[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fyP-GAGkOZn4gxw_y0wTJ5q22ulzdMgi_WGb-Ug7IJzc":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":11,"last_updated":13,"tested_up_to":14,"requires_at_least":15,"requires_php":13,"tags":16,"homepage":13,"download_link":19,"security_score":20,"vuln_count":11,"unpatched_count":11,"last_vuln_date":21,"fetched_at":22,"vulnerabilities":23,"developer":24,"crawl_stats":21,"alternatives":32,"analysis":33,"fingerprints":310},"dotix","Dotix","1.5","WPDO","https:\u002F\u002Fprofiles.wordpress.org\u002Fwpdo5ea\u002F","\u003Cp>This plugin will enable the connection between your app and WooCommerce orders for digital credits usage. It can be used to check the remaining credits in one order, or consume them.\u003C\u002Fp>\n\u003Ch3>Usage\u003C\u002Fh3>\n\u003Cp>Redirect to your app link on the order paid page, carrying the order key.\u003C\u002Fp>\n\u003Cp>Let’s assume the order_key=\u003Ccode>wc_order_xQhmRjJ7\u003C\u002Fcode>, your app URL is \u003Ccode>https:\u002F\u002Fapp.EXAMPLE.com\u002Frefill\u003C\u002Fcode>, your WordPress URL is \u003Ccode>https:\u002F\u002FEXAMPLE.com\u002F\u003C\u002Fcode>\u003C\u002Fp>\n\u003Col>\n\u003Cli>\n\u003Cp>On the order Thank You page, show a button \u003Ccode>\u003Ca href=\"https:\u002F\u002Fapp.EXAMPLE.com\u002Frefill?order_key=wc_order_xQhmRjJ7\">Go back to app.EXAMPLE\u003C\u002Fa>\u003C\u002Fcode>.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>In \u003Ccode>https:\u002F\u002Fapp.EXAMPLE.com\u002Frefill\u003C\u002Fcode>, call \u003Ccode>https:\u002F\u002FEXAMPLE.com\u002Fwp-json\u002Fdotix\u002Fv1\u002Forder\u002Fwc_order_xQhmRjJ7\u003C\u002Fcode> with \u003Ccode>$_POST[ 'num' ] = 'max'\u003C\u002Fcode>, and assume the returned JSON reports 42 consumed credits.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Add 42 credits into the corresponding user 
account.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>REST APIs\u003C\u002Fh3>\n\u003Cp>1) Show balance:\u003Cbr \u002F>\n    Method: GET\u003Cbr \u002F>\n    URL: \u003Ccode>https:\u002F\u002FEXAMPLE.com\u002Fwp-json\u002Fdotix\u002Fv1\u002Forder\u002Fwc_order_xQhmRjJ7\u003C\u002Fcode>\u003Cbr \u002F>\n    Return: \u003Ccode>{\"_res\":\"ok\", \"order_id\":45, \"status\":\"completed\", \"balance\":\"142\"}\u003C\u002Fcode>\u003Cbr \u002F>\n    \u002F\u002F NOTE: only an order with status=\u003Ccode>completed\u003C\u002Fcode> can have its credits consumed.\u003C\u002Fp>\n\u003Cp>2) Consume 100 credits:\u003Cbr \u002F>\n    Method: \u003Ccode>POST\u003C\u002Fcode>\u003Cbr \u002F>\n    URL: \u003Ccode>https:\u002F\u002FEXAMPLE.com\u002Fwp-json\u002Fdotix\u002Fv1\u002Forder\u002Fwc_order_xQhmRjJ7\u003C\u002Fcode>\u003Cbr \u002F>\n    Data: \u003Ccode>[ 'num' => 100 ]\u003C\u002Fcode>\u003Cbr \u002F>\n    Return: \u003Ccode>{\"_res\":\"ok\", \"order_id\":45, \"consumed\":\"100\", \"balance\":\"42\"}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>3) Consume all credits:\u003Cbr \u002F>\n    Method: POST\u003Cbr \u002F>\n    URL: https:\u002F\u002FEXAMPLE.com\u002Fwp-json\u002Fdotix\u002Fv1\u002Forder\u002Fwc_order_xQhmRjJ7\u003Cbr \u002F>\n    Data: \u003Ccode>[ 'num' => 'max' ]\u003C\u002Fcode>\u003Cbr \u002F>\n    Return: \u003Ccode>{\"_res\":\"ok\", \"order_id\":45, \"consumed\":\"42\", \"balance\":\"0\"}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>For all errors, the API will return {“_res”:”err”, “_msg”:”error_msg_tag or content”}\u003C\u002Fp>\n\u003Ch3>Order Status\u003C\u002Fh3>\n\u003Cp>If an order contains only items that have valid credit in product detail, once the order is paid, the status will change to \u003Ccode>completed\u003C\u002Fcode> automatically instead of \u003Ccode>processing\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cp>This is done because some unpaid gateways (Bank Wire, Cheque, Cash on delivery) will have status 
\u003Ccode>processing\u003C\u002Fcode> once the order is placed, even though it has not been paid. Thus we can’t use \u003Ccode>processing\u003C\u002Fcode> to detect whether the order is paid.\u003C\u002Fp>\n\u003Cp>To make the credits in orders placed with the unpaid gateways available, please update the order status to \u003Ccode>completed\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Ch3>Error Message Tag In REST API\u003C\u002Fh3>\n\u003Cp>Error code: \u003Ccode>wrong_hash\u003C\u002Fcode>\u003Cbr \u002F>\nDescription: The order key doesn’t match any order.\u003C\u002Fp>\n\u003Cp>Error code: \u003Ccode>wrong_status\u003C\u002Fcode>\u003Cbr \u002F>\nDescription: The order isn’t in processing\u002Fcompleted status, maybe not paid yet?\u003C\u002Fp>\n\u003Cp>Error code: \u003Ccode>lack_of_param\u003C\u002Fcode>\u003Cbr \u002F>\nDescription: The amount to consume must be specified: either a number or the fixed string \u003Ccode>max\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cp>Error code: \u003Ccode>lack_of_bal\u003C\u002Fcode>\u003Cbr \u002F>\nDescription: Not enough balance left in this order.\u003C\u002Fp>\n","Connect your app with WooCommerce credits. 
Append additional credits for each product in WooCommerce.",0,1572,"","6.0.11","4.0",[17,18],"credit-point-system-for-woocommerce","ticket-system-for-woocommerce","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdotix.1.5.zip",100,null,"2026-03-15T10:48:56.248Z",[],{"slug":25,"display_name":7,"profile_url":8,"plugin_count":26,"total_installs":27,"avg_security_score":28,"avg_patch_time_days":29,"trust_score":30,"computed_at":31},"wpdo5ea",6,7810,91,146,73,"2026-04-04T16:19:29.467Z",[],{"attackSurface":34,"codeSignals":169,"taintFlows":277,"riskAssessment":300,"analyzedAt":309},{"hooks":35,"ajaxHandlers":147,"restRoutes":148,"shortcodes":166,"cronEvents":167,"entryPointCount":168,"unprotectedCount":168},[36,41,46,49,54,57,62,66,71,75,79,82,85,88,91,94,98,101,104,107,109,112,116,119,123,127,131,135,139,143],{"type":37,"name":38,"callback":38,"file":39,"line":40},"action","admin_menu","src\\admin.cls.php",23,{"type":42,"name":43,"callback":44,"file":39,"line":45},"filter","plugin_action_links_dotix\u002Fdotix.php","add_plugin_links",24,{"type":37,"name":47,"callback":47,"file":39,"line":48},"admin_init",25,{"type":42,"name":50,"callback":51,"file":52,"line":53},"manage_edit-shop_order_columns","column_title","src\\order.cls.php",21,{"type":37,"name":55,"callback":56,"file":52,"line":40},"manage_shop_order_posts_custom_column","column",{"type":37,"name":58,"callback":59,"priority":60,"file":52,"line":61},"woocommerce_order_item_meta_start","field_frontend",10,26,{"type":37,"name":63,"callback":64,"priority":60,"file":52,"line":65},"woocommerce_order_details_after_order_table","tix_frontend",28,{"type":37,"name":67,"callback":68,"priority":69,"file":52,"line":70},"woocommerce_thankyou","maybe_auto_complete",20,31,{"type":37,"name":72,"callback":73,"priority":60,"file":52,"line":74},"woocommerce_checkout_create_order","fillup",34,{"type":37,"name":76,"callback":77,"file":78,"line":53},"woocommerce_product_options_general_product_data","field","src\\product.cls.p
hp",{"type":37,"name":80,"callback":81,"file":78,"line":40},"woocommerce_process_product_meta","field_save",{"type":42,"name":83,"callback":51,"priority":84,"file":78,"line":48},"manage_edit-product_columns",15,{"type":37,"name":86,"callback":56,"priority":60,"file":78,"line":87},"manage_product_posts_custom_column",27,{"type":37,"name":89,"callback":59,"priority":60,"file":78,"line":90},"woocommerce_product_meta_start",30,{"type":37,"name":92,"callback":92,"file":93,"line":53},"rest_api_init","src\\rest.cls.php",{"type":42,"name":95,"callback":96,"priority":60,"file":97,"line":45},"auto_update_plugin","auto_update","src\\util.cls.php",{"type":37,"name":63,"callback":99,"priority":90,"file":100,"line":53},"qrcode_in_order_detail","src\\vendor.cls.php",{"type":37,"name":102,"callback":103,"file":100,"line":40},"add_meta_boxes_shop_order","qrcode_in_order_edit",{"type":37,"name":105,"callback":106,"file":100,"line":48},"init","qrcode_page",{"type":37,"name":105,"callback":108,"priority":11,"file":100,"line":65},"custom_post_type",{"type":37,"name":110,"callback":111,"file":100,"line":90},"add_meta_boxes_vendor","qrcode_in_vendor_edit",{"type":37,"name":113,"callback":114,"file":100,"line":115},"save_post_vendor","hash_save",32,{"type":37,"name":105,"callback":117,"priority":11,"file":100,"line":118},"vendor_dotix_taxonomies",35,{"type":37,"name":120,"callback":121,"priority":60,"file":100,"line":122},"vendor_dotix_add_form_fields","dotix_amount_meta_add",38,{"type":37,"name":124,"callback":125,"priority":60,"file":100,"line":126},"created_vendor_dotix","dotix_amount_meta_post",40,{"type":37,"name":128,"callback":129,"priority":60,"file":100,"line":130},"vendor_dotix_edit_form_fields","dotix_amount_meta_edit",42,{"type":37,"name":132,"callback":133,"priority":60,"file":100,"line":134},"edited_vendor_dotix","dotix_amount_meta_update",44,{"type":42,"name":136,"callback":137,"file":100,"line":138},"manage_edit-vendor_dotix_columns","dotix_amount_column_title",46,{"type":4
2,"name":140,"callback":141,"priority":60,"file":100,"line":142},"manage_vendor_dotix_custom_column","dotix_amount_column",48,{"type":42,"name":144,"callback":145,"file":100,"line":146},"manage_edit-vendor_dotix_sortable_columns","dotix_amount_column_sortable",50,[],[149,156,161],{"namespace":150,"route":151,"methods":152,"callback":154,"permissionCallback":155,"file":93,"line":118},"dotix\u002Fv1","\u002Fvendor\u002F(?P\u003Cid>\\d+)\u002F(?P\u003Chash>\\w+)",[153],"GET","rest_vendor_get","__return_true",{"namespace":150,"route":157,"methods":158,"callback":159,"permissionCallback":155,"file":93,"line":160},"\u002Forder\u002F(?P\u003Chash>\\w+)",[153],"rest_tix_get",41,{"namespace":150,"route":157,"methods":162,"callback":164,"permissionCallback":155,"file":93,"line":165},[163],"POST","rest_tix_consume",47,[],[],3,{"dangerousFunctions":170,"sqlUsage":171,"outputEscaping":182,"fileOperations":262,"externalRequests":275,"nonceChecks":275,"capabilityChecks":11,"bundledLibraries":276},[],{"prepared":172,"raw":173,"locations":174},4,2,[175,178],{"file":39,"line":176,"context":177},109,"$wpdb->get_results() with variable interpolation",{"file":179,"line":180,"context":181},"src\\data.cls.php",59,"$wpdb->get_var() with variable interpolation",{"escaped":173,"rawEcho":146,"locations":183},[184,187,189,191,193,195,197,199,200,202,204,207,209,210,211,212,213,215,217,219,221,223,225,227,229,230,232,234,236,237,239,241,243,245,247,249,251,252,254,256,258,259,260,263,265,267,269,271,272,273],{"file":52,"line":185,"context":186},55,"raw 
output",{"file":52,"line":188,"context":186},71,{"file":52,"line":190,"context":186},81,{"file":52,"line":192,"context":186},114,{"file":52,"line":194,"context":186},119,{"file":78,"line":196,"context":186},88,{"file":78,"line":198,"context":186},107,{"file":100,"line":192,"context":186},{"file":100,"line":201,"context":186},122,{"file":100,"line":203,"context":186},130,{"file":205,"line":206,"context":186},"tpl\\settings.tpl.php",33,{"file":205,"line":208,"context":186},45,{"file":205,"line":165,"context":186},{"file":205,"line":142,"context":186},{"file":205,"line":142,"context":186},{"file":205,"line":146,"context":186},{"file":205,"line":214,"context":186},56,{"file":205,"line":216,"context":186},58,{"file":205,"line":218,"context":186},60,{"file":205,"line":220,"context":186},66,{"file":205,"line":222,"context":186},68,{"file":205,"line":224,"context":186},70,{"file":205,"line":226,"context":186},84,{"file":205,"line":228,"context":186},90,{"file":205,"line":28,"context":186},{"file":205,"line":231,"context":186},92,{"file":205,"line":233,"context":186},93,{"file":205,"line":235,"context":186},94,{"file":205,"line":20,"context":186},{"file":205,"line":238,"context":186},101,{"file":205,"line":240,"context":186},102,{"file":205,"line":242,"context":186},103,{"file":205,"line":244,"context":186},104,{"file":205,"line":246,"context":186},105,{"file":248,"line":84,"context":186},"tpl\\tix_shortpage.tpl.php",{"file":248,"line":250,"context":186},16,{"file":248,"line":250,"context":186},{"file":248,"line":253,"context":186},17,{"file":248,"line":255,"context":186},18,{"file":248,"line":257,"context":186},19,{"file":248,"line":53,"context":186},{"file":248,"line":53,"context":186},{"file":261,"line":262,"context":186},"tpl\\vendor_dotix.tpl.php",5,{"file":264,"line":172,"context":186},"tpl\\vendor_dotix_ammount_add.tpl.php",{"file":264,"line":266,"context":186},7,{"file":264,"line":268,"context":186},8,{"file":270,"line":172,"context":186},"tpl\\vendor_dotix_ammount_e
dit.tpl.php",{"file":270,"line":26,"context":186},{"file":270,"line":268,"context":186},{"file":270,"line":274,"context":186},9,1,[],[278],{"entryPoint":279,"graph":280,"unsanitizedCount":275,"severity":299},"\u003Ctix_shortpage.tpl> (tpl\\tix_shortpage.tpl.php:0)",{"nodes":281,"edges":295},[282,286,290],{"id":283,"type":284,"label":285,"file":248,"line":87},"n0","source","$_GET['qrtix']",{"id":287,"type":288,"label":289,"file":248,"line":87},"n1","transform","→ qrcode()",{"id":291,"type":292,"label":293,"file":100,"line":201,"wp_function":294},"n2","sink","echo() [XSS]","echo",[296,298],{"from":283,"to":287,"sanitized":297},false,{"from":287,"to":291,"sanitized":297},"medium",{"summary":301,"deductions":302},"The \"dotix\" v1.5 plugin exhibits a concerning security posture primarily due to a significant number of unprotected entry points into its REST API. While the absence of dangerous functions, bundled libraries, and a clean vulnerability history are positive indicators, the identified vulnerabilities in the static analysis are critical.  Specifically, all three REST API routes lack permission callbacks, meaning any authenticated user could potentially interact with these endpoints without proper authorization, leading to potential unauthorized actions.  Furthermore, the extremely low percentage of properly escaped output (4%) presents a high risk of Cross-Site Scripting (XSS) vulnerabilities across the plugin's functionality. 
The single unsanitized path flow identified in the taint analysis, although not classified as critical or high, warrants further investigation as it represents a potential avenue for exploitation.",[303,305,307],{"reason":304,"points":84},"REST API routes without permission callbacks",{"reason":306,"points":60},"Low percentage of properly escaped output",{"reason":308,"points":262},"Unsanitized path flow in taint analysis","2026-03-17T06:05:26.313Z",{"wat":311,"direct":320},{"assetPaths":312,"generatorPatterns":315,"scriptPaths":316,"versionParams":317},[313,314],"\u002Fwp-content\u002Fplugins\u002Fdotix\u002Fdist\u002Fcss\u002Fstyle.css","\u002Fwp-content\u002Fplugins\u002Fdotix\u002Fdist\u002Fjs\u002Fdotix.js",[],[314],[318,319],"dotix\u002Fdist\u002Fcss\u002Fstyle.css?ver=","dotix\u002Fdist\u002Fjs\u002Fdotix.js?ver=",{"cssClasses":321,"htmlComments":325,"htmlAttributes":326,"restEndpoints":328,"jsGlobals":331,"shortcodeOutput":333},[4,322,323,324],"dotix-containing","dotix-order-remaining_title","dotix-remaining_num",[],[327],"data-dotix-field",[329,330],"\u002Fwp-json\u002Fdotix\u002Fv1\u002Fvendor\u002F","\u002Fwp-json\u002Fdotix\u002Fv1\u002Forder\u002F",[332],"dotix_credit_title",[]]