[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f5OPbz_yqIKO-CVQsHd1XA25-4dSbb6N5KvJM0OS-cf8":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":24,"download_link":25,"security_score":26,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29,"vulnerabilities":30,"developer":45,"crawl_stats":36,"alternatives":53,"analysis":148,"fingerprints":317},"xm-backup","XM-Backup","0.9.1","Xavier Media","https:\u002F\u002Fprofiles.wordpress.org\u002Fandreasbylund\u002F","\u003Cp>This plugin will do a backup of your WordPress database and, or your files in wp-content\u002Fuploads and saves\u003Cbr \u002F>\nit somewhere safe. You can have the backup saved in your \u003Ca href=\"http:\u002F\u002Fdb.tt\u002F9Jo39Xy\" rel=\"nofollow ugc\">Dropbox account\u003C\u002Fa>, a FTP account of your choice, your\u003Cbr \u002F>\naccount with \u003Ca href=\"http:\u002F\u002Fwww.securepaynet.net\u002Femail\u002Fonline-file-storage.aspx?ci=1796&prog_id=xaviermedia&isc=xmbackup\" rel=\"nofollow ugc\">Online File Folder\u003C\u002Fa>, or have the backup emailed to you (not recommended for large files). You can\u003Cbr \u002F>\nselect to have the backups named the same every day or to have a date added to each file name.\u003C\u002Fp>\n\u003Cp>This plugin requires PHP, cURL, PHP compiled with ZIP support, and Oauth (for Dropbox).\u003C\u002Fp>\n\u003Cp>** NO WARRANTY SUPPLIED! **\u003C\u002Fp>\n\u003Cp>** Make sure you test your Backups! 
**\u003C\u002Fp>\n","Does a backup of your Wordpress database and, or your files in wp-content\u002Fuploads and saves it in a safe location.",60,13425,0,"2012-05-19T19:24:00.000Z","3.3.2","2.7.0","",[19,20,21,22,23],"backup","database","dropbox","files","ftp","http:\u002F\u002Fwww.xaviermedia.com\u002Fwordpress\u002Fplugins\u002Fxm-backup.php","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fxm-backup.zip",63,1,"2025-08-25 00:00:00","2026-03-15T15:16:48.613Z",[31],{"id":32,"url_slug":33,"title":34,"description":35,"plugin_slug":4,"theme_slug":36,"affected_versions":37,"patched_in_version":36,"severity":38,"cvss_score":39,"cvss_vector":40,"vuln_type":41,"published_date":28,"updated_date":42,"references":43,"days_to_patch":36},"CVE-2025-48109","xm-backup-cross-site-request-forgery","XM-Backup \u003C= 0.9.1 - Cross-Site Request Forgery","The XM-Backup plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.1. This is due to missing or incorrect nonce validation on a function. 
This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.",null,"\u003C=0.9.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2025-09-03 20:01:45",[44],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff870f201-deed-4ee1-8468-35cf469b6e6d?source=api-prod",{"slug":46,"display_name":7,"profile_url":8,"plugin_count":47,"total_installs":48,"avg_security_score":49,"avg_patch_time_days":50,"trust_score":51,"computed_at":52},"andreasbylund",2,70,74,30,76,"2026-04-05T02:28:22.775Z",[54,72,97,114,131],{"slug":55,"name":56,"version":57,"author":58,"author_profile":59,"description":60,"short_description":61,"active_installs":50,"downloaded":62,"rating":63,"num_ratings":27,"last_updated":17,"tested_up_to":64,"requires_at_least":65,"requires_php":66,"tags":67,"homepage":69,"download_link":70,"security_score":63,"vuln_count":13,"unpatched_count":13,"last_vuln_date":36,"fetched_at":71},"atec-backup","atec Backup","1.1.37","docjojo","https:\u002F\u002Fprofiles.wordpress.org\u002Fdocjojo\u002F","\u003Cp>atec Backup provides a clean, high-performance backup and restore system for WordPress.\u003C\u002Fp>\n\u003Cp>Back up your full database and selected file paths with precision. You can exclude specific tables or folders and optionally upload backups to a remote FTP server.\u003C\u002Fp>\n\u003Cp>Manual and automatic backups are supported. 
The background job uses WP-Cron to execute scheduled backups silently.\u003C\u002Fp>\n\u003Ch3>Specifications\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Schedule: Manual and automatic (via WP-Cron)  \u003C\u002Fli>\n\u003Cli>Storage: Local + optional FTP\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Requirements\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>ZIP extension  \u003C\u002Fli>\n\u003Cli>PDO extension  \u003C\u002Fli>\n\u003Cli>Write access to the uploads directory\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Third-Party Services\u003C\u002Fh3>\n\u003Ch3>Integrity check\u003C\u002Fh3>\n\u003Cp>Once, when activating the plugin, an integrity check is requested from our server – if you give your permission.\u003Cbr \u002F>\nSource: https:\u002F\u002Fatecplugins.com\u002F\u003Cbr \u002F>\nPrivacy policy: https:\u002F\u002Fatecplugins.com\u002Fprivacy-policy\u002F\u003C\u002Fp>\n","All-in-one backup and restore solution – fast & reliable.",2680,100,"6.9.4","4.9","7.4",[19,20,22,23,68],"restore","https:\u002F\u002Fatecplugins.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fatec-backup.1.1.37.zip","2026-03-15T10:48:56.248Z",{"slug":73,"name":74,"version":75,"author":76,"author_profile":77,"description":78,"short_description":79,"active_installs":80,"downloaded":81,"rating":82,"num_ratings":83,"last_updated":84,"tested_up_to":64,"requires_at_least":85,"requires_php":86,"tags":87,"homepage":92,"download_link":93,"security_score":94,"vuln_count":95,"unpatched_count":13,"last_vuln_date":96,"fetched_at":29},"wp-database-backup","WP Database Backup – Unlimited Database & Files Backup by Backup for WP","7.9","Backup For WP","https:\u002F\u002Fprofiles.wordpress.org\u002Fdatabasebackup\u002F","\u003Cp>WP Database Backup plugin helps you to create Database Backup and Restore Database Backup easily on single click. 
Manual or Automated Database Backups And also store database backup on safe place- Dropbox,FTP,Email,Google drive, Amazon S3\u003C\u002Fp>\n\u003Ch3>Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Create Database Backup\u003Cbr \u002F>\nWP Database Backup plugin helps you to create Database Backup easily on single click.\u003C\u002Fli>\n\u003Cli>Auto Backup – Backup automatically on a repeating \u003Cstrong>schedule\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>Website Migration – Migration Your Site with Just One Click!\u003C\u002Fli>\n\u003Cli>Download backup file direct from your WordPress dashboard\u003C\u002Fli>\n\u003Cli>Easy To Install(Very easy to use)\u003Cbr \u002F>\nWP Database Backup is super easy to install. \u003C\u002Fli>\n\u003Cli>Simple to configure(very less configuration), less than a minute.\u003C\u002Fli>\n\u003Cli>Restore Database Backup\u003Cbr \u002F>\nWP Database Backup plugin helps you to Restore Database Backup easily on single click.\u003C\u002Fli>\n\u003Cli>Multiple storage destinations\u003C\u002Fli>\n\u003Cli>Store database backup on safe place- \u003Cstrong> Dropbox, Google drive, Amazon s3, FTP, sFTP, Backblaze, Email\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>Reporting- Sends emailed backups and backup reports to any email addresses\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Exclude Table\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>Database backup list pagination\u003C\u002Fli>\n\u003Cli>Search and Replace in database backup file.\u003C\u002Fli>\n\u003Cli>Search backup from list(Date\u002F Database Size)\u003C\u002Fli>\n\u003Cli>Sort backup list (Date\u002F Database Size)\u003C\u002Fli>\n\u003Cli>Save database backup file in zip format on local server And Send database backup file to destination in zip format\u003C\u002Fli>\n\u003Cli>Documentation\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Subscribe to Backup for WP Cloudstorage\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>We are excited to introduce a new feature for the Backup for WP plugin , our 
\u003Ca href=\"https:\u002F\u002Fbackupforwp.com\u002Fregister\" rel=\"nofollow ugc\">Backup For WP Cloudstorage\u003C\u002Fa>. \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Affordable Pricing\u003C\u002Fstrong>: Only $1 per 50GB of storage per website per month, with a flexible pay-as-you-go model. \u003C\u002Fli>\n\u003Cli>\u003Cstrong>14-Day Free Trial\u003C\u002Fstrong>: Start with a 14-day free trial to experience the benefits of cloud storage without any upfront cost.  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Scalable Storage\u003C\u002Fstrong>: Easily adjusts to your storage needs, providing as much space as required for your backups. \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Secure Cloud Storage\u003C\u002Fstrong>: All backups are stored securely in the cloud, protecting your data from unauthorized access \u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Support\u003C\u002Fh3>\n\u003Cp>We try our best to provide support on WordPress.org forums. However, We have a special \u003Ca href=\"https:\u002F\u002Fmagazine3.company\u002Fcontact\u002F\" rel=\"nofollow ugc\">team support\u003C\u002Fa> where you can ask us questions and get help. Delivering a good user experience means a lot to us and so we try our best to reply each and every question that gets asked.\u003C\u002Fp>\n\u003Ch3>Bug Reports\u003C\u002Fh3>\n\u003Cp>Bug reports for WP Database Backup  are \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fahmedkaludi\u002Fwp-database-backup\" rel=\"nofollow ugc\">welcomed on GitHub\u003C\u002Fa>. 
Please note GitHub is not a support forum, and issues that aren’t properly qualified as bugs will be closed.\u003C\u002Fp>\n\u003Ch3>Credits\u003C\u002Fh3>\n\u003Cp>This plugin uses the following third-party libraries:\u003C\u002Fp>\n\u003Col>\n\u003Cli>\n\u003Cp>\u003Cstrong> Google APIs Client Library for PHP \u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Author: Google\u003C\u002Fli>\n\u003Cli>URL: https:\u002F\u002Fgithub.com\u002Fgoogleapis\u002Fgoogle-api-php-client\u003C\u002Fli>\n\u003Cli>License: Apache License, Version 2.0 (the “License”)\u003C\u002Fli>\n\u003Cli>License URL: http:\u002F\u002Fwww.apache.org\u002Flicenses\u002FLICENSE-2.0\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong> PHP Secure Communications Library \u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Author: phpseclib\u003C\u002Fli>\n\u003Cli>URL:https:\u002F\u002Fgithub.com\u002Fphpseclib\u002Fphpseclib\u003C\u002Fli>\n\u003Cli>License: MIT License (or any other applicable license)\u003C\u002Fli>\n\u003Cli>License URL: http:\u002F\u002Fopensource.org\u002Flicenses\u002FMIT\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>PhpConcept Library – Zip Module \u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Author: Vincent Blavet\u003C\u002Fli>\n\u003Cli>URL:http:\u002F\u002Fwww.phpconcept.net\u003C\u002Fli>\n\u003Cli>License: License GNU\u002FLGPL\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>phpFileTree \u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Author: Cory S.N. LaViska’s\u003C\u002Fli>\n\u003Cli>URL: https:\u002F\u002Fwww.abeautifulsite.net\u002Fblog\u002F2007\u002F06\u002Fphp-file-tree\u002F\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Fol>\n","Create & Restore Database Backup easily on single click. 
Manual or automated backups (backup to Dropbox, Google drive, Amazon s3,FTP,Email).",30000,2173638,88,101,"2026-01-22T06:51:00.000Z","3.1","5.6.20",[19,88,89,90,91],"cloud-backup","database-backup","files-backup","wordpress-backup","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwp-database-backup","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-database-backup.7.9.zip",87,13,"2025-01-08 00:00:00",{"slug":98,"name":99,"version":100,"author":101,"author_profile":102,"description":103,"short_description":104,"active_installs":105,"downloaded":106,"rating":13,"num_ratings":13,"last_updated":17,"tested_up_to":107,"requires_at_least":108,"requires_php":17,"tags":109,"homepage":112,"download_link":113,"security_score":63,"vuln_count":13,"unpatched_count":13,"last_vuln_date":36,"fetched_at":71},"drop-in-dropbox","Drop in Dropbox","0.2.7","Denis Buka","https:\u002F\u002Fprofiles.wordpress.org\u002Fdenis-buka\u002F","\u003Cp>This plugin allows you to upload single files or entire directories with subdirectories to your Dropbox account. You can use it for backup, synchronization or whatever uploading tasks you may have.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Features overview:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Upload entire directories with subdirectories to your Dropbox account.   \u003C\u002Fli>\n\u003Cli>Backup your entire site files by pointing to the WordPress installation directory.   \u003C\u002Fli>\n\u003Cli>Specify a Dropbox folder to which your files should be uploaded. If such folder doesn’t exist it will be created.   
\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>My other plugins:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Intuitive Navigation (https:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Fintuitive-navigation\u002F)   \u003C\u002Fli>\n\u003Cli>Generate Cache (https:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Fgenerate-cache\u002F)   \u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Links: \u003Ca href=\"http:\u002F\u002Fsteamingkettle.net\" rel=\"nofollow ugc\">Steaming Kettle Website Design & Video Production Studio\u003C\u002Fa>\u003C\u002Fp>\n","Upload single files or entire directories with subdirectories to your Dropbox account.",10,8010,"3.4.2","3.2",[19,110,21,22,111],"directories","upload","http:\u002F\u002Fsteamingkettle.net\u002Fweb-design\u002Fwordpress-plugins\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdrop-in-dropbox.0.2.7.zip",{"slug":115,"name":116,"version":117,"author":118,"author_profile":119,"description":120,"short_description":121,"active_installs":105,"downloaded":122,"rating":13,"num_ratings":13,"last_updated":123,"tested_up_to":124,"requires_at_least":125,"requires_php":17,"tags":126,"homepage":128,"download_link":129,"security_score":130,"vuln_count":13,"unpatched_count":13,"last_vuln_date":36,"fetched_at":29},"site-backup","Site Backup","1.0.0","Elementor Addon","https:\u002F\u002Fprofiles.wordpress.org\u002Felementoraddon\u002F","\u003Cp>Backing up your website is very important. Data loss is common in WordPress websites. So don’t take any risks. Use site backup to backup your website with just one click. Also restore your website with just one click. Backup and restoring has never been easier with Site Backup plugin.\u003C\u002Fp>\n\u003Cp>Schedule automatic backup to hourly, twice daily, weekly, bi weekly, monthly. 
Just configure the settings and you don’t have to worry about backing up your website anymore.\u003C\u002Fp>\n\u003Ch4>Key Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Automatic Backup\u003C\u002Fli>\n\u003Cli>Backup with one click\u003C\u002Fli>\n\u003Cli>Restore with one click\u003C\u002Fli>\n\u003Cli>Backup Files\u002FFolders\u003C\u002Fli>\n\u003Cli>Backup Database\u003C\u002Fli>\n\u003Cli>Set Backup Frequency to Hourly, Twice Daily, Daily, Weekly, Bi-Weekly and Monthly\u003C\u002Fli>\n\u003Cli>Exclude file\u002Ffolders that you do not want to backup.\u003C\u002Fli>\n\u003Cli>Receive Notification email when a backup is taken successfully.\u003C\u002Fli>\n\u003C\u002Ful>\n","Backup and restore your site in one click. Schedule automatic backup of your site. No worries anymore!!!",3535,"2017-03-18T00:34:00.000Z","4.7.32","4.4",[19,89,90,91,127],"wp-backup","http:\u002F\u002Fwww.giribaz.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsite-backup.zip",85,{"slug":132,"name":133,"version":134,"author":135,"author_profile":136,"description":137,"short_description":138,"active_installs":13,"downloaded":139,"rating":13,"num_ratings":13,"last_updated":140,"tested_up_to":141,"requires_at_least":142,"requires_php":66,"tags":143,"homepage":146,"download_link":147,"security_score":63,"vuln_count":13,"unpatched_count":13,"last_vuln_date":36,"fetched_at":29},"tiny-backup","Tiny Backup","1.1.1","Takashi Fujisaki","https:\u002F\u002Fprofiles.wordpress.org\u002Fejointjp\u002F","\u003Cp>Tiny Backup is a WordPress plugin that allows you to create backup files simply and without any complicated configuration.\u003Cbr \u002F>\nYou can create and download the bare minimum backup with just one click, stress-free.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Database backup (SQL inside ZIP)\u003C\u002Fli>\n\u003Cli>Files backup (select folders under \u003Ccode>wp-content\u003C\u002Fcode>)\u003C\u002Fli>\n\u003Cli>Clear progress indicator and logs\u003C\u002Fli>\n\u003Cli>No 
external services; everything runs on your server\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This plugin is ideal for small to medium sites that need quick on-demand backups.\u003C\u002Fp>\n","Simple and minimal backup plugin for WordPress. Create database and files backups with one click.",174,"2025-11-18T03:09:00.000Z","6.8.5","6.0",[144,19,20,22,145],"admin","zip","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Ftiny-backup\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftiny-backup.1.1.1.zip",{"attackSurface":149,"codeSignals":167,"taintFlows":237,"riskAssessment":294,"analyzedAt":316},{"hooks":150,"ajaxHandlers":161,"restRoutes":162,"shortcodes":163,"cronEvents":164,"entryPointCount":13,"unprotectedCount":13},[151,157],{"type":152,"name":153,"callback":154,"file":155,"line":156},"action","xmbackup_DoMyBackup","xmbackup_DoBackup","xm-backup.php",14,{"type":152,"name":158,"callback":159,"file":155,"line":160},"admin_menu","xmbackup_addoption",612,[],[],[],[165],{"hook":153,"callback":153,"file":155,"line":166},406,{"dangerousFunctions":168,"sqlUsage":177,"outputEscaping":183,"fileOperations":235,"externalRequests":47,"nonceChecks":13,"capabilityChecks":13,"bundledLibraries":236},[169,173,175],{"fn":170,"file":155,"line":171,"context":172},"unserialize",153,"$options = unserialize($opt);",{"fn":170,"file":155,"line":174,"context":172},348,{"fn":170,"file":155,"line":176,"context":172},421,{"prepared":27,"raw":47,"locations":178},[179,181],{"file":155,"line":49,"context":180},"$wpdb->get_results() with variable interpolation",{"file":155,"line":182,"context":180},81,{"escaped":13,"rawEcho":184,"locations":185},25,[186,189,192,194,196,198,200,202,204,206,208,210,212,214,216,218,219,221,223,225,227,229,231,232,234],{"file":187,"line":184,"context":188},"dropbox\\examples\\download_image.php","raw 
output",{"file":190,"line":191,"context":188},"dropbox\\examples\\oauth_workflow.php",36,{"file":155,"line":193,"context":188},437,{"file":155,"line":195,"context":188},455,{"file":155,"line":197,"context":188},457,{"file":155,"line":199,"context":188},461,{"file":155,"line":201,"context":188},462,{"file":155,"line":203,"context":188},464,{"file":155,"line":205,"context":188},474,{"file":155,"line":207,"context":188},475,{"file":155,"line":209,"context":188},484,{"file":155,"line":211,"context":188},485,{"file":155,"line":213,"context":188},487,{"file":155,"line":215,"context":188},496,{"file":155,"line":217,"context":188},498,{"file":155,"line":217,"context":188},{"file":155,"line":220,"context":188},522,{"file":155,"line":222,"context":188},527,{"file":155,"line":224,"context":188},542,{"file":155,"line":226,"context":188},543,{"file":155,"line":228,"context":188},567,{"file":155,"line":230,"context":188},578,{"file":155,"line":230,"context":188},{"file":155,"line":233,"context":188},579,{"file":155,"line":233,"context":188},9,[],[238,277],{"entryPoint":239,"graph":240,"unsanitizedCount":95,"severity":276},"xmbackup_options (xm-backup.php:315)",{"nodes":241,"edges":270},[242,247,253,255,258,261,265,268],{"id":243,"type":244,"label":245,"file":155,"line":246},"n0","source","$_REQUEST",392,{"id":248,"type":249,"label":250,"file":155,"line":251,"wp_function":252},"n1","sink","update_option() [Settings Manipulation]",410,"update_option",{"id":254,"type":244,"label":245,"file":155,"line":246},"n2",{"id":256,"type":249,"label":257,"file":155,"line":176,"wp_function":170},"n3","unserialize() [Object Injection]",{"id":259,"type":244,"label":260,"file":155,"line":193},"n4","$_SERVER['REQUEST_URI']",{"id":262,"type":249,"label":263,"file":155,"line":193,"wp_function":264},"n5","echo() [XSS]","echo",{"id":266,"type":244,"label":267,"file":155,"line":246},"n6","$_REQUEST 
(x10)",{"id":269,"type":249,"label":263,"file":155,"line":199,"wp_function":264},"n7",[271,273,274,275],{"from":243,"to":248,"sanitized":272},false,{"from":254,"to":256,"sanitized":272},{"from":259,"to":262,"sanitized":272},{"from":266,"to":269,"sanitized":272},"high",{"entryPoint":278,"graph":279,"unsanitizedCount":95,"severity":276},"\u003Cxm-backup> (xm-backup.php:0)",{"nodes":280,"edges":289},[281,282,283,284,285,286,287,288],{"id":243,"type":244,"label":245,"file":155,"line":246},{"id":248,"type":249,"label":250,"file":155,"line":251,"wp_function":252},{"id":254,"type":244,"label":245,"file":155,"line":246},{"id":256,"type":249,"label":257,"file":155,"line":176,"wp_function":170},{"id":259,"type":244,"label":260,"file":155,"line":193},{"id":262,"type":249,"label":263,"file":155,"line":193,"wp_function":264},{"id":266,"type":244,"label":267,"file":155,"line":246},{"id":269,"type":249,"label":263,"file":155,"line":199,"wp_function":264},[290,291,292,293],{"from":243,"to":248,"sanitized":272},{"from":254,"to":256,"sanitized":272},{"from":259,"to":262,"sanitized":272},{"from":266,"to":269,"sanitized":272},{"summary":295,"deductions":296},"The \"xm-backup\" v0.9.1 plugin exhibits a concerning security posture. While the attack surface appears limited with no directly exposed AJAX handlers, REST API routes, or shortcodes, this is overshadowed by significant code-level weaknesses. The presence of the `unserialize` function is a critical red flag, especially when combined with the fact that no capability checks or nonce verifications are implemented for entry points.  Taint analysis further highlights risk, revealing two flows with unsanitized paths, indicating potential for vulnerabilities like Remote Code Execution or arbitrary file writes.\n\nThe plugin's vulnerability history, though not showing critical or high-severity issues recently, does indicate a past medium-severity vulnerability, specifically a Cross-Site Request Forgery (CSRF). 
The fact that one CVE remains unpatched is a serious concern and suggests a lack of active maintenance or a deliberate risk taken by users. The complete lack of output escaping is another significant weakness, opening the door to potential Cross-Site Scripting (XSS) attacks. In conclusion, while the plugin may have a small attack surface, the identified code signals and vulnerability history point to a high-risk scenario, primarily due to the misuse of dangerous functions, lack of input validation, absence of security checks, and unpatched historical vulnerabilities.",[297,300,303,306,308,310,313],{"reason":298,"points":299},"Unpatched CVE",18,{"reason":301,"points":302},"Taint flows with unsanitized paths (High severity)",12,{"reason":304,"points":305},"Dangerous function: unserialize",15,{"reason":307,"points":105},"No nonce checks",{"reason":309,"points":105},"No capability checks",{"reason":311,"points":312},"SQL queries not using prepared statements",7,{"reason":314,"points":315},"Output escaping: 0% properly escaped",8,"2026-03-16T21:50:38.863Z",{"wat":318,"direct":326},{"assetPaths":319,"generatorPatterns":323,"scriptPaths":324,"versionParams":325},[320,321,322],"\u002Fwp-content\u002Fplugins\u002Fxm-backup\u002Fdropbox\u002Foauth.php","\u002Fwp-content\u002Fplugins\u002Fxm-backup\u002Fdropbox\u002FAPI.php","\u002Fwp-content\u002Fplugins\u002Fxm-backup\u002Fdropbox\u002FOAuth.php",[],[],[],{"cssClasses":327,"htmlComments":328,"htmlAttributes":329,"restEndpoints":330,"jsGlobals":331,"shortcodeOutput":332},[],[],[],[],[],[]]