[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fxAGaAC98oyIS1-BGKHw0GS1enfitXPrOH99ccd1HswU":3,"$fKnrr9dGfhQM0uQBb_YLJwn58WQUPXDwzovu5vTO_0go":163,"$f3kD2MTkolQBX4rMan6WDQg9TDvTdkRQ9GrsfZlLIjjo":168},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":24,"download_link":25,"security_score":26,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29,"discovery_status":30,"vulnerabilities":31,"developer":48,"crawl_stats":37,"alternatives":55,"analysis":72,"fingerprints":129},"bang-tinh-lai-suat","Bang tinh vay","1.0.1","hanhdo205","https:\u002F\u002Fprofiles.wordpress.org\u002Fhanhdo205\u002F","\u003Cp>Shortcode [laisuat]\u003C\u002Fp>\n\u003Ch4>Docs & Support\u003C\u002Fh4>\n\u003Cp>Currently we have no Docs.\u003C\u002Fp>\n","Bang tinh lai vay ngan hang",40,9679,0,"2019-09-26T00:36:00.000Z","5.2.24","4.4","",[19,20,21,22,23],"bang-tinh-vay","hanhdo","lai-suat","nqhanh","tra-gop","https:\u002F\u002Fhanhdo.info","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbang-tinh-lai-suat.zip",64,1,"2025-06-05 
00:00:00","2026-04-16T10:56:18.058Z","no_bundle",[32],{"id":33,"url_slug":34,"title":35,"description":36,"plugin_slug":4,"theme_slug":37,"affected_versions":38,"patched_in_version":37,"severity":39,"cvss_score":40,"cvss_vector":41,"vuln_type":42,"published_date":28,"updated_date":43,"references":44,"days_to_patch":37,"patch_diff_files":46,"patch_trac_url":37,"research_status":37,"research_verified":47,"research_rounds_completed":13,"research_plan":37,"research_summary":37,"research_vulnerable_code":37,"research_fix_diff":37,"research_exploit_outline":37,"research_model_used":37,"research_started_at":37,"research_completed_at":37,"research_error":37,"poc_status":37,"poc_video_id":37,"poc_summary":37,"poc_steps":37,"poc_tested_at":37,"poc_wp_version":37,"poc_php_version":37,"poc_playwright_script":37,"poc_exploit_code":37,"poc_has_trace":47,"poc_model_used":37,"poc_verification_depth":37},"CVE-2023-26000","bang-tinh-vay-authenticated-administrator-stored-cross-site-scripting","Bang tinh vay \u003C= 1.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting","The Bang tinh vay plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 
This only impacts multi-site installations and installations where unfiltered_html has been disabled.",null,"\u003C=1.0.1","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2025-06-11 19:40:12",[45],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2c7a1cb4-a61e-41ac-8ce2-06de5104a368?source=api-prod",[],false,{"slug":7,"display_name":7,"profile_url":8,"plugin_count":49,"total_installs":50,"avg_security_score":51,"avg_patch_time_days":52,"trust_score":53,"computed_at":54},2,100,75,30,77,"2026-06-21T05:11:29.619Z",[56],{"slug":57,"name":58,"version":59,"author":7,"author_profile":8,"description":60,"short_description":61,"active_installs":62,"downloaded":63,"rating":62,"num_ratings":64,"last_updated":65,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":66,"homepage":69,"download_link":70,"security_score":71,"vuln_count":13,"unpatched_count":13,"last_vuln_date":37,"fetched_at":29},"emoji-in-comments","Emoji in comments","1.0.0","\u003Cp>Display emojis in WordPress comments using emojone\u003C\u002Fp>\n\u003Ch4>Docs & Support\u003C\u002Fh4>\n\u003Cp>Currently we have no Docs.\u003C\u002Fp>\n","Display emojis in WordPress 
comments",60,3024,4,"2019-09-28T08:19:00.000Z",[67,68,20,22],"comment","emoji","https:\u002F\u002Ffacebook.com\u002Fhanhdo205","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Femoji-in-comments.zip",85,{"attackSurface":73,"codeSignals":102,"taintFlows":113,"riskAssessment":114,"analyzedAt":128},{"hooks":74,"ajaxHandlers":93,"restRoutes":94,"shortcodes":95,"cronEvents":101,"entryPointCount":27,"unprotectedCount":13},[75,81,85,89],{"type":76,"name":77,"callback":78,"file":79,"line":80},"action","plugins_loaded","laisuat_load_plugin_textdomain","laisuat.php",17,{"type":76,"name":82,"callback":83,"file":79,"line":84},"wp_enqueue_scripts","laisuat_reg_scripts",28,{"type":76,"name":86,"callback":87,"file":79,"line":88},"admin_init","laisuat_admin_init",31,{"type":76,"name":90,"callback":91,"file":79,"line":92},"admin_menu","laisuat_add_page",32,[],[],[96],{"tag":97,"callback":98,"file":99,"line":100},"laisuat","add_laisuat_form","form.php",70,[],{"dangerousFunctions":103,"sqlUsage":104,"outputEscaping":106,"fileOperations":13,"externalRequests":13,"nonceChecks":13,"capabilityChecks":13,"bundledLibraries":112},[],{"prepared":13,"raw":13,"locations":105},[],{"escaped":13,"rawEcho":49,"locations":107},[108,110],{"file":99,"line":62,"context":109},"raw output",{"file":99,"line":111,"context":109},61,[],[],{"summary":115,"deductions":116},"The \"bang-tinh-lai-suat\" plugin v1.0.1 exhibits a mixed security posture. On the positive side, the static analysis reveals no identified dangerous functions, no file operations, no external HTTP requests, and no SQL queries at all (neither raw nor prepared), so direct database interaction is not a source of risk here. The limited attack surface, with only one shortcode and no unprotected entry points found, is also a positive sign. However, a significant concern arises from the complete lack of output escaping: both raw output statements detected (form.php, lines 60 and 61) are emitted unescaped and are potentially vulnerable to Cross-Site Scripting (XSS) if they include user-controlled data. 
Furthermore, the analysis found no nonce checks or capability checks. A shortcode normally renders for any visitor, so this matters mainly if the plugin also processes state-changing requests, such as settings handled through its admin hooks (admin_init, admin_menu), which should verify a nonce and the user's capability.\n\nThe vulnerability history is particularly alarming. The plugin has one known CVE (CVE-2023-26000, medium severity, CVSS 4.4), an authenticated (Administrator+) Stored Cross-Site Scripting issue affecting versions up to and including 1.0.1. The fact that this vulnerability is currently unpatched is a critical red flag. According to the advisory, exploitation requires administrator-level access and only impacts multi-site installations and installations where unfiltered_html has been disabled, which limits exposure but does not remove it. The recorded date of the last vulnerability (2025-06-05) does not match the 2023 CVE identifier and may reflect when the record was published rather than when the flaw was found, or an error in the provided data, but regardless, an unpatched medium-severity XSS vulnerability poses a real risk. Although only one vulnerability is recorded, its stated cause (insufficient input sanitization and output escaping) matches the static-analysis finding of no output escaping, which suggests potential systemic issues in how the plugin handles user-supplied data for output.",[117,120,123,126],{"reason":118,"points":119},"Unpatched CVE (Medium severity XSS)",15,{"reason":121,"points":122},"0% output escaping",6,{"reason":124,"points":125},"No nonce checks on entry points",8,{"reason":127,"points":125},"No capability checks on entry 
points","2026-03-16T22:12:42.107Z",{"wat":130,"direct":139},{"assetPaths":131,"generatorPatterns":134,"scriptPaths":135,"versionParams":136},[132,133],"\u002Fwp-content\u002Fplugins\u002Fbang-tinh-lai-suat\u002Fcss\u002Flaisuat.css","\u002Fwp-content\u002Fplugins\u002Fbang-tinh-lai-suat\u002Fjs\u002Flaisuat.js",[],[133],[137,138],"bang-tinh-lai-suat\u002Fcss\u002Flaisuat.css?ver=","bang-tinh-lai-suat\u002Fjs\u002Flaisuat.js?ver=",{"cssClasses":140,"htmlComments":150,"htmlAttributes":151,"restEndpoints":157,"jsGlobals":158,"shortcodeOutput":161},[141,142,143,144,145,146,147,148,149],"input-form","input-box","show","bangtinh","ky-thanh-toan","amount-start","result-body","tong-lai-gop","tong-goc-lai-gop",[],[152,153,154,155,156],"data-ky-thanh-toan","data-amount-start","data-goc-phai-tra","data-lai-phai-tra","data-tong-tien-tra",[],[159,160],"congthuc","BASE_URL",[162],"[laisuat]",{"error":164,"url":165,"statusCode":166,"statusMessage":167,"message":167},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fbang-tinh-lai-suat\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":27,"versions":169},[170],{"version":6,"download_url":171,"svn_tag_url":172,"released_at":37,"has_diff":47,"diff_files_changed":173,"diff_lines":37,"trac_diff_url":37,"vulnerabilities":174,"is_current":164},"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbang-tinh-lai-suat.1.0.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fbang-tinh-lai-suat\u002Ftags\u002F1.0.1\u002F",[],[175],{"id":33,"url_slug":34,"title":35,"severity":39,"cvss_score":40,"vuln_type":42,"patched_in_version":37}]