[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fpJctrTiC1NVoRFolzxxtolax7QTuy6Z3HMTALVhUpS0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-9008","page-list-missing-authorization-to-authenticated-contributor-sensitive-information-disclosure-via-shortcode-attributes","Page-list \u003C= 6.2 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Disclosure via Shortcode Attributes","The Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.2. This is due to the pagelist_unqprfx_ext_shortcode() function (the [pagelist_ext] \u002F [pagelistext] shortcode) accepting attacker-controlled post_status, post_type, and show_meta_key attributes and passing them directly into get_pages() and get_post_meta() with no capability check verifying that the rendering user is permitted to read the matched objects. When the current post has no child pages, the shortcode re-issues the query with child_of => 0, broadening it to every page on the site matching the supplied status\u002Ftype. This makes it possible for authenticated attackers, with contributor-level access and above, to disclose the titles, body content\u002Fexcerpts, and arbitrary post meta of unrelated private and draft pages by inserting the shortcode into a contributor-authored draft and previewing it.","page-list",null,"\u003C=6.2","6.3","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Missing Authorization","2026-06-05 12:41:56","2026-06-06 01:26:09",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F22defe19-28ac-43b3-814d-5a2038380adb?source=api-prod",1,[22,23,24,25,26,27],"inc\u002Fshortcode-pagelist-ext.php","inc\u002Fshortcode-pagelist.php","inc\u002Fshortcode-siblings.php","inc\u002Fshortcode-subpages.php","page-list.php","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-9008 (Page-list Plugin)\n\n## 1. Vulnerability Summary\nThe **Page-list** plugin for WordPress (versions \u003C= 6.2) contains a **Missing Authorization** vulnerability. The `pagelist_unqprfx_ext_shortcode()` function, which handles the `[pagelist_ext]` shortcode, allows users to specify `post_status`, `post_type`, and `show_meta_key` attributes without verifying if the user viewing the rendered output has the authority to access that information. \n\nBy inserting a crafted shortcode into a post (even a draft), an authenticated attacker with **Contributor-level** access can disclose sensitive information—including titles, full content, and custom field (meta) values—from private or draft posts created by other users. This is exacerbated by a \"fallback\" mechanism: if the current post has no child pages, the shortcode automatically performs a site-wide query, exposing unrelated content.\n\n## 2. Attack Vector Analysis\n*   **Vulnerable Shortcode:** `[pagelist_ext]` (and alias `[pagelistext]`).\n*   **Vulnerable Function:** `pagelist_unqprfx_ext_shortcode()` in `inc\u002Fshortcode-pagelist-ext.php`.\n*   **Vulnerable Attributes:** `post_status`, `post_type`, `show_meta_key`.\n*   **Authentication Level:** Authenticated (Contributor+). Contributors can create posts and view previews, which is sufficient to trigger the shortcode rendering.\n*   **Mechanism:** The shortcode parameters are passed to `get_pages()` and `get_post_meta()` without capability checks (e.g., `current_user_can('read_private_posts')`).\n\n## 3. Code Flow\n1.  **Entry Point:** A user with Contributor role creates or edits a post\u002Fpage and inserts the `[pagelist_ext ...]` shortcode.\n2.  **Rendering:** When the post is previewed or viewed, WordPress calls `do_shortcode()`, which invokes `pagelist_unqprfx_ext_shortcode( $atts )`.\n3.  **Parameter Extraction:** The function uses `extract( shortcode_atts( ..., $atts ) )` to populate variables like `$post_status` and `$show_meta_key` directly from user input.\n4.  **Query Logic:**\n    *   The function builds `$page_list_ext_args`.\n    *   If `child_of` is not provided, it defaults to the current post ID (`$post->ID`).\n    *   It calls `get_pages( $page_list_ext_args )`.\n5.  **Vulnerable Fallback:** If `count( $list_pages ) == 0` (standard for a new contributor draft), it re-runs the query using `$page_list_ext_args_all`, which sets `'child_of' => 0`, targeting the entire site.\n6.  **Information Leak (Sink):**\n    *   The function iterates through the retrieved pages.\n    *   It retrieves content via `$page->post_content`.\n    *   It retrieves meta data via `get_post_meta( $page->ID, $show_meta_key","The Page-list plugin for WordPress is vulnerable to sensitive information disclosure because the [pagelist_ext] shortcode accepts user-defined attributes like post_status and show_meta_key without verifying the viewer's permissions. This allows authenticated attackers with Contributor-level access to disclose the titles, full body content, and private metadata of draft or private posts by previewing a post containing the crafted shortcode.","\u002F\u002F inc\u002Fshortcode-pagelist-ext.php\n\n\tfunction pagelist_unqprfx_ext_shortcode( $atts ) {\n\t\tglobal $post, $pagelist_unq_settings;\n\t\t$return = '';\n\t\textract( shortcode_atts( array(\n\t\t\t\u002F\u002F ... (truncated attributes)\n\t\t\t'post_type' => 'page',\n\t\t\t'post_status' => 'publish',\n\t\t\t'show_meta_key' => '',\n\t\t\t'meta_template' => '%meta%'\n\t\t), $atts ) );\n\n---\n\n\u002F\u002F inc\u002Fshortcode-pagelist-ext.php approx line 141\n\n\t\t$list_pages = get_pages( $page_list_ext_args );\n\t\tif ( count( $list_pages ) == 0 && $post_status === 'publish' ) { \u002F\u002F if there is no subpages\n\t\t\t\u002F\u002F Only fall back to a site-wide query for public content to avoid\n\t\t\t\u002F\u002F disclosing unrelated private\u002Fdraft pages (Wordfence ticket 454582).\n\t\t\t$list_pages = get_pages( $page_list_ext_args_all ); \u002F\u002F we are showing all pages\n\t\t}","Only in \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpage-list\u002F6.2: .gitattributes\nOnly in \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpage-list\u002F6.2: .gitignore\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpage-list\u002F6.2\u002Finc\u002Fshortcode-pagelist-ext.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpage-list\u002F6.3\u002Finc\u002Fshortcode-pagelist-ext.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpage-list\u002F6.2\u002Finc\u002Fshortcode-pagelist-ext.php\t2026-05-26 15:10:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpage-list\u002F6.3\u002Finc\u002Fshortcode-pagelist-ext.php\t2026-05-29 03:09:30.000000000 +0000\n@@ -29,7 +29,6 @@\n \t\t\t'number' => '',\n \t\t\t'offset' => 0,\n \t\t\t'post_type' => 'page',\n-\t\t\t'post_status' => 'publish',\n \t\t\t'class' => '',\n \t\t\t'strip_tags' => 1,\n \t\t\t'strip_shortcodes' => 1,\n@@ -55,30 +54,26 @@\n \t\t\t$child_of = isset($post->ID) ? $post->ID : 0;\n \t\t}\n \n-\t\t\u002F\u002F --- Security hardening (CVE: Wordfence ticket 454582) ---\n+\t\t\u002F\u002F --- Security hardening (Wordfence ticket 454582) ---\n+\t\t\u002F\u002F post_status is no longer accepted from the shortcode: only published\n+\t\t\u002F\u002F content is ever listed. This removes the unauthorized-disclosure\n+\t\t\u002F\u002F vector for private\u002Fdraft pages entirely.\n+\t\t$post_status = 'publish';\n \t\t\u002F\u002F Restrict post_type to public post types; fall back to 'page' otherwise.\n \t\t$pagelist_ext_allowed_types = get_post_types( array( 'public' => true ) );\n \t\tif ( ! is_array( $pagelist_ext_allowed_types ) || ! in_array( $post_type, $pagelist_ext_allowed_types, true ) ) {\n \t\t\t$post_type = 'page';\n \t\t}\n-\t\t\u002F\u002F Restrict post_status: only allow non-public statuses if the current\n-\t\t\u002F\u002F user has the capability to read those posts for the requested type.\n-\t\t$pagelist_ext_requested_status = $post_status;\n-\t\t$post_status = 'publish';\n-\t\t$pagelist_ext_pt_obj = get_post_type_object( $post_type );\n-\t\tif ( $pagelist_ext_requested_status === 'private'\n-\t\t\t&& $pagelist_ext_pt_obj\n-\t\t\t&& current_user_can( $pagelist_ext_pt_obj->cap->read_private_posts ) ) {\n-\t\t\t$post_status = 'private';\n-\t\t} elseif ( in_array( $pagelist_ext_requested_status, array( 'draft', 'pending', 'future', 'trash' ), true )\n-\t\t\t&& $pagelist_ext_pt_obj\n-\t\t\t&& current_user_can( $pagelist_ext_pt_obj->cap->edit_others_posts ) ) {\n-\t\t\t$post_status = $pagelist_ext_requested_status;\n-\t\t}\n-\t\t\u002F\u002F Disallow protected (underscore-prefixed) meta keys unless the user\n-\t\t\u002F\u002F can edit others' posts. Prevents disclosure of arbitrary post meta.\n-\t\tif ( $show_meta_key !== '' && is_protected_meta( $show_meta_key, 'post' ) && ! current_user_can( 'edit_others_posts' ) ) {\n-\t\t\t$show_meta_key = '';\n+\t\t\u002F\u002F Restrict show_meta_key to prevent disclosure of arbitrary or protected\n+\t\t\u002F\u002F post meta. Users who cannot edit posts may only read meta keys that are\n+\t\t\u002F\u002F registered as publicly visible (show_in_rest) and are not protected.\n+\t\tif ( $show_meta_key !== '' && ! current_user_can( 'edit_posts' ) ) {\n+\t\t\t$pagelist_ext_registered_meta = get_registered_meta_keys( 'post' );\n+\t\t\tif ( is_protected_meta( $show_meta_key, 'post' )\n+\t\t\t\t|| ! isset( $pagelist_ext_registered_meta[ $show_meta_key ] )\n+\t\t\t\t|| empty( $pagelist_ext_registered_meta[ $show_meta_key ]['show_in_rest'] ) ) {\n+\t\t\t\t$show_meta_key = '';\n+\t\t\t}\n \t\t}\n \n \t\t$page_list_ext_args = array(\n@@ -156,14 +151,6 @@\n \t\t$offset_count = 0;\n \t\tif ( $list_pages !== false && count( $list_pages ) > 0 ) {\n \t\t\tforeach($list_pages as $page){\n-\t\t\t\t\u002F\u002F Skip pages the current user is not permitted to read\n-\t\t\t\t\u002F\u002F (Wordfence ticket 454582). Only enforced for non-public\n-\t\t\t\t\u002F\u002F statuses; published pages are visible to everyone and\n-\t\t\t\t\u002F\u002F current_user_can( 'read_post', ... ) returns false for\n-\t\t\t\t\u002F\u002F anonymous viewers, which would hide published content.\n-\t\t\t\tif ( $post_status !== 'publish' && ! current_user_can( 'read_post', $page->ID ) ) {\n-\t\t\t\t\tcontinue;\n-\t\t\t\t}\n \t\t\t\t$count++;\n \t\t\t\t$offset_count++;\n \t\t\t\tif ( !empty( $offset ) && is_numeric( $offset ) && $offset_count \u003C= $offset ) {\nOnly in \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpage-list\u002F6.3\u002Finc: shortcode-pagelist-ext.php.orig\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpage-list\u002F6.2\u002Finc\u002Fshortcode-pagelist.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpage-list\u002F6.3\u002Finc\u002Fshortcode-pagelist.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpage-list\u002F6.2\u002Finc\u002Fshortcode-pagelist.php\t2026-05-26 15:10:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpage-list\u002F6.3\u002Finc\u002Fshortcode-pagelist.php\t2026-05-29 03:09:30.000000000 +0000\n@@ -27,8 +27,7 @@\n \t\t\t'sort_order'   => $sort_order,\n \t\t\t'link_before'  => esc_html($link_before),\n \t\t\t'link_after'   => esc_html($link_after),\n-\t\t\t'post_type'    => $post_type,\n-\t\t\t'post_status'  => $post_status\n+\t\t\t'post_type'    => $post_type\n \t\t);\n \t\t$list_pages = wp_list_pages( $page_list_args );\n \ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpage-list\u002F6.2\u002Finc\u002Fshortcode-siblings.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpage-list\u002F6.3\u002Finc\u002Fshortcode-siblings.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpage-list\u002F6.2\u002Finc\u002Fshortcode-siblings.php\t2026-05-26 15:10:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpage-list\u002F6.3\u002Finc\u002Fshortcode-siblings.php\t2026-05-29 03:09:30.000000000 +0000\n@@ -31,8 +31,7 @@\n \t\t\t'sort_order'   => $sort_order,\n \t\t\t'link_before'  => esc_html($link_before),\n \t\t\t'link_after'   => esc_html($link_after),\n-\t\t\t'post_type'    => $post_type,\n-\t\t\t'post_status'  => $post_status\n+\t\t\t'post_type'    => $post_type\n \t\t);\n \t\t$list_pages = wp_list_pages( $page_list_args );\n \ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpage-list\u002F6.2\u002Finc\u002Fshortcode-subpages.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpage-list\u002F6.3\u002Finc\u002Fshortcode-subpages.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpage-list\u002F6.2\u002Finc\u002Fshortcode-subpages.php\t2026-05-26 15:10:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpage-list\u002F6.3\u002Finc\u002Fshortcode-subpages.php\t2026-05-29 03:09:30.000000000 +0000\n@@ -27,8 +27,7 @@\n \t\t\t'sort_order'   => $sort_order,\n \t\t\t'link_before'  => esc_html($link_before),\n \t\t\t'link_after'   => esc_html($link_after),\n-\t\t\t'post_type'    => $post_type,\n-\t\t\t'post_status'  => $post_status\n+\t\t\t'post_type'    => $post_type\n \t\t);\n \t\t$list_pages = wp_list_pages( $page_list_args );\n \ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpage-list\u002F6.2\u002Fpage-list.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpage-list\u002F6.3\u002Fpage-list.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpage-list\u002F6.2\u002Fpage-list.php\t2026-05-26 15:10:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpage-list\u002F6.3\u002Fpage-list.php\t2026-05-29 03:09:30.000000000 +0000\n@@ -3,7 +3,7 @@\n Plugin Name: Page-list\n Plugin URI: http:\u002F\u002Fwordpress.org\u002Fplugins\u002Fpage-list\u002F\n Description: [pagelist], [subpages], [siblings] and [pagelist_ext] shortcodes\n-Version: 6.2\n+Version: 6.3\n Author: webvitaly\n Author URI: http:\u002F\u002Fweb-profile.net\u002Fwordpress\u002Fplugins\u002F\n License: GPLv3\n@@ -11,7 +11,7 @@\n \n if ( ! defined( 'ABSPATH' ) ) { exit; }\n \n-define('PAGE_LIST_PLUGIN_VERSION', '6.2');\n+define('PAGE_LIST_PLUGIN_VERSION', '6.3');\n define('PAGE_LIST_PLUGIN_FILE', __FILE__);\n \n $pagelist_unq_settings = array(\n@@ -36,7 +36,6 @@\n \t\t'link_before' => '',\n \t\t'link_after' => '',\n \t\t'post_type' => 'page',\n-\t\t'post_status' => 'publish',\n \t\t'class' => ''\n \t)\n );\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpage-list\u002F6.2\u002Freadme.txt \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpage-list\u002F6.3\u002Freadme.txt\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpage-list\u002F6.2\u002Freadme.txt\t2026-05-26 15:10:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpage-list\u002F6.3\u002Freadme.txt\t2026-05-29 03:09:30.000000000 +0000\n@@ -4,7 +4,7 @@\n Tags: page-list, pagelist, sitemap, subpages, siblings\n Requires at least: 3.0\n Tested up to: 7.0\n-Stable tag: 6.2\n+Stable tag: 6.3\n License: GPLv3\n License URI: http:\u002F\u002Fwww.gnu.org\u002Flicenses\u002Fgpl.html\n \n@@ -47,7 +47,6 @@\n * **number** - sets the number of pages to display: `[pagelist number=\"10\"]`; by default the number is unlimited (number=\"\");\n * **offset** - the number of pages to pass over (or displace) before collecting the set of pages: `[pagelist offset=\"5\"]`; by default there is no offset (offset=\"\");\n * **post_type** - list associated with a certain hierarchical Post Type `[pagelist post_type=\"page\"]`; by default: (post_type=\"page\"); possible values: page, revision, Hierarchical Custom Post Types ('post' is not a Hierarchical Post Type);\n-* **post_status** - a comma-separated list of all post status types: `[pagelist post_status=\"private\"]`; by default: (post_status=\"publish\"); possible values: publish, private, draft;\n * **meta_key** and **meta_value** - only include the pages that have this Custom Field Key and this Custom Field Value: `[pagelist meta_key=\"metakey\" meta_value=\"metaval\"]`;\n * **show_date** - display creation or last modified date next to each Page: `[pagelist show_date=\"created\"]`; possible values: created, modified, updated;\n * **date_format** - the format of the Page date set by the show_date parameter: `[pagelist date_format=\"l, F j, Y\"]`; by default use the date format configured in your WordPress options;\n@@ -83,7 +82,6 @@\n * **number** - sets the number of pages to display: `[pagelist_ext number=\"10\"]`; by default the number is unlimited (number=\"\");\n * **offset** - the number of pages to pass over (or displace) before collecting the set of pages: `[pagelist_ext offset=\"5\"]`; by default there is no offset (offset=\"\");\n * **post_type** - list associated with a certain hierarchical Post Type `[pagelist_ext post_type=\"page\"]`; by default: (post_type=\"page\"); possible values: page, revision, Hierarchical Custom Post Types ('post' is not a Hierarchical Post Type);\n-* **post_status** - a comma-separated list of all post status types: `[pagelist_ext post_status=\"private\"]`; by default: (post_status=\"publish\"); possible values: publish, private, draft;\n * **class** - the CSS class for list of pages: `[pagelist_ext class=\"listclass\"]`; by default the class is empty (class=\"\");\n * **strip_tags** - strip tags or not: `[pagelist_ext strip_tags=\"0\"]`; by default the tags are stripped (strip_tags=\"1\");\n * **strip_shortcodes** - strip registered shortcodes or not: `[pagelist_ext strip_shortcodes=\"0\"]`; by default shortcodes are stripped (strip_shortcodes=\"1\") and all registered shortcodes are removed;\n@@ -129,6 +127,9 @@\n \n == Changelog ==\n \n+= 6.3 =\n+* Removed post_status parameter from shortcodes and restricted meta key output to harden against unauthorized content disclosure\n+\n = 6.2 =\n * Fixed issue with published pages not showing up in lists","The exploit is performed by an authenticated user with Contributor permissions or higher. The attacker creates a new post draft and inserts the [pagelist_ext] shortcode with the post_status attribute set to 'private' or 'draft'. Because the contributor's new post likely has no child pages, the plugin's internal logic falls back to a site-wide query. By previewing the post, the contributor can view the titles and full content of other users' private or draft posts in the rendering. Additionally, by using the show_meta_key attribute, the attacker can disclose internal or sensitive post metadata that would otherwise be hidden.","gemini-3-flash-preview","2026-06-26 03:32:18","2026-06-26 03:33:57",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","6.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpage-list\u002Ftags\u002F6.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpage-list.6.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpage-list\u002Ftags\u002F6.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpage-list.6.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpage-list\u002Ftags"]