,"line":235},{"id":237,"type":238,"label":239,"file":172,"line":240,"wp_function":241},{"id":243,"type":233,"label":244,"file":172,"line":216},{"id":246,"type":238,"label":247,"file":172,"line":216,"wp_function":248},[262,263],{"from":232,"to":237,"sanitized":251},{"from":243,"to":246,"sanitized":251},"low",{"summary":266,"deductions":267},"The wpcas plugin v1.07 exhibits a mixed security posture. While the static analysis shows no direct attack surface (AJAX handlers, REST API routes, shortcodes, cron events) and all SQL queries utilize prepared statements, significant concerns arise from the output escaping and vulnerability history.  
The low percentage of properly escaped output (18%) indicates a strong potential for Cross-Site Scripting (XSS) vulnerabilities, even if not directly flagged by the taint analysis. The presence of a known medium severity Cross-Site Scripting (XSS) vulnerability, which remains unpatched and was discovered in 2026, is a critical indicator of ongoing risk. The fact that this is the only known CVE also suggests a potential for undiscovered vulnerabilities. The absence of nonce and capability checks across the board, coupled with a low output escaping rate, amplifies the risk associated with any potential input vectors that might exist but were not identified by the static analysis.",[268,271,273,276,278],{"reason":269,"points":270},"Unpatched medium severity CVE",15,{"reason":272,"points":61},"Low percentage of properly escaped output",{"reason":274,"points":275},"No nonce checks",5,{"reason":277,"points":275},"No capability checks",{"reason":279,"points":275},"Flows with unsanitized paths","2026-03-16T20:52:35.306Z",{"wat":282,"direct":287},{"assetPaths":283,"generatorPatterns":284,"scriptPaths":285,"versionParams":286},[],[],[],[],{"cssClasses":288,"htmlComments":289,"htmlAttributes":290,"restEndpoints":291,"jsGlobals":292,"shortcodeOutput":293},[],[],[],[],[],[]]