[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fH_KGj72VYOKGv7TC14sNJMSpS4kuD13I2IYxTStXQ8s":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":13,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29,"vulnerabilities":30,"developer":31,"crawl_stats":28,"alternatives":37,"analysis":138,"fingerprints":361},"wpterm","WPTerm","1.2","bruandet","https:\u002F\u002Fprofiles.wordpress.org\u002Fbruandet\u002F","\u003Ch4>An xterm-like plugin to run non-interactive shell commands.\u003C\u002Fh4>\n\u003Cp>WPTerm is an xterm-like plugin. It can be used to run non-interactive shell commands from the WordPress admin dashboard.\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>Just like a terminal, WPTerm lets you do almost everything you want (e.g., changing file permissions, viewing network connections or current processes etc). That’s great, but if you aren’t familiar with Unix shell commands, you can also damage your blog. 
Therefore, each time you use WPTerm, please follow this rule of thumb: \u003Cstrong>if you don’t know what you’re doing, don’t do it!\u003C\u002Fstrong>\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FNHlWrEK6JfE?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Ch4>Compatibility\u003C\u002Fh4>\n\u003Cp>WPTerm is not compatible with Microsoft Windows; it works on Unix-like servers only.\u003C\u002Fp>\n\u003Cp>Because it makes use of PHP program execution functions such as \u003Ccode>exec\u003C\u002Fcode> or \u003Ccode>shell_exec\u003C\u002Fcode>, it may not be compatible with some shared hosts that have disabled these functions. To make sure your server is compatible, follow these steps:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Download \u003Ca href=\"https:\u002F\u002Fnintechnet.com\u002Fbruandet\u002Fwpterm-check.txt\" title=\"\" rel=\"nofollow ugc\">this script\u003C\u002Fa>.\u003C\u002Fli>\n\u003Cli>Rename it to “wpterm-check.php”.\u003C\u002Fli>\n\u003Cli>Upload it inside your website root folder.\u003C\u002Fli>\n\u003Cli>Go to http:\u002F\u002FYOUR WEBSITE\u002Fwpterm-check.php\u003C\u002Fli>\n\u003Cli>Delete it afterwards.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Password Protection\u003C\u002Fh4>\n\u003Cp>You can (and probably should!) password protect the access to WPTerm. 
Consult the contextual help, or type \u003Ccode>help\u003C\u002Fcode> at the terminal prompt to get more details about how to enable this feature.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Selectable PHP program execution function to run commands.\u003C\u002Fli>\n\u003Cli>Custom fonts family, size and color.\u003C\u002Fli>\n\u003Cli>Custom background color.\u003C\u002Fli>\n\u003Cli>History and scrollback buffer.\u003C\u002Fli>\n\u003Cli>Terminal bell (audible \u002F visible).\u003C\u002Fli>\n\u003Cli>Optional password protection.\u003C\u002Fli>\n\u003Cli>Contextual help.\u003C\u002Fli>\n\u003Cli>Multisite compatible (only accessible to the SuperAdmin).\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Supported Languages\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>English\u003C\u002Fli>\n\u003Cli>French\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Requirements\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>WordPress 3.3+\u003C\u002Fli>\n\u003Cli>PHP 5.3+\u003C\u002Fli>\n\u003Cli>Unix-like OS (Linux, *BSD etc) only. 
WPTerm is \u003Cstrong>NOT\u003C\u002Fstrong> compatible with Microsoft Windows.\u003C\u002Fli>\n\u003C\u002Ful>\n","An xterm-like plugin to run non-interactive shell commands.",3000,60697,100,14,"2025-11-29T08:52:00.000Z","6.9.4","3.3.0","5.3",[20,21,22,23,24],"bash","command","shell","terminal","xterm","https:\u002F\u002Fnintechnet.com\u002Fbruandet\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpterm.1.2.zip",0,null,"2026-03-15T15:16:48.613Z",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":32,"total_installs":33,"avg_security_score":13,"avg_patch_time_days":34,"trust_score":35,"computed_at":36},3,11400,30,94,"2026-04-04T04:57:46.091Z",[38,59,77,94,115],{"slug":39,"name":40,"version":41,"author":42,"author_profile":43,"description":44,"short_description":45,"active_installs":46,"downloaded":47,"rating":13,"num_ratings":48,"last_updated":49,"tested_up_to":50,"requires_at_least":51,"requires_php":52,"tags":53,"homepage":56,"download_link":57,"security_score":58,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"simterm","SimTerm","0.3.0","gasparfm","https:\u002F\u002Fprofiles.wordpress.org\u002Fgasparfm\u002F","\u003Cp>Show the world how you use the command line with this plugin. 
Designed for tech blogs, tutorials and sections\u003Cbr \u002F>\nwhere terminal commands matter.\u003C\u002Fp>\n\u003Cp>This plugin makes a shortcode: [simterm][\u002Fsimterm] and shows the text inside as in a terminal session, including\u003Cbr \u002F>\nsome typing animation and separating user input and program output.\u003Cbr \u002F>\nBy default, commands have a $ symbol as the first character of the line and user input has the > (greater than)\u003Cbr \u002F>\nsymbol.\u003C\u002Fp>\n\u003Cp>You can also specify the color of the line using ##red## , ##blue## , ##green## or ##yellow## or even a custom\u003Cbr \u002F>\ndelay for this line with ##delay=[ms]## with the amount of milliseconds to sleep.\u003C\u002Fp>\n\u003Cp>To create the effect it uses “Show Your Terms” by Kande Bofim, a tiny and library agnostic Javascript.\u003C\u002Fp>\n","Make demos of your terminal commands and output in an attractive way.",40,4101,4,"2016-12-14T13:22:00.000Z","4.7.32","4.2","",[20,21,54,55,23],"line","linux","http:\u002F\u002Fgaspar.totaki.com\u002Fen\u002Fphp-project\u002Fsimterm\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimterm.0.3.2.zip",85,{"slug":60,"name":61,"version":62,"author":63,"author_profile":64,"description":65,"short_description":66,"active_installs":67,"downloaded":68,"rating":27,"num_ratings":27,"last_updated":69,"tested_up_to":70,"requires_at_least":71,"requires_php":52,"tags":72,"homepage":75,"download_link":76,"security_score":58,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"wp-shkshell","WP-ShkShell","0.6.0","ShkSchneider","https:\u002F\u002Fprofiles.wordpress.org\u002Fshkschneider\u002F","\u003Cp>WP-ShkShell provides a terminal-like box for embedding terminal commands within pages or posts.\u003Cbr \u002F>\nIt also supports multi-lines, multi-commands and has syntax highlight.\u003C\u002Fp>\n\u003Cp>The code is a modification of WP-Terminal 
(https:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Fwp-terminal\u002F).\u003C\u002Fp>\n\u003Ch3>Usage\u003C\u002Fh3>\n\u003Cp>Wrap terminal blocks with \u003Ccode>\u003Cpre lang=\"shell\" prompt=\"$\">\u003C\u002Fcode> and \u003Ccode>\u003C\u002Fpre>\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Example 1: Default prompt\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u003Cpre lang=\"shell\" prompt=\"$\">\n  ls -a\n\u003C\u002Fpre>\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Example 2: Customized prompt\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u003Cpre lang=\"shell\" prompt=\"#\">\n  ls -a\n\u003C\u002Fpre>\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Example 3: Another customized prompt\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u003Cpre lang=\"shell\" prompt=\"user@machine$\">\n  ls -a\n\u003C\u002Fpre>\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Example 4: Comments\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u003Cpre lang=\"shell\" prompt=\"user@machine$\">\n  ls -a\n  # will also list hidden files\n\u003C\u002Fpre>\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Example 5: Multiline commands\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u003Cpre lang=\"shell\">\n  ls\n  \u003Cbr>ls -a\n\u003C\u002Fpre>\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Example 6: Multiline lines, multiple commands\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u003Cpre lang=\"shell\">\n  ls\n  file1 file2 file3\n  \u003Cbr>ls -A\n  .file0 file1 file2 file3\n\u003C\u002Fpre>\n\u003C\u002Fcode>\u003C\u002Fpre>\n","WP-ShkShell provides a terminal-like box for embedding terminal commands within pages or posts. 
It also support multi-lines, multi-commands and has s &hellip;",10,2722,"2012-03-18T16:58:00.000Z","3.3.2","2.0",[21,73,22,23,74],"console","unix","http:\u002F\u002Fwww.shkschneider.me\u002Fblog\u002F1110\u002Fwp-shell-my-first-public-wordpress-plugin","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-shkshell.zip",{"slug":78,"name":79,"version":80,"author":81,"author_profile":82,"description":83,"short_description":84,"active_installs":13,"downloaded":85,"rating":27,"num_ratings":27,"last_updated":86,"tested_up_to":87,"requires_at_least":88,"requires_php":89,"tags":90,"homepage":92,"download_link":93,"security_score":58,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"blog-terminal","Blog Terminal","0.2.1","rsprta","https:\u002F\u002Fprofiles.wordpress.org\u002Frsprta\u002F","\u003Cp>Blog Terminal generates a terminal-like box that you can use to demonstrate terminal output or show the entry of terminal\u002Fconsole commands in a manner that is more demonstrative of actually using a Linux\u002FUnix terminal or Windows cmd shell.\u003C\u002Fp>\n\u003Cp>The code is a fork of Post Terminal, which is a fork of WP-Terminal which in turn is a modification of WP-Syntax, a source code highlighter plugin for WordPress.\u003C\u002Fp>\n\u003Cp>Unlike Post terminal, it uses \u003Ccode>[terminal]\u003C\u002Fcode> shorthand for the terminal box. It also shows prompt only on lines explitly set to do that.\u003C\u002Fp>\n\u003Ch4>Basic Usage\u003C\u002Fh4>\n\u003Cp>The most basic usage is to wrap your terminal blocks with \u003Ccode>[terminal][\u002Fterminal]\u003C\u002Fcode> tags. If no further options are defined within the tag a generic prompt is generated using  ‘user@computer’ with no working directory shown. 
This is similar to exporting PS1=”\\u@\\h:$ ” in sh(1), setting prompt=”%n@%m:$ ” in csh(1), etc.\u003Cbr \u002F>\nOther options available within the tag are user=”user”, computer=”computer”, and  cwd=”\u002Fpath\u002Fto\u002Fdirectory”. These allow you to override the generic user@computer settings as well as provide a ‘current working directory’.\u003Cbr \u002F>\nThe prompt is only shown on the lines starting with ‘$ ‘. So you can mix commands with simulated terminal output.\u003C\u002Fp>\n\u003Ch3>Usage\u003C\u002Fh3>\n\u003Cp>Wrap terminal blocks with \u003Ccode>[terminal user=\"username\" computer=\"computername\" cwd=\"\u002Fpath\u002Fto\u002Fdirectory\"]\u003C\u002Fcode> and \u003Ccode>[\\terminal]\u003C\u002Fcode>. They are all optional. “user” and “computer” will be shown if you don’t provide them, cwd is purely optional.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Example 1: No customized command\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[terminal]\n$ ls -a\n[\u002Fterminal]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Example 2: User and computer customizations\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[terminal user=\"tux\" computer=\"linux\"]\n$ ls -a\n[\u002Fterminal]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Example 3: Customizing just the user\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[terminal user=\"dak\"]\n$ ls -a\n[\u002Fterminal]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Example 4: Customizing user, computer and displaying a working directory\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[terminal user=\"root\" computer=\"linuxserver\" cwd=\"\u002Fusr\u002Fsrc\u002Flinux\"]\n$ make mrproper\n ...\n ... 
\n[\u002Fterminal]\n\u003C\u002Fcode>\u003C\u002Fpre>\n","Blog Terminal provides a terminal-like box for embedding terminal commands within pages or posts.",3958,"2021-08-11T14:47:00.000Z","5.8.13","2.5","5.4",[91,73,23,74,24],"cmd","https:\u002F\u002Fradeksprta.eu\u002Fprojects\u002Fterminal","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fblog-terminal.0.2.1.zip",{"slug":95,"name":96,"version":97,"author":98,"author_profile":99,"description":100,"short_description":101,"active_installs":102,"downloaded":103,"rating":13,"num_ratings":104,"last_updated":105,"tested_up_to":16,"requires_at_least":106,"requires_php":107,"tags":108,"homepage":113,"download_link":114,"security_score":13,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"wp-console","WP Console – WordPress PHP Console powered by PsySH","2.6.0","Edi Amin","https:\u002F\u002Fprofiles.wordpress.org\u002Fediamin\u002F","\u003Cp>WP Console brings the renowned PsySH directly to your browser. PsySH serves as a runtime developer console, an interactive debugger, and a PHP REPL (Read-Eval-Print Loop).\u003C\u002Fp>\n\u003Cp>To utilize WP Console, simply write your code within the code editor, then press Cmd-Enter (mac) or Ctrl-Enter (win\u002Flinux) to instantly view the output in your browser.\u003C\u002Fp>\n\u003Cp>Moreover, you have the option to employ PsySH alongside wp-cli by executing the command \u003Ccode>wp shell\u003C\u002Fcode>. Notably, wp-cli comes with inherent compatibility for psysh. 
All that is required is the activation of WP Console to leverage this feature.\u003C\u002Fp>\n\u003Ch3>Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Powerful code editor powered by Ace Editor.\u003C\u002Fli>\n\u003Cli>Real-time autocompletion for PHP core and WordPress functions, complete with placeholders.\u003C\u002Fli>\n\u003Cli>Introducing \u003Ccode>_dump\u003C\u002Fcode> as a more versatile alternative to \u003Ccode>var_dump\u003C\u002Fcode>, leveraging the capabilities of Symfony VarDumper.\u003C\u002Fli>\n\u003Cli>Instant access to debug.log contents, with the added convenience of clearing them directly from your browser.\u003C\u002Fli>\n\u003Cli>Enhanced shell experience courtesy of psySH, facilitating advanced interaction through \u003Ccode>wp shell\u003C\u002Fcode>.\u003C\u002Fli>\n\u003Cli>Customizable code snippet functionality, compatible with VS Code supported code snippets. Explore examples like these \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fclaudiosanches\u002Fvscode-woocommerce\u002Fblob\u002Fmaster\u002Fsnippets\u002Ffunctions.json\" rel=\"nofollow ugc\">WooCommerce snippets\u003C\u002Fa>.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Please note that certain PsySH commands, such as \u003Ccode>ls\u003C\u002Fcode>, \u003Ccode>doc\u003C\u002Fcode>, \u003Ccode>show\u003C\u002Fcode>, and magic variables like \u003Ccode>$_\u003C\u002Fcode>, \u003Ccode>$__class\u003C\u002Fcode>, are not currently supported in the browser console.\u003C\u002Fp>\n\u003Cp>👉 WP Console uses Gutenberg packages and components to ensure a seamless and user-friendly UI\u002FUX.\u003C\u002Fp>\n\u003Ch3>Getting Started\u003C\u002Fh3>\n\u003Cp>To begin using the plugin, follow these steps:\u003C\u002Fp>\n\u003Col>\n\u003Cli>Activate the plugin within your WordPress setup.\u003C\u002Fli>\n\u003Cli>Look for a quick link labeled “Console” in the WP Admin Bar on the right-hand side (see the second screenshot below).\u003C\u002Fli>\n\u003Cli>Click on the “Console” link to access the 
WP Console panel.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>Security Concern\u003C\u002Fh3>\n\u003Cp>WP Console explicitly verifies the presence of the \u003Ccode>manage_options\u003C\u002Fcode> permission to render the user interface and execute various functions. However, it’s important to note that this plugin is not intended for use on a production server.\u003C\u002Fp>\n\u003Ch3>Other Plugin\u003C\u002Fh3>\n\u003Cp>Working with the block or the block editor? Checkout \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcss-class-manager\u002F\" rel=\"ugc\">CSS Class Manager\u003C\u002Fa> – An advanced autocomplete additional css class control for your blocks.\u003C\u002Fp>\n","An in-browser PHP console for WordPress powered by PsySH",20000,1899294,20,"2025-11-08T09:02:00.000Z","5.3.12","7.4",[109,110,111,112,22],"autocomplete","browser","dump","repl","https:\u002F\u002Fgithub.com\u002Fediamin\u002Fwp-console","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-console.2.6.0.zip",{"slug":116,"name":117,"version":118,"author":119,"author_profile":120,"description":121,"short_description":122,"active_installs":123,"downloaded":124,"rating":125,"num_ratings":126,"last_updated":127,"tested_up_to":128,"requires_at_least":129,"requires_php":52,"tags":130,"homepage":135,"download_link":136,"security_score":137,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"dashboard-commander","Dashboard Commander","1.0.3","Josh Hartman","https:\u002F\u002Fprofiles.wordpress.org\u002Fjoshhartman\u002F","\u003Cp>Command your admin dashboard. Manage built-in widgets (Right Now, Recent Comments, etc.) and dynamically registered widgets (Google Analytics Summary, WP E-Commerce Dashboard, etc.). 
Hide widgets depending upon user capabilities.\u003C\u002Fp>\n\u003Cp>This plugin is based upon Dave Kinkead’s Dashboard Heaven plugin and extends it to support dynamically registered widgets, such as dashboard widgets that are added by a plugin.\u003C\u002Fp>\n\u003Cp>After installation access to all dashboard widgets is removed, then you can use the options at Settings > Dashboard Commander to configure the minimum access level for each widget.\u003C\u002Fp>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002F7YBOm5ov3vs?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n","Command your admin dashboard. Manage built-in widgets and dynamically registered widgets. 
Hide widgets depending upon user capabilities.",900,34553,96,8,"2024-04-05T06:01:00.000Z","6.5.8","2.9.2",[131,21,132,133,134],"admin","dashboard","manage","widgets","http:\u002F\u002Fwww.warpconduit.net\u002Fwordpress-plugins\u002Fdashboard-commander\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdashboard-commander.1.0.3.zip",92,{"attackSurface":139,"codeSignals":175,"taintFlows":273,"riskAssessment":347,"analyzedAt":360},{"hooks":140,"ajaxHandlers":164,"restRoutes":171,"shortcodes":172,"cronEvents":173,"entryPointCount":174,"unprotectedCount":27},[141,147,151,155,160],{"type":142,"name":143,"callback":144,"file":145,"line":146},"action","admin_init","wpterm_session","wpterm.php",65,{"type":142,"name":148,"callback":149,"file":145,"line":150},"admin_footer","wpterm_js_insert",140,{"type":142,"name":152,"callback":153,"file":145,"line":154},"admin_menu","wpterm_admin_menu",169,{"type":156,"name":157,"callback":158,"priority":67,"file":145,"line":159},"filter","pre_http_request","wpterm_pre_http_request",1165,{"type":156,"name":161,"callback":162,"file":145,"line":163},"site_status_tests","wpterm_remove_php_sessions_test",1188,[165],{"action":166,"nopriv":167,"callback":168,"hasNonce":169,"hasCapCheck":169,"file":145,"line":170},"wptermajax",false,"wptermajax_callback",true,958,[],[],[],1,{"dangerousFunctions":176,"sqlUsage":197,"outputEscaping":199,"fileOperations":174,"externalRequests":27,"nonceChecks":32,"capabilityChecks":48,"bundledLibraries":272},[177,181,185,189,193],{"fn":178,"file":145,"line":179,"context":180},"shell_exec",1033,"$res = shell_exec( $command );",{"fn":182,"file":145,"line":183,"context":184},"system",1037,"system( $command, $ret_var );",{"fn":186,"file":145,"line":187,"context":188},"passthru",1043,"passthru( $command, $ret_var );",{"fn":190,"file":145,"line":191,"context":192},"popen",1048,"if ( ( $handle = popen( $command , 'r' ) ) !== false ) {",{"fn":194,"file":145,"line":195,"context":196},"exec",1056,"if ( exec( 
$command, $res, $ret_var ) ) {",{"prepared":27,"raw":27,"locations":198},[],{"escaped":200,"rawEcho":201,"locations":202},16,36,[203,206,207,209,211,213,215,217,219,221,223,225,227,229,231,233,235,237,239,241,243,245,247,249,251,252,253,254,256,258,260,262,264,266,268,270],{"file":145,"line":204,"context":205},289,"raw output",{"file":145,"line":204,"context":205},{"file":145,"line":208,"context":205},346,{"file":145,"line":210,"context":205},347,{"file":145,"line":212,"context":205},348,{"file":145,"line":214,"context":205},349,{"file":145,"line":216,"context":205},353,{"file":145,"line":218,"context":205},354,{"file":145,"line":220,"context":205},355,{"file":145,"line":222,"context":205},356,{"file":145,"line":224,"context":205},357,{"file":145,"line":226,"context":205},358,{"file":145,"line":228,"context":205},359,{"file":145,"line":230,"context":205},367,{"file":145,"line":232,"context":205},382,{"file":145,"line":234,"context":205},406,{"file":145,"line":236,"context":205},409,{"file":145,"line":238,"context":205},411,{"file":145,"line":240,"context":205},413,{"file":145,"line":242,"context":205},434,{"file":145,"line":244,"context":205},462,{"file":145,"line":246,"context":205},474,{"file":145,"line":248,"context":205},500,{"file":145,"line":250,"context":205},519,{"file":145,"line":250,"context":205},{"file":145,"line":250,"context":205},{"file":145,"line":250,"context":205},{"file":145,"line":255,"context":205},648,{"file":145,"line":257,"context":205},903,{"file":145,"line":259,"context":205},912,{"file":145,"line":261,"context":205},974,{"file":145,"line":263,"context":205},979,{"file":145,"line":265,"context":205},1008,{"file":145,"line":267,"context":205},1011,{"file":145,"line":269,"context":205},1013,{"file":145,"line":271,"context":205},1017,[],[274,303],{"entryPoint":275,"graph":276,"unsanitizedCount":174,"severity":302},"wptermajax_callback 
(wpterm.php:960)",{"nodes":277,"edges":298},[278,283,288,291,295],{"id":279,"type":280,"label":281,"file":145,"line":282},"n0","source","$_POST",1006,{"id":284,"type":285,"label":286,"file":145,"line":265,"wp_function":287},"n1","sink","echo() [XSS]","echo",{"id":289,"type":280,"label":281,"file":145,"line":290},"n2",999,{"id":292,"type":293,"label":294,"file":145,"line":290},"n3","transform","→ run_command()",{"id":296,"type":285,"label":297,"file":145,"line":195,"wp_function":194},"n4","exec() [RCE]",[299,300,301],{"from":279,"to":284,"sanitized":169},{"from":289,"to":292,"sanitized":167},{"from":292,"to":296,"sanitized":167},"critical",{"entryPoint":304,"graph":305,"unsanitizedCount":174,"severity":302},"\u003Cwpterm> (wpterm.php:0)",{"nodes":306,"edges":338},[307,308,309,311,313,314,317,319,322,324,327,330,332,334,336],{"id":279,"type":280,"label":281,"file":145,"line":282},{"id":284,"type":285,"label":286,"file":145,"line":265,"wp_function":287},{"id":289,"type":280,"label":281,"file":145,"line":310},992,{"id":292,"type":285,"label":312,"file":145,"line":179,"wp_function":178},"shell_exec() [RCE]",{"id":296,"type":280,"label":281,"file":145,"line":310},{"id":315,"type":285,"label":316,"file":145,"line":183,"wp_function":182},"n5","system() [RCE]",{"id":318,"type":280,"label":281,"file":145,"line":310},"n6",{"id":320,"type":285,"label":321,"file":145,"line":187,"wp_function":186},"n7","passthru() [RCE]",{"id":323,"type":280,"label":281,"file":145,"line":310},"n8",{"id":325,"type":285,"label":326,"file":145,"line":191,"wp_function":190},"n9","popen() [RCE]",{"id":328,"type":280,"label":329,"file":145,"line":310},"n10","$_POST 
(x2)",{"id":331,"type":285,"label":297,"file":145,"line":195,"wp_function":194},"n11",{"id":333,"type":280,"label":281,"file":145,"line":290},"n12",{"id":335,"type":293,"label":294,"file":145,"line":290},"n13",{"id":337,"type":285,"label":297,"file":145,"line":195,"wp_function":194},"n14",[339,340,341,342,343,344,345,346],{"from":279,"to":284,"sanitized":169},{"from":289,"to":292,"sanitized":169},{"from":296,"to":315,"sanitized":169},{"from":318,"to":320,"sanitized":169},{"from":323,"to":325,"sanitized":169},{"from":328,"to":331,"sanitized":169},{"from":333,"to":335,"sanitized":167},{"from":335,"to":337,"sanitized":167},{"summary":348,"deductions":349},"The wpterm plugin v1.2 exhibits a mixed security posture. On the positive side, it demonstrates strong practices by utilizing prepared statements for all SQL queries and implementing capability checks for most entry points, with no known CVEs historically. This indicates a developer who is aware of common WordPress security pitfalls.\n\nHowever, significant concerns arise from the static analysis. The presence of five dangerous functions (shell_exec, system, passthru, popen, exec) is a critical red flag, as these can be leveraged for remote code execution if user-supplied input is not meticulously sanitized. Compounding this is the taint analysis, which revealed two critical severity flows with unsanitized paths. This strongly suggests that external input can be used to influence command execution in a dangerous way. Furthermore, a low rate of proper output escaping (31%) increases the risk of cross-site scripting (XSS) vulnerabilities.\n\nIn conclusion, while the lack of historical vulnerabilities and good SQL practices are strengths, the identified dangerous functions combined with critical unsanitized taint flows create a high-risk profile for this plugin. 
The potential for remote code execution and XSS needs immediate attention and remediation.",[350,353,355,357],{"reason":351,"points":352},"Critical taint flows with unsanitized paths",15,{"reason":354,"points":352},"Presence of dangerous functions (shell_exec, system, etc.)",{"reason":356,"points":126},"Low percentage of properly escaped output",{"reason":358,"points":359},"File operations detected",5,"2026-03-16T18:20:40.903Z",{"wat":362,"direct":375},{"assetPaths":363,"generatorPatterns":367,"scriptPaths":368,"versionParams":371},[364,365,366],"\u002Fwp-content\u002Fplugins\u002Fwpterm\u002Fwpterm-terminal.js","\u002Fwp-content\u002Fplugins\u002Fwpterm\u002Fwpterm.js","\u002Fwp-content\u002Fplugins\u002Fwpterm\u002Fwpterm.css",[],[369,370],"wpterm-terminal.js","wpterm.js",[372,373,374],"wpterm\u002Fwpterm.css?ver=","wpterm\u002Fwpterm.js?ver=","wpterm\u002Fwpterm-terminal.js?ver=",{"cssClasses":376,"htmlComments":379,"htmlAttributes":382,"restEndpoints":385,"jsGlobals":386,"shortcodeOutput":390},[377,378],"wpterm-title","wpterm-input",[380,381],"\u003C!-- WPTerm Plugin -->","\u003C!-- WPTerm Plugin - Generated by Jerome Bruandet -->",[383,384],"data-wpterm-dir","data-wpterm-path",[],[387,388,389],"wpterm_options","wpterm_password","wpterm_path",[391,392,393,394,395],"\u003Cdiv class='wpterm-prompt'>","\u003Cspan class='wpterm-user'>","\u003Cspan class='wpterm-cwd'>","\u003Cspan class='wpterm-prompt-char'>","\u003Cdiv class='wpterm-terminal'>"]