Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam Security & Risk Analysis

The plugin 'bck-tu-dong-xac-nhan-thanh-toan-chuyen-khoan-ngan-hang' v2.0.1 presents a significant security risk due to a combination of unprotected entry points and a history of high-severity vulnerabilities. While the plugin utilizes prepared statements for SQL queries and has some output escaping, the lack of authentication checks on all AJAX handlers and the REST API route is a major concern, creating a large attack surface. The presence of two known high-severity vulnerabilities, with one currently unpatched, specifically related to Cross-Site Scripting (XSS), indicates a pattern of insecure input handling.

The static analysis reveals that all 7 identified entry points are unprotected, meaning an attacker could potentially trigger malicious actions without proper user authentication or authorization. The two flows with unsanitized paths in the taint analysis further support the potential for XSS or other injection vulnerabilities, even though they are not classified as critical or high in this specific scan. The bundled TCPDF library is also a potential concern if it's an outdated version, although this specific data doesn't confirm its version or known vulnerabilities.

In conclusion, the plugin's security posture is weak. The high number of unprotected entry points and the existing unpatched high-severity XSS vulnerability are critical indicators of risk. While good practices like prepared statements are present, they are overshadowed by the fundamental security flaws in access control and input sanitization. Users should be extremely cautious when deploying this plugin, and immediate remediation of the unpatched CVE is paramount.