[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fzPNXwm9WpKDbAMQVGfVVntErfx2eEpQvQTlwaBxMgZU":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":24,"download_link":25,"security_score":26,"vuln_count":27,"unpatched_count":13,"last_vuln_date":28,"fetched_at":29,"vulnerabilities":30,"developer":45,"crawl_stats":36,"alternatives":52,"analysis":53,"fingerprints":436},"wt-display-breeze","Breeze Display","1.2.4","Michael","https:\u002F\u002Fprofiles.wordpress.org\u002Fmgyura\u002F","\u003Cp>A plugin that brings in your Breeze church management software data (events, full calendar, pledges, donations and contributions) for display on your WordPress website. It can be displayed via widgets on a sidebar or shortcodes within pages and posts.\u003C\u002Fp>\n\u003Cp>This plugin is built and supported by \u003Ca href=\"https:\u002F\u002Fworshiptimes.org\u002F\" title=\"Worship Times Websites For Ministries\" rel=\"nofollow ugc\">Worship Times\u003C\u002Fa> and is not an official product of Breeze.\u003C\u002Fp>\n\u003Cdiv class=\"embed-vimeo\" style=\"text-align: center;\">\u003Ciframe loading=\"lazy\" src=\"https:\u002F\u002Fplayer.vimeo.com\u002Fvideo\u002F195973042\" width=\"750\" height=\"422\" frameborder=\"0\" webkitallowfullscreen mozallowfullscreen allowfullscreen>\u003C\u002Fiframe>\u003C\u002Fdiv>\n\u003Cdiv class=\"embed-vimeo\" style=\"text-align: center;\">\u003Ciframe loading=\"lazy\" src=\"https:\u002F\u002Fplayer.vimeo.com\u002Fvideo\u002F401437498\" width=\"750\" height=\"422\" frameborder=\"0\" webkitallowfullscreen mozallowfullscreen allowfullscreen>\u003C\u002Fiframe>\u003C\u002Fdiv>\n","A plugin that brings in your Breeze church management software data (events, full calendar, pledges, donations and contributions) for display on your  
&hellip;",80,3591,0,"2025-04-23T15:18:00.000Z","6.8.5","4.9","",[19,20,21,22,23],"breeze","breeze-donations","breeze-events","breeze-wordpress","livebar","https:\u002F\u002Fworshiptimes.org","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwt-display-breeze.zip",99,1,"2025-04-24 09:50:49","2026-03-15T15:16:48.613Z",[31],{"id":32,"url_slug":33,"title":34,"description":35,"plugin_slug":4,"theme_slug":36,"affected_versions":37,"patched_in_version":6,"severity":38,"cvss_score":39,"cvss_vector":40,"vuln_type":41,"published_date":28,"updated_date":42,"references":43,"days_to_patch":27},"CVE-2025-3749","breeze-display-authenticated-contributor-stored-cross-site-scripting-via-calsize-parameter","Breeze Display \u003C= 1.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via cal_size Parameter","The Breeze Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘cal_size’ parameter in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",null,"\u003C=1.2.3","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2025-04-24 22:22:14",[44],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F527dd2c7-5bbb-4c79-aa3c-7d70ddd26163?source=api-prod",{"slug":46,"display_name":7,"profile_url":8,"plugin_count":47,"total_installs":48,"avg_security_score":49,"avg_patch_time_days":27,"trust_score":50,"computed_at":51},"mgyura",4,280,92,94,"2026-04-04T15:14:38.576Z",[],{"attackSurface":54,"codeSignals":154,"taintFlows":395,"riskAssessment":421,"analyzedAt":435},{"hooks":55,"ajaxHandlers":134,"restRoutes":135,"shortcodes":136,"cronEvents":153,"entryPointCount":47,"unprotectedCount":13},[56,62,68,72,75,79,82,86,89,93,98,101,106,109,113,117,120,124,127,130],{"type":57,"name":58,"callback":59,"file":60,"line":61},"action","admin_menu","register_breeze_submenu_page","includes\\options.php",6,{"type":63,"name":64,"callback":65,"file":66,"line":67},"filter","media_upload_tabs","wt_breeze_donate_tab","includes\\shortcodes.php",23,{"type":57,"name":69,"callback":70,"file":66,"line":71},"media_upload_wt_breeze_donate_tab","wt_breeze_donate_upload_tab",31,{"type":63,"name":64,"callback":73,"file":66,"line":74},"wt_breeze_fullcal_tab",131,{"type":57,"name":76,"callback":77,"file":66,"line":78},"media_upload_wt_breeze_fullcal_tab","wt_breeze_fullcal_upload_tab",139,{"type":63,"name":64,"callback":80,"file":66,"line":81},"wt_breeze_campaign_tab",298,{"type":57,"name":83,"callback":84,"file":66,"line":85},"media_upload_wt_breeze_campaign_tab","wt_breeze__campaignupload_tab",306,{"type":63,"name":64,"callback":87,"file":66,"line":88},"wt_breeze_tab",528,{"type":57,"name":
90,"callback":91,"file":66,"line":92},"media_upload_wt_breeze_tab","wt_breeze_upload_tab",536,{"type":57,"name":94,"callback":95,"file":96,"line":97},"widgets_init","wtbreeze_campaign_register_widgets","includes\\widgets.php",11,{"type":57,"name":94,"callback":99,"file":96,"line":100},"wtbreeze_register_widgets",242,{"type":57,"name":102,"callback":103,"file":104,"line":105},"admin_init","wt_breeze_settings_group","wt-breeze.php",15,{"type":57,"name":102,"callback":107,"file":104,"line":108},"wt_breeze_livebar_settings_group",27,{"type":57,"name":110,"callback":111,"file":104,"line":112},"wp_head","breeze_livebar_javascript",120,{"type":57,"name":114,"callback":115,"file":104,"line":116},"wp_enqueue_scripts","wt_breeze_register_scripts",167,{"type":57,"name":118,"callback":115,"file":104,"line":119},"admin_enqueue_scripts",168,{"type":57,"name":121,"callback":122,"file":104,"line":123},"wp_footer","wt_breeze_print_scripts",169,{"type":57,"name":121,"callback":125,"file":104,"line":126},"wt_breeze_print_contrib_scripts",170,{"type":57,"name":128,"callback":122,"file":104,"line":129},"admin_footer",171,{"type":57,"name":131,"callback":132,"file":104,"line":133},"admin_notices","wt_breeze_showAdminMessages",201,[],[],[137,141,145,149],{"tag":138,"callback":139,"file":66,"line":140},"wt_breeze_giving","wt_breeze_giving_shortcode",5,{"tag":142,"callback":143,"file":66,"line":144},"wt_breeze_full_cal","wt_breeze_full_cal_shortcode",73,{"tag":146,"callback":147,"file":66,"line":148},"wt_breeze_campaigns","wt_breeze_campaigns_shortcode",222,{"tag":150,"callback":151,"file":66,"line":152},"wt_breeze_list","wt_breeze_list_shortcode",410,[],{"dangerousFunctions":155,"sqlUsage":156,"outputEscaping":158,"fileOperations":13,"externalRequests":27,"nonceChecks":13,"capabilityChecks":13,"bundledLibraries":394},[],{"prepared":13,"raw":13,"locations":157},[],{"escaped":159,"rawEcho":160,"locations":161},45,134,[162,165,167,169,171,173,175,177,179,181,183,185,187,189,190,191,192,194,19
5,197,199,201,203,205,207,209,211,213,215,216,217,218,220,222,224,226,228,230,231,232,233,235,237,239,241,243,245,247,249,251,253,255,257,259,261,263,264,266,268,269,270,272,274,276,278,280,282,284,286,288,290,291,292,294,295,297,299,301,302,304,306,308,310,311,313,314,316,318,319,320,322,324,326,328,330,332,334,336,338,340,342,344,346,347,348,349,350,352,353,354,356,357,358,359,360,362,364,366,368,370,372,373,375,377,378,380,382,383,385,386,388,390,391,392],{"file":60,"line":163,"context":164},35,"raw output",{"file":60,"line":166,"context":164},43,{"file":60,"line":168,"context":164},51,{"file":60,"line":170,"context":164},96,{"file":60,"line":172,"context":164},172,{"file":60,"line":174,"context":164},180,{"file":60,"line":176,"context":164},191,{"file":60,"line":178,"context":164},199,{"file":60,"line":180,"context":164},204,{"file":60,"line":182,"context":164},209,{"file":60,"line":184,"context":164},214,{"file":66,"line":186,"context":164},17,{"file":66,"line":188,"context":164},116,{"file":66,"line":188,"context":164},{"file":66,"line":188,"context":164},{"file":66,"line":188,"context":164},{"file":66,"line":193,"context":164},117,{"file":66,"line":193,"context":164},{"file":66,"line":196,"context":164},202,{"file":66,"line":198,"context":164},255,{"file":66,"line":200,"context":164},257,{"file":66,"line":202,"context":164},260,{"file":66,"line":204,"context":164},264,{"file":66,"line":206,"context":164},272,{"file":66,"line":208,"context":164},275,{"file":66,"line":210,"context":164},278,{"file":66,"line":212,"context":164},343,{"file":66,"line":214,"context":164},453,{"file":66,"line":214,"context":164},{"file":66,"line":214,"context":164},{"file":66,"line":214,"context":164},{"file":66,"line":219,"context":164},454,{"file":66,"line":221,"context":164},455,{"file":66,"line":223,"context":164},458,{"file":66,"line":225,"context":164},462,{"file":66,"line":227,"context":164},466,{"file":66,"line":229,"context":164},489,{"file":66,"line":229,"context":164},{"f
ile":66,"line":229,"context":164},{"file":66,"line":229,"context":164},{"file":66,"line":234,"context":164},490,{"file":66,"line":236,"context":164},491,{"file":66,"line":238,"context":164},494,{"file":66,"line":240,"context":164},498,{"file":66,"line":242,"context":164},502,{"file":66,"line":244,"context":164},574,{"file":96,"line":246,"context":164},53,{"file":96,"line":248,"context":164},59,{"file":96,"line":250,"context":164},63,{"file":96,"line":252,"context":164},66,{"file":96,"line":254,"context":164},75,{"file":96,"line":256,"context":164},76,{"file":96,"line":258,"context":164},83,{"file":96,"line":260,"context":164},88,{"file":96,"line":262,"context":164},89,{"file":96,"line":170,"context":164},{"file":96,"line":265,"context":164},100,{"file":96,"line":267,"context":164},110,{"file":96,"line":188,"context":164},{"file":96,"line":193,"context":164},{"file":96,"line":271,"context":164},124,{"file":96,"line":273,"context":164},129,{"file":96,"line":275,"context":164},130,{"file":96,"line":277,"context":164},137,{"file":96,"line":279,"context":164},142,{"file":96,"line":281,"context":164},143,{"file":96,"line":283,"context":164},150,{"file":96,"line":285,"context":164},186,{"file":96,"line":287,"context":164},189,{"file":96,"line":289,"context":164},197,{"file":96,"line":178,"context":164},{"file":96,"line":196,"context":164},{"file":96,"line":293,"context":164},206,{"file":96,"line":184,"context":164},{"file":96,"line":296,"context":164},217,{"file":96,"line":298,"context":164},220,{"file":96,"line":300,"context":164},230,{"file":96,"line":210,"context":164},{"file":96,"line":303,"context":164},285,{"file":96,"line":305,"context":164},286,{"file":96,"line":307,"context":164},293,{"file":96,"line":309,"context":164},299,{"file":96,"line":309,"context":164},{"file":96,"line":312,"context":164},300,{"file":96,"line":312,"context":164},{"file":96,"line":315,"context":164},301,{"file":96,"line":317,"context":164},309,{"file":96,"line":317,"context":164},{"file":96
,"line":317,"context":164},{"file":96,"line":321,"context":164},318,{"file":96,"line":323,"context":164},372,{"file":96,"line":325,"context":164},373,{"file":96,"line":327,"context":164},380,{"file":96,"line":329,"context":164},383,{"file":96,"line":331,"context":164},384,{"file":96,"line":333,"context":164},391,{"file":96,"line":335,"context":164},394,{"file":96,"line":337,"context":164},395,{"file":96,"line":339,"context":164},402,{"file":96,"line":341,"context":164},432,{"file":96,"line":343,"context":164},435,{"file":96,"line":345,"context":164},457,{"file":96,"line":345,"context":164},{"file":96,"line":345,"context":164},{"file":96,"line":345,"context":164},{"file":96,"line":223,"context":164},{"file":96,"line":351,"context":164},459,{"file":96,"line":225,"context":164},{"file":96,"line":227,"context":164},{"file":96,"line":355,"context":164},470,{"file":96,"line":238,"context":164},{"file":96,"line":238,"context":164},{"file":96,"line":238,"context":164},{"file":96,"line":238,"context":164},{"file":96,"line":361,"context":164},495,{"file":96,"line":363,"context":164},496,{"file":96,"line":365,"context":164},499,{"file":96,"line":367,"context":164},503,{"file":96,"line":369,"context":164},507,{"file":96,"line":371,"context":164},521,{"file":104,"line":74,"context":164},{"file":104,"line":374,"context":164},132,{"file":104,"line":376,"context":164},133,{"file":104,"line":160,"context":164},{"file":104,"line":379,"context":164},135,{"file":104,"line":381,"context":164},136,{"file":104,"line":277,"context":164},{"file":104,"line":384,"context":164},138,{"file":104,"line":78,"context":164},{"file":104,"line":387,"context":164},140,{"file":104,"line":389,"context":164},141,{"file":104,"line":279,"context":164},{"file":104,"line":281,"context":164},{"file":104,"line":393,"context":164},144,[],[396,413],{"entryPoint":397,"graph":398,"unsanitizedCount":27,"severity":38},"wt_breeze_giving_shortcode 
(includes\\shortcodes.php:7)",{"nodes":399,"edges":410},[400,405],{"id":401,"type":402,"label":403,"file":66,"line":404},"n0","source","$_SERVER['HTTP_HOST']",13,{"id":406,"type":407,"label":408,"file":66,"line":404,"wp_function":409},"n1","sink","header() [Header Injection]","header",[411],{"from":401,"to":406,"sanitized":412},false,{"entryPoint":414,"graph":415,"unsanitizedCount":27,"severity":38},"\u003Cshortcodes> (includes\\shortcodes.php:0)",{"nodes":416,"edges":419},[417,418],{"id":401,"type":402,"label":403,"file":66,"line":404},{"id":406,"type":407,"label":408,"file":66,"line":404,"wp_function":409},[420],{"from":401,"to":406,"sanitized":412},{"summary":422,"deductions":423},"The \"wt-display-breeze\" plugin v1.2.4 presents a mixed security profile. On the positive side, the static analysis recorded no SQL queries at all (none prepared, none raw), so there is no raw SQL to review, and the plugin has no known unpatched vulnerabilities, indicating a generally well-maintained codebase regarding past issues. The static analysis also shows no direct dangerous functions or file operations, which are common attack vectors; it did record one external HTTP request.\n\nHowever, several concerning areas were identified in the static analysis. The plugin exhibits a concerningly low percentage of properly escaped output (25%: 45 escaped outputs against 134 raw echo statements), suggesting a high likelihood of Cross-Site Scripting (XSS) vulnerabilities. The taint analysis revealed \"flows with unsanitized paths\": $_SERVER['HTTP_HOST'] reaches header() in includes\\shortcodes.php (line 13) with no sanitization in between, which is flagged as header injection at medium severity. No critical or high severity issues were flagged in this specific analysis. 
The absence of nonce checks and capability checks across its entry points (shortcodes) is a significant weakness, allowing unauthenticated or low-privileged users to potentially trigger unintended actions or access restricted data through these shortcodes. Shortcodes run whenever a page or post containing them is rendered, so the exposure is mainly through shortcode attributes that low-privileged authors (Contributor-level access and above) can set and that reach the page without sufficient sanitization or escaping, as in the past cal_size issue.\n\nThe vulnerability history shows a past medium severity vulnerability related to XSS (CVE-2025-3749, affecting versions up to and including 1.2.3 and patched in 1.2.4), reinforcing the concern raised by the low output escaping. While there are no currently unpatched vulnerabilities, that past XSS issue coupled with the current lack of output escaping and authorization checks on shortcodes suggests an ongoing risk of similar vulnerabilities if not addressed. The plugin's strengths lie in its SQL handling and lack of unpatched CVEs, but its weaknesses in output sanitization and authorization for shortcodes pose a tangible risk to WordPress installations.",[424,427,429,431,433],{"reason":425,"points":426},"Low output escaping percentage (25%)",8,{"reason":428,"points":140},"Unsanitized paths in taint analysis",{"reason":430,"points":140},"No nonce checks on entry points (shortcodes)",{"reason":432,"points":140},"No capability checks on entry points (shortcodes)",{"reason":434,"points":140},"Past medium XSS 
vulnerability","2026-03-16T21:28:23.410Z",{"wat":437,"direct":453},{"assetPaths":438,"generatorPatterns":444,"scriptPaths":445,"versionParams":447},[439,440,441,442,443],"\u002Fwp-content\u002Fplugins\u002Fwt-display-breeze\u002Fincludes\u002Fjs\u002Fwt-breeze-admin.js","\u002Fwp-content\u002Fplugins\u002Fwt-display-breeze\u002Fincludes\u002Fjs\u002Fwt-breeze-frontend.js","\u002Fwp-content\u002Fplugins\u002Fwt-display-breeze\u002Fincludes\u002Fcss\u002Fwt-breeze-admin.css","\u002Fwp-content\u002Fplugins\u002Fwt-display-breeze\u002Fincludes\u002Fcss\u002Fwt-breeze-frontend.css","\u002Fwp-content\u002Fplugins\u002Fwt-display-breeze\u002Fincludes\u002Fcss\u002Fwt-breeze-widget.css",[],[446],"https:\u002F\u002Flivebar.church\u002Flivebar.js",[448,449,450,451,452],"wt-breeze-admin.js?ver=","wt-breeze-frontend.js?ver=","wt-breeze-admin.css?ver=","wt-breeze-frontend.css?ver=","wt-breeze-widget.css?ver=",{"cssClasses":454,"htmlComments":461,"htmlAttributes":462,"restEndpoints":477,"jsGlobals":478,"shortcodeOutput":481},[455,456,457,458,459,460],"wt-breeze-calendar","wt-breeze-event-list","wt-breeze-pledge-form","wt-breeze-donation-form","wt-breeze-contribution-form","livebar-header",[],[463,464,465,466,467,468,469,470,471,472,473,474,475,476],"data-layout","data-background-color","data-button-color","data-text-color","data-button-text-color","data-button-text","data-header-text","data-service-1-day-of-week","data-service-1-hours","data-service-1-minutes","data-service-1-duration-minutes","data-dismissable","data-live-url","data-timezone",[],[479,480],"wt_breeze_admin_vars","wt_breeze_frontend_vars",[482,483,484,485,486],"[wt_breeze_calendar]","[wt_breeze_event_list]","[wt_breeze_pledge_form]","[wt_breeze_donation_form]","[wt_breeze_contribution_form]"]