[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fc7-bppYkugH5PHj1S755a-lIRnxArBlWogztGR0Pt9o":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":22,"download_link":23,"security_score":24,"vuln_count":25,"unpatched_count":25,"last_vuln_date":26,"fetched_at":27,"vulnerabilities":28,"developer":29,"crawl_stats":26,"alternatives":36,"analysis":37,"fingerprints":149},"get-news-vnexpress-net","Get news VNEXPRESS.NET","1.3","Huy Kira","https:\u002F\u002Fprofiles.wordpress.org\u002Fhuykiradotnet\u002F","\u003Cp>For more history, see: https:\u002F\u002Fhuykira.net\u002Fwebmaster\u002Fwordpress\u002Fplugin-lay-tin-tu-dong-tu-vnexpress-net.html\u003C\u002Fp>\n\u003Ch3>Arbitrary section 1\u003C\u002Fh3>\n","Auto post wordpress news vnexpress",20,5234,100,1,"2021-06-17T18:40:00.000Z","5.7.15","5.0","",[20,21],"auto-get-news","auto-post-wordpress","https:\u002F\u002Fhuykira.net\u002Fwebmaster\u002Fwordpress\u002Fplugin-lay-tin-tu-dong-tu-vnexpress-net.html","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fget-news-vnexpress-net.zip",85,0,null,"2026-03-15T15:16:48.613Z",[],{"slug":30,"display_name":7,"profile_url":8,"plugin_count":31,"total_installs":13,"avg_security_score":32,"avg_patch_time_days":33,"trust_score":34,"computed_at":35},"huykiradotnet",6,93,30,89,"2026-04-04T11:13:02.066Z",[],{"attackSurface":38,"codeSignals":68,"taintFlows":103,"riskAssessment":137,"analyzedAt":148},{"hooks":39,"ajaxHandlers":56,"restRoutes":65,"shortcodes":66,"cronEvents":67,"entryPointCount":61,"unprotectedCount":61},[40,46,50,54],{"type":41,"name":42,"callback":43,"file":44,"line":45},"action","admin_menu","gnv_add_menu_hk","get_news_vnexpress.php",22,{"type":41,"name":47,"callback":48,"file":44,"line":49},"admin_init","gnv_register_mysettings",32,{"type":41,"name
":51,"callback":52,"file":44,"line":53},"admin_enqueue_scripts","gnv_custom_style",46,{"type":41,"name":51,"callback":52,"file":44,"line":55},49,[57,62],{"action":58,"nopriv":59,"callback":58,"hasNonce":59,"hasCapCheck":59,"file":60,"line":61},"Link_action",false,"includes\\ajax.php",2,{"action":58,"nopriv":63,"callback":58,"hasNonce":59,"hasCapCheck":59,"file":60,"line":64},true,3,[],[],[],{"dangerousFunctions":69,"sqlUsage":70,"outputEscaping":72,"fileOperations":101,"externalRequests":14,"nonceChecks":25,"capabilityChecks":25,"bundledLibraries":102},[],{"prepared":64,"raw":25,"locations":71},[],{"escaped":73,"rawEcho":74,"locations":75},10,13,[76,79,81,82,84,86,88,90,92,94,95,97,99],{"file":44,"line":77,"context":78},86,"raw output",{"file":44,"line":80,"context":78},109,{"file":44,"line":80,"context":78},{"file":44,"line":83,"context":78},164,{"file":44,"line":85,"context":78},175,{"file":44,"line":87,"context":78},230,{"file":44,"line":89,"context":78},343,{"file":44,"line":91,"context":78},352,{"file":44,"line":93,"context":78},359,{"file":60,"line":74,"context":78},{"file":96,"line":83,"context":78},"includes\\simple_html_dom.php",{"file":96,"line":98,"context":78},169,{"file":96,"line":100,"context":78},229,5,[],[104,127],{"entryPoint":105,"graph":106,"unsanitizedCount":14,"severity":126},"Link_action (includes\\ajax.php:4)",{"nodes":107,"edges":123},[108,113,117],{"id":109,"type":110,"label":111,"file":60,"line":112},"n0","source","$_POST",8,{"id":114,"type":115,"label":116,"file":60,"line":112},"n1","transform","→ file_get_html()",{"id":118,"type":119,"label":120,"file":96,"line":121,"wp_function":122},"n2","sink","file_get_contents() [SSRF\u002FLFI]",77,"file_get_contents",[124,125],{"from":109,"to":114,"sanitized":59},{"from":114,"to":118,"sanitized":59},"medium",{"entryPoint":128,"graph":129,"unsanitizedCount":14,"severity":126},"\u003Cajax> 
(includes\\ajax.php:0)",{"nodes":130,"edges":134},[131,132,133],{"id":109,"type":110,"label":111,"file":60,"line":112},{"id":114,"type":115,"label":116,"file":60,"line":112},{"id":118,"type":119,"label":120,"file":96,"line":121,"wp_function":122},[135,136],{"from":109,"to":114,"sanitized":59},{"from":114,"to":118,"sanitized":59},{"summary":138,"deductions":139},"The 'get-news-vnexpress-net' v1.3 plugin exhibits a mixed security posture. While it demonstrates good practices by using prepared statements for all its SQL queries and appears to have no recorded past vulnerabilities, significant concerns arise from its attack surface and the handling of AJAX requests. The presence of two AJAX handlers (both for the Link_action action, one of them registered for unauthenticated visitors) without any authentication or capability checks represents a direct and exploitable entry point for attackers. Furthermore, the taint analysis revealed two flows with unsanitized paths, in which $_POST input reaches file_get_contents() through file_get_html(), a sink the analysis labels SSRF\u002FLFI. While not classified as critical or high severity in this report, these flows warrant attention as they indicate potential for data manipulation or execution if combined with other vulnerabilities or misconfigurations. The lack of nonce checks on these AJAX handlers exacerbates the risk, as it allows for cross-site request forgery (CSRF) attacks. 
The low percentage of properly escaped output (43%) also suggests a risk of cross-site scripting (XSS) vulnerabilities, although the specific impact of the unescaped output was not detailed.",[140,142,144,146],{"reason":141,"points":73},"AJAX handlers without auth checks",{"reason":143,"points":101},"Flows with unsanitized paths",{"reason":145,"points":101},"Low output escaping percentage",{"reason":147,"points":73},"Missing nonce checks on AJAX","2026-03-16T22:55:28.068Z",{"wat":150,"direct":161},{"assetPaths":151,"generatorPatterns":155,"scriptPaths":156,"versionParams":157},[152,153,154],"\u002Fwp-content\u002Fplugins\u002Fget-news-vnexpress-net\u002Fscripts\u002Fcss\u002Fbootstrap.min.css","\u002Fwp-content\u002Fplugins\u002Fget-news-vnexpress-net\u002Fscripts\u002Fcss\u002Fstyle.css","\u002Fwp-content\u002Fplugins\u002Fget-news-vnexpress-net\u002Fscripts\u002Fjs\u002Fcustom.js",[],[154],[158,159,160],"get-news-vnexpress-net\u002Fscripts\u002Fcss\u002Fbootstrap.min.css?ver=","get-news-vnexpress-net\u002Fscripts\u002Fcss\u002Fstyle.css?ver=","get-news-vnexpress-net\u002Fscripts\u002Fjs\u002Fcustom.js?ver=",{"cssClasses":162,"htmlComments":168,"htmlAttributes":170,"restEndpoints":172,"jsGlobals":173,"shortcodeOutput":175},[163,164,165,166,167],"tp-app","click-more-check","list-input","click-more","kiki",[169],"\u003C!-- Get category -->",[171],"data-target=\"#myModal\"",[],[174],"window.custom",[]]