[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fxZoo4NXtTdsIxbgz5vWDVzEsft7oC04W6NKiqaidgvE":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":20,"download_link":21,"security_score":22,"vuln_count":13,"unpatched_count":13,"last_vuln_date":23,"fetched_at":24,"vulnerabilities":25,"developer":26,"crawl_stats":23,"alternatives":33,"analysis":34,"fingerprints":165},"wysiwyg-button-manager","WYSIWYG Button Manager","0.5","Paul Menard","https:\u002F\u002Fprofiles.wordpress.org\u002Fpmenard\u002F","\u003Cp>Allow the admin to override the default WYSIWYG button bar. Also allow the admin to create a unique 3-row button panel and assign this to a user.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fwww.codehooligans.com\u002F2007\u002F03\u002F19\u002Fwysiwyg-button-manager-for-wordpress\u002F\" title=\"WYSIWYG Button Manager\" rel=\"nofollow ugc\">Plugin Homepage\u003C\u002Fa>\u003C\u002Fp>\n","Allow the admin to override the default WYSIWYG button bar. 
Also allow the admin to create a unique 3-row button panel and assign this to a user.",10,7019,0,"2007-04-24T18:22:00.000Z","2.1.3","2.0.2","",[19],"wysiwyg-button-manager-admin-editor","http:\u002F\u002Fwww.codehooligans.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwysiwyg-button-manager.1.0.zip",85,null,"2026-03-15T15:16:48.613Z",[],{"slug":27,"display_name":7,"profile_url":8,"plugin_count":28,"total_installs":29,"avg_security_score":22,"avg_patch_time_days":30,"trust_score":31,"computed_at":32},"pmenard",4,240,30,84,"2026-04-04T13:49:02.912Z",[],{"attackSurface":35,"codeSignals":66,"taintFlows":117,"riskAssessment":145,"analyzedAt":164},{"hooks":36,"ajaxHandlers":62,"restRoutes":63,"shortcodes":64,"cronEvents":65,"entryPointCount":13,"unprotectedCount":13},[37,43,47,52,56,59],{"type":38,"name":39,"callback":40,"file":41,"line":42},"action","admin_menu","add_manage_menu","wysiwyg_button_manager.php",74,{"type":38,"name":44,"callback":45,"file":41,"line":46},"init","button_manager_install",80,{"type":48,"name":49,"callback":50,"file":41,"line":51},"filter","mce_plugins","extended_editor_mce_plugins",82,{"type":48,"name":53,"callback":54,"file":41,"line":55},"mce_buttons","user_mce_buttons_1",83,{"type":48,"name":57,"callback":58,"file":41,"line":31},"mce_buttons_2","user_mce_buttons_2",{"type":48,"name":60,"callback":61,"file":41,"line":22},"mce_buttons_3","user_mce_buttons_3",[],[],[],[],{"dangerousFunctions":67,"sqlUsage":72,"outputEscaping":78,"fileOperations":13,"externalRequests":13,"nonceChecks":13,"capabilityChecks":13,"bundledLibraries":116},[68],{"fn":69,"file":41,"line":70,"context":71},"unserialize",104,"$this->button_info = unserialize($this->button_info);",{"prepared":73,"raw":73,"locations":74},1,[75],{"file":41,"line":76,"context":77},204,"$wpdb->get_col() with variable 
interpolation",{"escaped":13,"rawEcho":79,"locations":80},19,[81,84,86,88,90,92,94,95,96,97,99,100,102,104,106,108,110,112,114],{"file":41,"line":82,"context":83},232,"raw output",{"file":41,"line":85,"context":83},246,{"file":41,"line":87,"context":83},249,{"file":41,"line":89,"context":83},256,{"file":41,"line":91,"context":83},261,{"file":41,"line":93,"context":83},312,{"file":41,"line":93,"context":83},{"file":41,"line":93,"context":83},{"file":41,"line":93,"context":83},{"file":41,"line":98,"context":83},315,{"file":41,"line":98,"context":83},{"file":41,"line":101,"context":83},317,{"file":41,"line":103,"context":83},348,{"file":41,"line":105,"context":83},349,{"file":41,"line":107,"context":83},356,{"file":41,"line":109,"context":83},362,{"file":41,"line":111,"context":83},366,{"file":41,"line":113,"context":83},370,{"file":41,"line":115,"context":83},374,[],[118,136],{"entryPoint":119,"graph":120,"unsanitizedCount":28,"severity":135},"display_buttons_editor (wysiwyg_button_manager.php:328)",{"nodes":121,"edges":132},[122,127],{"id":123,"type":124,"label":125,"file":41,"line":126},"n0","source","$_REQUEST (x4)",338,{"id":128,"type":129,"label":130,"file":41,"line":109,"wp_function":131},"n1","sink","echo() [XSS]","echo",[133],{"from":123,"to":128,"sanitized":134},false,"medium",{"entryPoint":137,"graph":138,"unsanitizedCount":28,"severity":144},"\u003Cwysiwyg_button_manager> (wysiwyg_button_manager.php:0)",{"nodes":139,"edges":142},[140,141],{"id":123,"type":124,"label":125,"file":41,"line":126},{"id":128,"type":129,"label":130,"file":41,"line":109,"wp_function":131},[143],{"from":123,"to":128,"sanitized":134},"low",{"summary":146,"deductions":147},"The \"wysiwyg-button-manager\" v0.5 plugin presents a mixed security profile.  On the positive side, it boasts a zero attack surface in terms of AJAX handlers, REST API routes, shortcodes, and cron events, indicating a deliberate effort to limit entry points.  
Furthermore, there's no known vulnerability history, which can indicate past security diligence, although for a plugin last updated in 2007 it may equally reflect limited scrutiny. However, the static analysis reveals significant concerns, most notably a call to `unserialize` without any apparent sanitization or nonce checks; the scan does not establish where the serialized value originates, so object injection is a risk to verify rather than a confirmed finding. Combined with a complete lack of output escaping and capability checks, this creates a substantial risk. The taint analysis showing two flows with unsanitized paths further exacerbates this: in both, `$_REQUEST` values reach `echo` without sanitization, so user-controlled data could be echoed into the page and run as script in the viewer's browser (XSS), or lead to other vulnerabilities.",[148,151,154,156,158,161],{"reason":149,"points":150},"Unescaped output",6,{"reason":152,"points":153},"Dangerous function: unserialize",15,{"reason":155,"points":11},"No nonce checks",{"reason":157,"points":11},"No capability checks",{"reason":159,"points":160},"Taint flow with unsanitized paths",12,{"reason":162,"points":163},"SQL queries not fully prepared",5,"2026-03-16T23:55:52.123Z",{"wat":166,"direct":173},{"assetPaths":167,"generatorPatterns":169,"scriptPaths":170,"versionParams":171},[168],"\u002Fwp-content\u002Fplugins\u002Fwysiwyg-button-manager\u002Fjs\u002Fwysiwyg-button-manager.js",[],[],[172],"wysiwyg-button-manager\u002Fjs\u002Fwysiwyg-button-manager.js?ver=",{"cssClasses":174,"htmlComments":175,"htmlAttributes":176,"restEndpoints":179,"jsGlobals":180,"shortcodeOutput":181},[],[],[177,178],"name=\"users_panel\"","id=\"updateusers\"",[],[],[]]