[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fvnIytDCa3F9W0gKDXt9zcSSNIQVQdqpb0ZtuWhGt8dg":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":15,"requires_php":15,"tags":16,"homepage":15,"download_link":17,"security_score":18,"vuln_count":13,"unpatched_count":13,"last_vuln_date":19,"fetched_at":20,"vulnerabilities":21,"developer":22,"crawl_stats":19,"alternatives":28,"analysis":29,"fingerprints":73},"xbox-live-avatar-widget","XBOX Live Avatar","0.9","williampatton","https:\u002F\u002Fprofiles.wordpress.org\u002Fwilliampatton\u002F","\u003Cp>Adds your XBOX Live Avatar to your sidebar.\u003C\u002Fp>\n","Adds your XBOX Live Avatar to your sidebar.",10,1816,0,"2010-01-25T19:47:00.000Z","",[],"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fxbox-live-avatar-widget.zip",85,null,"2026-03-15T15:16:48.613Z",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":23,"total_installs":24,"avg_security_score":18,"avg_patch_time_days":25,"trust_score":26,"computed_at":27},4,210,30,84,"2026-04-04T16:04:07.462Z",[],{"attackSurface":30,"codeSignals":42,"taintFlows":61,"riskAssessment":62,"analyzedAt":72},{"hooks":31,"ajaxHandlers":38,"restRoutes":39,"shortcodes":40,"cronEvents":41,"entryPointCount":13,"unprotectedCount":13},[32],{"type":33,"name":34,"callback":35,"file":36,"line":37},"action","plugins_loaded","widget_xboxavatar_init","xboxliveavatar.php",46,[],[],[],[],{"dangerousFunctions":43,"sqlUsage":44,"outputEscaping":46,"fileOperations":13,"externalRequests":13,"nonceChecks":13,"capabilityChecks":13,"bundledLibraries":60},[],{"prepared":13,"raw":13,"locations":45},[],{"escaped":13,"rawEcho":47,"locations":48},5,[49,52,54,56,58],{"file":36,"line":50,"context":51},20,"raw output",{"file":36,"line":53,"context":51},21,{"file":36,"line":55,"context":51},22,{"file":36,"line":57,"context":51},37,{"file":36,"line":59,"context":51},38,[],[],{"summary":63,"deductions":64},"The xbox-live-avatar-widget plugin version 0.9 exhibits a concerning lack of basic security hygiene, despite the absence of known vulnerabilities and a seemingly small attack surface.  The static analysis reveals a significant weakness in output escaping, with 0% of the observed outputs being properly escaped. This means that any data displayed to users could potentially be manipulated by an attacker, leading to cross-site scripting (XSS) vulnerabilities. Furthermore, the complete absence of nonce and capability checks across all entry points is a critical oversight. While there are no direct AJAX handlers or REST API routes exposed without authentication, the lack of these fundamental checks on any potential future entry points or within internal functions leaves the plugin vulnerable to various unauthorized actions and privilege escalation attacks. The plugin's vulnerability history being clean is positive but does not mitigate the current, evident security flaws.",[65,68,70],{"reason":66,"points":67},"Output escaping is not implemented",8,{"reason":69,"points":47},"No nonce checks implemented",{"reason":71,"points":47},"No capability checks implemented","2026-03-17T00:59:40.985Z",{"wat":74,"direct":79},{"assetPaths":75,"generatorPatterns":76,"scriptPaths":77,"versionParams":78},[],[],[],[],{"cssClasses":80,"htmlComments":81,"htmlAttributes":82,"restEndpoints":83,"jsGlobals":84,"shortcodeOutput":85},[],[],[],[],[],[86],"\u003Ciframe src=\"http:\u002F\u002Favatar.xboxlive.com\u002Favatar\u002F"]