[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f7rO1-dCqxUIU1I3i67Abru3R-qgaXFTW5kz4-nVkCfc":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":23,"download_link":24,"security_score":25,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28,"vulnerabilities":29,"developer":30,"crawl_stats":27,"alternatives":36,"analysis":143,"fingerprints":377},"yarns-microsub-server","Yarns Microsub Server","1.1.0","jackjamieson","https:\u002F\u002Fprofiles.wordpress.org\u002Fsurfjamrest\u002F","\u003Cp>Yarns Microsub Server helps you follow feeds from across the Web. Enter a website and Yarns will help you find and subscribe to its feed(s) in several different formats (Microformats, RSS, Atom, JSONFeed). Once you’ve added feeds, new posts are collected in the background for you to read whenever you want.\u003C\u002Fp>\n\u003Cp>Rather than viewing posts in Yarns itself, you can choose among \u003Ca href=\"https:\u002F\u002Findieweb.org\u002FMicrosub#Clients\" rel=\"nofollow ugc\">several different apps\u003C\u002Fa> to follow your feeds on your desktop or mobile device.\u003C\u002Fp>\n\u003Cp>No matter which app you choose to view your feed, your replies will be posted on your own website.\u003C\u002Fp>\n\u003Cp>Accompanied by other plugins that support \u003Ca href=\"https:\u002F\u002Findieweb.org\" rel=\"nofollow ugc\">IndieWeb\u003C\u002Fa> standards, Yarns can help use your personal website as the centre of your online identity.\u003C\u002Fp>\n\u003Ch3>Getting started\u003C\u002Fh3>\n\u003Cp>Please see instructions for installing and using Yarns at \u003Ca href=\"https:\u002F\u002Fjackjamieson.net\u002Fyarns-microsub-server-getting-started-guide\u002F\" rel=\"nofollow 
ugc\">jackjamieson.net\u002Fyarns-microsub-server-getting-started-guide\u002F\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Support\u003C\u002Fh3>\n\u003Cp>For support, please file an issue at \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fjackjamieson2\u002Fyarns-microsub-server\" rel=\"nofollow ugc\">github.com\u002Fjackjamieson2\u002Fyarns-microsub-server\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>Acknowledgements\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Relies on David Shanske’s \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fdshanske\u002Fparse-this\" rel=\"nofollow ugc\">Parse-This\u003C\u002Fa> and Barnaby Walters’ \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fmicroformats\u002Fphp-mf2\" rel=\"nofollow ugc\">PHP-MF2\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Inspiration from Ashton McAllan’s \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Facegiak\u002FWhisperFollow\" rel=\"nofollow ugc\">WhisperFollow plugin\u003C\u002Fa>, Kyle Mahan’s \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fkylewm\u002Fwoodwind\" rel=\"nofollow ugc\">Woodwind\u003C\u002Fa>, and Aaron Parecki’s \u003Ca href=\"https:\u002F\u002Faperture.p3k.io\" rel=\"nofollow ugc\">Aperture\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Loading spinner created with \u003Ca href=\"https:\u002F\u002Floading.io\u002Fspinner\u002Fwedges\u002F-rotate-pie-preloader-gif\" rel=\"nofollow ugc\">loading.io\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Thanks to many members of IndieWeb’s community for feedback, suggestions, inspiration and help.\u003C\u002Fli>\n\u003C\u002Ful>\n","Using your own WordPress site, aggregate a social timeline of your favourite sites from across the Web and then view and reply to your feeds using a M 
&hellip;",10,2501,100,2,"2021-07-24T05:45:00.000Z","5.8.13","5.5","",[20,21,22],"indieweb","microsub","reader","https:\u002F\u002Fgithub.com\u002Fjackjamieson2\u002Fyarns-microsub-server","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fyarns-microsub-server.1.1.0.zip",85,0,null,"2026-03-15T15:16:48.613Z",[],{"slug":31,"display_name":7,"profile_url":8,"plugin_count":32,"total_installs":11,"avg_security_score":25,"avg_patch_time_days":33,"trust_score":34,"computed_at":35},"surfjamrest",1,30,84,"2026-04-04T15:32:24.619Z",[37,53,75,97,121],{"slug":38,"name":39,"version":40,"author":41,"author_profile":42,"description":43,"short_description":44,"active_installs":11,"downloaded":45,"rating":26,"num_ratings":26,"last_updated":46,"tested_up_to":47,"requires_at_least":48,"requires_php":49,"tags":50,"homepage":51,"download_link":52,"security_score":25,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28},"aperture","Aperture","1.0.2","aaronpk","https:\u002F\u002Fprofiles.wordpress.org\u002Faaronpk\u002F","\u003Cp>This plugin adds a \u003Ca href=\"https:\u002F\u002Findieweb.org\u002FMicrosub\" rel=\"nofollow ugc\">Microsub\u003C\u002Fa> endpoint to your WordPress site by using the hosted \u003Ca href=\"https:\u002F\u002Faperture.p3k.io\" rel=\"nofollow ugc\">Aperture\u003C\u002Fa> service. This lets you log in to social readers like \u003Ca href=\"https:\u002F\u002Fmonocle.p3k.io\" rel=\"nofollow ugc\">Monocle\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Findigenous.abode.pub\u002Fios\u002F\" rel=\"nofollow ugc\">Indigenous\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>This plugin requires the \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Findieauth\u002F\" rel=\"ugc\">WordPress IndieAuth plugin\u003C\u002Fa>. 
Please ensure that plugin is installed and activated first before attempting to install the Aperture plugin.\u003C\u002Fp>\n\u003Cp>When this plugin is activated, it registers a new account at \u003Ca href=\"https:\u002F\u002Faperture.p3k.io\" rel=\"nofollow ugc\">Aperture\u003C\u002Fa>. The \u003Ccode>\u003Clink rel=\"microsub\">\u003C\u002Fcode> tag is then added to your WordPress site automatically.\u003C\u002Fp>\n","This plugin adds a Microsub endpoint to your WordPress site by using the hosted Aperture service. This lets you log in to social readers like Monocle  &hellip;",2403,"2018-08-21T00:27:00.000Z","4.9.29","4.7","5.3",[38,20,21],"https:\u002F\u002Fgithub.com\u002Faaronpk\u002Faperture-wordpress","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faperture.zip",{"slug":54,"name":55,"version":56,"author":57,"author_profile":58,"description":59,"short_description":60,"active_installs":61,"downloaded":62,"rating":13,"num_ratings":63,"last_updated":64,"tested_up_to":65,"requires_at_least":66,"requires_php":67,"tags":68,"homepage":72,"download_link":73,"security_score":13,"vuln_count":32,"unpatched_count":26,"last_vuln_date":74,"fetched_at":28},"pubsubhubbub","WebSub (FKA. PubSubHubbub)","4.0.0","joshfraz","https:\u002F\u002Fprofiles.wordpress.org\u002Fjoshfraz\u002F","\u003Cp>This plugin implements the \u003Ca href=\"https:\u002F\u002Fwww.w3.org\u002FTR\u002Fwebsub\u002F\" rel=\"nofollow ugc\">WebSub\u003C\u002Fa> protocol (formerly known as PubSubHubbub) for WordPress. 
It enables real-time notifications when your blog is updated and provides a subscriber API for other plugins to consume WebSub-enabled feeds.\u003C\u002Fp>\n\u003Ch3>Publisher Features\u003C\u002Fh3>\n\u003Cp>When you publish or update a post, this plugin automatically notifies WebSub hubs, which then distribute the update to all subscribers in real-time.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Sends realtime notifications when you update your blog\u003C\u002Fli>\n\u003Cli>Supports multi-user installations (WordPress MU)\u003C\u002Fli>\n\u003Cli>Supports multiple hubs\u003C\u002Fli>\n\u003Cli>Supports all feed formats used by WordPress (Atom, RSS2, RDF)\u003C\u002Fli>\n\u003Cli>Adds \u003Ccode>\u003Clink rel=\"hub\">\u003C\u002Fcode> and \u003Ccode>\u003Clink rel=\"self\">\u003C\u002Fcode> declarations to feeds and HTML\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Subscriber Features\u003C\u002Fh3>\n\u003Cp>The plugin provides a subscriber API that allows other plugins (like feed readers) to subscribe to WebSub-enabled feeds using WordPress hooks.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>REST API callback endpoint for subscription verification and content delivery\u003C\u002Fli>\n\u003Cli>Hub discovery from topic URLs (HTTP Link headers and feed content)\u003C\u002Fli>\n\u003Cli>HMAC signature verification (SHA1, SHA256, SHA384, SHA512)\u003C\u002Fli>\n\u003Cli>Full lifecycle hooks for integration with other plugins\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Supported Specifications\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.w3.org\u002FTR\u002Fwebsub\u002F\" rel=\"nofollow ugc\">WebSub W3C Recommendation\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fpubsubhubbub.github.io\u002FPubSubHubbub\u002Fpubsubhubbub-core-0.4.html\" rel=\"nofollow ugc\">PubSubHubbub 0.4\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Default Hubs\u003C\u002Fh3>\n\u003Cp>By default this plugin will ping the following 
hubs:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fpubsubhubbub.appspot.com\" rel=\"nofollow ugc\">Demo hub on Google App Engine\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fpubsubhubbub.superfeedr.com\" rel=\"nofollow ugc\">SuperFeedr\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwebsubhub.com\" rel=\"nofollow ugc\">WebSubHub\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Please contact us if you operate a hub that you would like to be included as a default option.\u003C\u002Fp>\n","A WebSub plugin for WordPress that enables real-time publishing and subscription capabilities.",100000,2054851,6,"2026-01-22T11:03:00.000Z","6.9.4","4.5","7.2",[69,20,70,54,71],"feed","pubsub","websub","https:\u002F\u002Fgithub.com\u002Fpubsubhubbub\u002Fwordpress-pubsubhubbub\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpubsubhubbub.4.0.0.zip","2024-01-24 00:00:00",{"slug":76,"name":77,"version":78,"author":79,"author_profile":80,"description":81,"short_description":82,"active_installs":83,"downloaded":84,"rating":85,"num_ratings":86,"last_updated":87,"tested_up_to":65,"requires_at_least":88,"requires_php":89,"tags":90,"homepage":94,"download_link":95,"security_score":13,"vuln_count":32,"unpatched_count":26,"last_vuln_date":96,"fetched_at":28},"pdf-viewer-block","PDF Viewer Block for Gutenberg","1.1","Jb Audras","https:\u002F\u002Fprofiles.wordpress.org\u002Faudrasjb\u002F","\u003Cp>A simple, responsive and 100% free Gutenberg Block to display PDF Viewers \u002F Readers on your website.\u003C\u002Fp>\n\u003Cp>You can easily configure the Reader’s width, height and alignment on the fly.\u003C\u002Fp>\n\u003Cp>Compatibility:\u003Cbr \u002F>\n– Fully responsive\u003Cbr \u002F>\n– Works fine on Chrome, Firefox, Opera, Edge and IE11\u003Cbr \u002F>\n– If javascript is disabled, a download link is provided as a fallback\u003C\u002Fp>\n\u003Cp>This plugin uses \u003Ca 
href=\"https:\u002F\u002Fmozilla.github.io\u002Fpdf.js\u002F\" rel=\"nofollow ugc\">PDF.js\u003C\u002Fa> library, provided by Mozilla under Apache license.\u003C\u002Fp>\n","A simple and 100% free Gutenberg Block to display PDF Viewers \u002F Readers on your website.",10000,72473,96,9,"2025-11-27T08:56:00.000Z","5.0","5.6",[91,92,22,93],"pdf","pdf-block","viewer","https:\u002F\u002Fwww.whodunit.fr\u002Fgutenberg-pdf-viewer-block","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpdf-viewer-block.1.1.zip","2021-09-20 00:00:00",{"slug":98,"name":99,"version":100,"author":101,"author_profile":102,"description":103,"short_description":104,"active_installs":105,"downloaded":106,"rating":107,"num_ratings":108,"last_updated":109,"tested_up_to":65,"requires_at_least":110,"requires_php":111,"tags":112,"homepage":116,"download_link":117,"security_score":118,"vuln_count":119,"unpatched_count":26,"last_vuln_date":120,"fetched_at":28},"activitypub","ActivityPub","8.0.1","Automattic","https:\u002F\u002Fprofiles.wordpress.org\u002Fautomattic\u002F","\u003Cp>Enter the fediverse with \u003Cstrong>ActivityPub\u003C\u002Fstrong>, broadcasting your blog to a wider audience! 
Attract followers, deliver updates, and receive comments from a diverse user base of \u003Cstrong>ActivityPub\u003C\u002Fstrong>-compliant platforms.\u003C\u002Fp>\n\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FQzYozbNneVc?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n\u003Cp>With the ActivityPub plugin installed, your WordPress blog itself functions as a federated profile, along with profiles for each author. For instance, if your website is \u003Ccode>example.com\u003C\u002Fcode>, then the blog-wide profile can be found at \u003Ccode>@example.com@example.com\u003C\u002Fcode>, and authors like Jane and Bob would have their individual profiles at \u003Ccode>@jane@example.com\u003C\u002Fcode> and \u003Ccode>@bob@example.com\u003C\u002Fcode>, respectively.\u003C\u002Fp>\n\u003Cp>An example: I give you my Mastodon profile name: \u003Ccode>@pfefferle@mastodon.social\u003C\u002Fcode>. You search, see my profile, and hit follow. Now, any post I make appears in your Home feed. Similarly, with the ActivityPub plugin, you can find and follow Jane’s profile at \u003Ccode>@jane@example.com\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cp>Once you follow Jane’s \u003Ccode>@jane@example.com\u003C\u002Fcode> profile, any blog post she crafts on \u003Ccode>example.com\u003C\u002Fcode> will land in your Home feed. 
Simultaneously, by following the blog-wide profile \u003Ccode>@example.com@example.com\u003C\u002Fcode>, you’ll receive updates from all authors.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Note\u003C\u002Fstrong>: If no one follows your author or blog instance, your posts remain unseen. The simplest method to verify the plugin’s operation is by following your profile. If you possess a Mastodon profile, initiate by following your new one.\u003C\u002Fp>\n\u003Cp>The plugin works with the following tested federated platforms, but there may be more that it works with as well:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fjoinmastodon.org\u002F\" rel=\"nofollow ugc\">Mastodon\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fpleroma.social\u002F\" rel=\"nofollow ugc\">Pleroma\u003C\u002Fa>\u002F\u003Ca href=\"https:\u002F\u002Fakkoma.social\u002F\" rel=\"nofollow ugc\">Akkoma\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Ffriendi.ca\u002F\" rel=\"nofollow ugc\">friendica\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fhubzilla.org\u002F\" rel=\"nofollow ugc\">Hubzilla\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fpixelfed.org\u002F\" rel=\"nofollow ugc\">Pixelfed\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fsocialhome.network\u002F\" rel=\"nofollow ugc\">Socialhome\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fjoin.misskey.page\u002F\" rel=\"nofollow ugc\">Misskey\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Some things to note:\u003C\u002Fp>\n\u003Col>\n\u003Cli>The blog-wide profile is only compatible with sites with rewrite rules enabled. If your site does not have rewrite rules enabled, the author-specific profiles may still work.\u003C\u002Fli>\n\u003Cli>Many single-author blogs have chosen to turn off or redirect their author profile pages, usually via an SEO plugin like Yoast or Rank Math. 
This is usually done to avoid duplicate content with your blog’s home page. If your author page has been deactivated in this way, then ActivityPub author profiles won’t work for you. Instead, you can turn your author profile page back on, and then use the option in your SEO plugin to noindex the author page. This will still resolve duplicate content issues with search engines and will enable ActivityPub author profiles to work.\u003C\u002Fli>\n\u003Cli>Once ActivityPub is installed, \u003Cem>only new posts going forward\u003C\u002Fem> will be available in the fediverse. Likewise, even if you’ve been using ActivityPub for a while, anyone who follows your site will only see new posts you publish from that moment on. They will never see previously-published posts in their Home feed. This process is very similar to subscribing to a newsletter. If you subscribe to a newsletter, you will only receive future emails, but not the old archived ones. With ActivityPub, if someone follows your site, they will only receive new blog posts you publish from then on.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>So what’s the process?\u003C\u002Fp>\n\u003Col>\n\u003Cli>Install the ActivityPub plugin.\u003C\u002Fli>\n\u003Cli>Go to the plugin’s settings page and adjust the settings to your liking. Click the Save button when ready.\u003C\u002Fli>\n\u003Cli>Make sure your blog’s author profile page is active if you are using author profiles.\u003C\u002Fli>\n\u003Cli>Go to Mastodon or any other federated platform, and search for your profile, and follow it. 
Your new profile will be in the form of either \u003Ccode>@your_username@example.com\u003C\u002Fcode> or \u003Ccode>@example.com@example.com\u003C\u002Fcode>, so that is what you’ll search for.\u003C\u002Fli>\n\u003Cli>On your blog, publish a new post.\u003C\u002Fli>\n\u003Cli>From Mastodon, check to see if the new post appears in your Home feed.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>\u003Cstrong>Note\u003C\u002Fstrong>: It may take up to 15 minutes or so for the new post to show up in your federated feed. This is because the messages are sent to the federated platforms using a delayed cron. This avoids breaking the publishing process for those cases where users might have lots of followers. So please don’t assume that just because you didn’t see it show up right away that something is broken. Give it some time. In most cases, it will show up within a few minutes, and you’ll know everything is working as expected.\u003C\u002Fp>\n","Connect your site to the Open Social Web and let millions of users follow, share, and interact with your content from Mastodon, Pixelfed, and more.",6000,495122,98,39,"2026-03-11T09:26:00.000Z","6.5","7.4",[98,113,114,20,115],"activitystream","fediverse","social-web","https:\u002F\u002Fgithub.com\u002FAutomattic\u002Fwordpress-activitypub","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Factivitypub.8.0.1.zip",99,5,"2024-01-05 00:00:00",{"slug":122,"name":123,"version":124,"author":125,"author_profile":126,"description":127,"short_description":128,"active_installs":129,"downloaded":130,"rating":13,"num_ratings":131,"last_updated":132,"tested_up_to":65,"requires_at_least":133,"requires_php":67,"tags":134,"homepage":138,"download_link":139,"security_score":140,"vuln_count":141,"unpatched_count":26,"last_vuln_date":142,"fetched_at":28},"webmention","Webmention","5.6.2","Matthias Pfefferle","https:\u002F\u002Fprofiles.wordpress.org\u002Fpfefferle\u002F","\u003Cp>When you link to a website you can send it a Webmention to notify 
it and then that website may display your post as a comment, like, or other response, and presto, you’re having a conversation from one site to another!\u003C\u002Fp>\n\u003Cp>A \u003Ca href=\"https:\u002F\u002Fwww.w3.org\u002FTR\u002Fwebmention\u002F\" rel=\"nofollow ugc\">Webmention\u003C\u002Fa> is a notification that one URL links to another. Sending a Webmention is not limited to blog posts, and can be used for additional kinds of content and responses as well.\u003C\u002Fp>\n\u003Cp>For example, a response can be an RSVP to an event, an indication that someone “likes” another post, a “bookmark” of another post, and many others. Webmention enables these interactions to happen across different websites, enabling a distributed social web.\u003C\u002Fp>\n\u003Cp>The Webmention plugin supports the Webmention protocol, giving you support for sending and receiving Webmentions. It offers a simple built in presentation.\u003C\u002Fp>\n","Enable conversation across the web.",900,59493,8,"2026-01-01T12:43:00.000Z","6.2",[20,135,136,137,122],"linkback","pingback","trackback","https:\u002F\u002Fgithub.com\u002Fpfefferle\u002Fwordpress-webmention","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwebmention.5.6.2.zip",95,3,"2026-04-01 
19:17:16",{"attackSurface":144,"codeSignals":249,"taintFlows":295,"riskAssessment":364,"analyzedAt":376},{"hooks":145,"ajaxHandlers":205,"restRoutes":244,"shortcodes":245,"cronEvents":246,"entryPointCount":248,"unprotectedCount":248},[146,152,158,162,166,170,174,178,181,185,188,191,195,198,202],{"type":147,"name":148,"callback":149,"file":150,"line":151},"filter","query_vars","add_query_vars_filter","includes\\class-yarns-microsub-admin.php",68,{"type":153,"name":154,"callback":155,"file":156,"line":157},"action","rest_api_init","register_routes","includes\\class-yarns-microsub-endpoint.php",37,{"type":147,"name":159,"callback":160,"priority":11,"file":156,"line":161},"rest_request_after_callbacks","return_error",38,{"type":153,"name":163,"callback":164,"priority":118,"file":156,"line":165},"wp_head","html_header",41,{"type":153,"name":167,"callback":168,"file":156,"line":169},"send_headers","http_header",42,{"type":147,"name":171,"callback":172,"file":156,"line":173},"host_meta","jrd_links",43,{"type":153,"name":175,"callback":175,"file":176,"line":177},"plugins_loaded","yarns-microsub.php",21,{"type":153,"name":179,"callback":179,"file":176,"line":180},"init",22,{"type":153,"name":175,"callback":182,"priority":183,"file":176,"line":184},"load_microsub_error",29,36,{"type":147,"name":186,"callback":187,"file":176,"line":108},"cron_schedules","cron_definer",{"type":153,"name":189,"callback":190,"file":176,"line":169},"yarns_microsub_server_cron","poll",{"type":153,"name":192,"callback":193,"file":176,"line":194},"admin_notices","indieauth_not_installed_notice",120,{"type":153,"name":196,"callback":196,"file":176,"line":197},"admin_menu",143,{"type":153,"name":199,"callback":200,"file":176,"line":201},"admin_enqueue_scripts","yarns_microsub_admin_enqueue_scripts",144,{"type":153,"name":192,"callback":203,"file":176,"line":204},"indieauth_plugin_notice",161,[206,210,213,216,219,222,225,228,231,234,237,241],{"action":207,"nopriv":208,"callback":207,"hasNonce":208,"hasC
apCheck":208,"file":150,"line":209},"save_filters",false,55,{"action":211,"nopriv":208,"callback":211,"hasNonce":208,"hasCapCheck":208,"file":150,"line":212},"save_options",56,{"action":214,"nopriv":208,"callback":214,"hasNonce":208,"hasCapCheck":208,"file":150,"line":215},"find_feeds",57,{"action":217,"nopriv":208,"callback":217,"hasNonce":208,"hasCapCheck":208,"file":150,"line":218},"preview_feed",58,{"action":220,"nopriv":208,"callback":220,"hasNonce":208,"hasCapCheck":208,"file":150,"line":221},"follow_feed",59,{"action":223,"nopriv":208,"callback":223,"hasNonce":208,"hasCapCheck":208,"file":150,"line":224},"unfollow_feed",60,{"action":226,"nopriv":208,"callback":226,"hasNonce":208,"hasCapCheck":208,"file":150,"line":227},"add_channel",61,{"action":229,"nopriv":208,"callback":229,"hasNonce":208,"hasCapCheck":208,"file":150,"line":230},"update_channel",62,{"action":232,"nopriv":208,"callback":232,"hasNonce":208,"hasCapCheck":208,"file":150,"line":233},"delete_channel",63,{"action":235,"nopriv":208,"callback":235,"hasNonce":208,"hasCapCheck":208,"file":150,"line":236},"order_channels",64,{"action":238,"nopriv":208,"callback":239,"hasNonce":208,"hasCapCheck":208,"file":150,"line":240},"delete_posts","delete_all_posts",65,{"action":242,"nopriv":208,"callback":242,"hasNonce":208,"hasCapCheck":208,"file":150,"line":243},"force_poll",66,[],[],[247],{"hook":189,"callback":189,"file":176,"line":34},12,{"dangerousFunctions":250,"sqlUsage":251,"outputEscaping":253,"fileOperations":26,"externalRequests":26,"nonceChecks":26,"capabilityChecks":14,"bundledLibraries":294},[],{"prepared":26,"raw":26,"locations":252},[],{"escaped":254,"rawEcho":180,"locations":255},34,[256,259,261,263,265,266,268,269,270,273,275,277,278,280,281,282,284,285,287,289,291,293],{"file":150,"line":257,"context":258},284,"raw 
output",{"file":150,"line":260,"context":258},294,{"file":262,"line":177,"context":258},"templates\\yarns-microsub-admin-template.php",{"file":264,"line":141,"context":258},"templates\\yarns-microsub-channel-settings.php",{"file":264,"line":63,"context":258},{"file":264,"line":267,"context":258},32,{"file":264,"line":184,"context":258},{"file":264,"line":157,"context":258},{"file":271,"line":272,"context":258},"templates\\yarns-microsub-channel-template.php",16,{"file":271,"line":274,"context":258},25,{"file":271,"line":276,"context":258},26,{"file":271,"line":276,"context":258},{"file":271,"line":279,"context":258},31,{"file":271,"line":267,"context":258},{"file":271,"line":108,"context":258},{"file":271,"line":283,"context":258},40,{"file":271,"line":165,"context":258},{"file":271,"line":286,"context":258},45,{"file":288,"line":11,"context":258},"templates\\yarns-microsub-general-settings.php",{"file":288,"line":290,"context":258},13,{"file":288,"line":292,"context":258},23,{"file":288,"line":209,"context":258},[],[296,313,325,335,344,354],{"entryPoint":297,"graph":298,"unsanitizedCount":32,"severity":312},"find_feeds (includes\\class-yarns-microsub-admin.php:276)",{"nodes":299,"edges":310},[300,305],{"id":301,"type":302,"label":303,"file":150,"line":304},"n0","source","$_POST",278,{"id":306,"type":307,"label":308,"file":150,"line":257,"wp_function":309},"n1","sink","echo() [XSS]","echo",[311],{"from":301,"to":306,"sanitized":208},"medium",{"entryPoint":314,"graph":315,"unsanitizedCount":26,"severity":324},"follow_feed (includes\\class-yarns-microsub-admin.php:338)",{"nodes":316,"edges":321},[317,319],{"id":301,"type":302,"label":303,"file":150,"line":318},342,{"id":306,"type":307,"label":308,"file":150,"line":320,"wp_function":309},346,[322],{"from":301,"to":306,"sanitized":323},true,"low",{"entryPoint":326,"graph":327,"unsanitizedCount":26,"severity":324},"unfollow_feed 
(includes\\class-yarns-microsub-admin.php:357)",{"nodes":328,"edges":333},[329,331],{"id":301,"type":302,"label":303,"file":150,"line":330},359,{"id":306,"type":307,"label":308,"file":150,"line":332,"wp_function":309},363,[334],{"from":301,"to":306,"sanitized":323},{"entryPoint":336,"graph":337,"unsanitizedCount":26,"severity":324},"\u003Cclass-yarns-microsub-admin> (includes\\class-yarns-microsub-admin.php:0)",{"nodes":338,"edges":342},[339,341],{"id":301,"type":302,"label":340,"file":150,"line":304},"$_POST (x3)",{"id":306,"type":307,"label":308,"file":150,"line":257,"wp_function":309},[343],{"from":301,"to":306,"sanitized":323},{"entryPoint":345,"graph":346,"unsanitizedCount":32,"severity":324},"\u003Cyarns-microsub-admin-template> (templates\\yarns-microsub-admin-template.php:0)",{"nodes":347,"edges":352},[348,351],{"id":301,"type":302,"label":349,"file":262,"line":350},"$_GET",20,{"id":306,"type":307,"label":308,"file":262,"line":177,"wp_function":309},[353],{"from":301,"to":306,"sanitized":208},{"entryPoint":355,"graph":356,"unsanitizedCount":363,"severity":324},"\u003Cyarns-microsub-channel-template> (templates\\yarns-microsub-channel-template.php:0)",{"nodes":357,"edges":361},[358,360],{"id":301,"type":302,"label":359,"file":271,"line":14},"$_GET (x7)",{"id":306,"type":307,"label":308,"file":271,"line":276,"wp_function":309},[362],{"from":301,"to":306,"sanitized":208},7,{"summary":365,"deductions":366},"The \"yarns-microsub-server\" v1.1.0 plugin exhibits a concerning security posture primarily due to a significant number of unprotected AJAX handlers. While the plugin demonstrates good practices by not using dangerous functions, employing prepared statements for all SQL queries, and having no recorded vulnerabilities, the lack of authentication on its 12 AJAX entry points presents a substantial risk.  
The absence of capability checks on these handlers means any authenticated user, regardless of their role, could potentially trigger these functions, opening the door to various attacks if the functionality is sensitive.\n\nThe static analysis highlights three flows with unsanitized paths, though none reached critical or high severity in the taint analysis. This, combined with a notable percentage of improperly escaped output, suggests potential for cross-site scripting (XSS) or information disclosure vulnerabilities if these unsanitized paths or unescaped outputs are exploited. The presence of capability checks in only two instances further underscores the lack of robust access control across its attack surface. The plugin's history of zero known CVEs is positive, indicating a lack of previously discovered critical flaws. However, the current lack of authentication on its AJAX endpoints creates a significant risk that outweighs its strengths in other areas.",[367,369,371,374],{"reason":368,"points":11},"12 unprotected AJAX handlers",{"reason":370,"points":119},"3 flows with unsanitized paths",{"reason":372,"points":373},"39% of outputs not properly escaped",4,{"reason":375,"points":141},"Only 2 capability checks found","2026-03-17T01:00:44.217Z",{"wat":378,"direct":387},{"assetPaths":379,"generatorPatterns":382,"scriptPaths":383,"versionParams":384},[380,381],"\u002Fwp-content\u002Fplugins\u002Fyarns-microsub-server\u002Fcss\u002Fadmin.css","\u002Fwp-content\u002Fplugins\u002Fyarns-microsub-server\u002Fjs\u002Fadmin.js",[],[381],[385,386],"yarns-microsub-server\u002Fcss\u002Fadmin.css?ver=","yarns-microsub-server\u002Fjs\u002Fadmin.js?ver=",{"cssClasses":388,"htmlComments":390,"htmlAttributes":391,"restEndpoints":394,"jsGlobals":395,"shortcodeOutput":397},[389],"yarns-microsub-admin-page",[],[392,393],"data-yarns-channel-id","data-yarns-post-id",[],[396],"yarns_admin_vars",[]]