Hesabfa Accounting Security & Risk Analysis

wordpress.org/plugins/hesabfa-accounting

Connect Hesabfa Online Accounting to WooCommerce.

500 active installs · v2.2.5 · PHP 5.6+ · WP 6.2+ · Updated Sep 29, 2025
Tags: accounting, cloud, hesabfa
Score: 54 · Grade C · Use Caution
CVEs total: 4
Unpatched: 2
Last CVE: Aug 20, 2025
Safety Verdict

Is Hesabfa Accounting Safe to Use in 2026?

Use With Caution

Score 54/100

Hesabfa Accounting has 2 unpatched vulnerabilities. Evaluate alternatives or apply available mitigations.

4 known CVEs · 2 unpatched · Last CVE: Aug 20, 2025 · Updated 6mo ago
Risk Assessment

The hesabfa-accounting v2.2.5 plugin presents a significant security risk, mainly because of its large, unguarded attack surface. All 23 of its AJAX entry points lack a capability check, and only 2 nonce checks were found in the whole codebase. In WordPress, wp_ajax_ hooks fire for any logged-in user, so on a WooCommerce store that allows customer registration every export, sync, invoice and clean-up action is reachable by anyone who can create an account; one handler (the webhook receiver) is additionally registered on wp_ajax_nopriv_ and is reachable without logging in at all. The plugin does show some good practice: 74% of its SQL queries go through prepared statements and 69% of its outputs are escaped. But with no capability checks on any entry point and 12 high-severity taint flows (user input reaching a sink such as HTML output or a database query with no sanitizer on the path), the plugin needs attention now.

The vulnerability history reinforces this. All 4 CVEs, all medium severity, were published in 2025, and 2 remain unpatched. The two patched issues, a reflected XSS (CVE-2025-22682) and a CSRF (CVE-2025-30815), were fixed within 4 and 7 days respectively, which is quick; but CSRF recurred in a later version (CVE-2025-48362) together with an unauthenticated sensitive-information exposure via the plugin's log file (CVE-2025-48361), and both are still open. That pattern matches the static findings: two nonce checks across 23 handlers means CSRF is structural, not a one-off. Note that both open CVEs are listed against versions <= 2.2.4 while the current release shown here is 2.2.5 (Sep 29, 2025); confirm against the advisories and the plugin changelog rather than assuming the version bump closed them.

In short, the plugin's prepared statements and output escaping are outweighed by missing authorisation and CSRF protection across its entire AJAX surface, high-severity taint flows and two open CVEs. Update to the latest version, and if the open CVEs are not confirmed fixed there, either disable the plugin or contain it: limit who can hold accounts on the site, deny direct web access to the plugin's log file (CVE-2025-48361 is exactly that exposure), and put a capability check in front of its admin AJAX actions, for example from a must-use plugin, until upstream does.

Key Concerns

  • 23 unprotected AJAX handlers
  • 12 high severity taint flows
  • 0 capability checks on entry points
  • 2 unpatched CVEs
  • 4 medium severity CVEs (cumulative impact)
  • 23 flows with unsanitized paths
  • 2 nonce checks (low coverage)
  • 26% of SQL queries (26 of 101) not using prepared statements
  • 31% of output (172 of 553 outputs) not properly escaped
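The concerns above are easiest to see side by side. The block below is an added example, not code from the Hesabfa Accounting plugin: it shows the handler shape the analysis flags (no nonce, no capability check, raw SQL, unescaped output) next to a hardened version of the same handler that addresses each point, plus the enqueue code that delivers the nonce to the browser. Only the action name adminChangeProductCode is taken from the plugin's handler list; the callback names, the example_product_map table, the nonce action example_hesabfa_admin, the POST field names, the admin page hook suffix and the localized JavaScript object are assumptions for illustration.

```php
<?php
/*
 * Added example (not Hesabfa Accounting code). Everything prefixed example_
 * is an assumption for illustration; only the action name
 * adminChangeProductCode comes from the plugin's AJAX handler list.
 */

/* Pattern the analysis flags. wp_ajax_ hooks fire for any logged-in user,
 * so a subscriber or WooCommerce customer can POST to
 * admin-ajax.php?action=adminChangeProductCode, and a cross-site page can
 * make an administrator's browser do the same (CSRF). */
function example_change_product_code_unguarded() {
    global $wpdb;
    $id   = $_POST['id'];
    $code = $_POST['code'];
    // Raw SQL: attacker-controlled $id and $code land straight in the query.
    $wpdb->query( "UPDATE {$wpdb->prefix}example_product_map SET hesabfa_code = '$code' WHERE product_id = $id" );
    // Unescaped reflection of user input.
    echo 'Updated product ' . $id . ' to code ' . $code;
    wp_die();
}

/* Hardened version of the same handler. */
function example_change_product_code_guarded() {
    global $wpdb;

    // 1. CSRF: require a nonce bound to this action and the current user.
    //    On failure check_ajax_referer() ends the request with HTTP 403.
    check_ajax_referer( 'example_hesabfa_admin', 'nonce' );

    // 2. Authorisation: being logged in is not enough.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validate and normalise input before it reaches any sink.
    $id   = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $code = isset( $_POST['code'] ) ? sanitize_text_field( wp_unslash( $_POST['code'] ) ) : '';
    if ( 0 === $id || ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $code ) ) {
        wp_send_json_error( array( 'message' => 'Invalid product id or code.' ), 400 );
    }

    // 4. Parameterised SQL: %d and %s placeholders are bound by $wpdb->prepare().
    $table  = $wpdb->prefix . 'example_product_map';
    $result = $wpdb->query(
        $wpdb->prepare( "UPDATE {$table} SET hesabfa_code = %s WHERE product_id = %d", $code, $id )
    );
    if ( false === $result ) {
        wp_send_json_error( array( 'message' => 'Database error.' ), 500 );
    }

    // 5. Structured JSON response; anything destined for HTML is escaped.
    wp_send_json_success( array(
        'id'      => $id,
        'code'    => $code,
        'message' => esc_html( sprintf( 'Updated product %d.', $id ) ),
    ) );
}
add_action( 'wp_ajax_adminChangeProductCode', 'example_change_product_code_guarded' );

/* The nonce has to reach the browser: hand it to the admin script with
 * wp_localize_script() so the page's JavaScript can POST it as 'nonce'. */
function example_enqueue_admin_script( $hook_suffix ) {
    if ( 'toplevel_page_example-hesabfa' !== $hook_suffix ) {
        return; // only on the plugin's own admin page (hook suffix assumed)
    }
    wp_enqueue_script( 'example-hesabfa-admin', plugins_url( 'admin/js/example-admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-hesabfa-admin', 'example_hesabfa_obj', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'example_hesabfa_admin' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

The order of the checks matters: the nonce check runs first so that a forged cross-site request is rejected before any authorisation logic, and the capability check runs before any input is touched. To verify a handler on a live site, log in with a low-privilege account and POST to /wp-admin/admin-ajax.php with action=adminChangeProductCode and no nonce field: a guarded handler answers 403 (check_ajax_referer() replies -1), an unguarded one performs the update.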
Vulnerabilities (4)

Hesabfa Accounting Security Vulnerabilities

CVEs by Year

2025: 4 CVEs (2 patched, 2 unpatched)

Severity Breakdown

Medium: 4 (of 4 total CVEs)

CVE-2025-48361 · medium · 5.3 · Insertion of Sensitive Information into Log File

Hesabfa Accounting <= 2.2.4 - Unauthenticated Sensitive Information Exposure via Log File

Aug 20, 2025 · Unpatched

CVE-2025-48362 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Hesabfa Accounting <= 2.2.4 - Cross-Site Request Forgery

Aug 20, 2025 · Unpatched

CVE-2025-30815 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Hesabfa Accounting <= 2.1.8 - Cross-Site Request Forgery

Mar 27, 2025 · Patched in 2.2.0 (7 days)

CVE-2025-22682 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Hesabfa Accounting <= 2.1.2 - Reflected Cross-Site Scripting

Jan 31, 2025 · Patched in 2.1.3 (4 days)
Code Analysis
Analyzed Mar 16, 2026

Hesabfa Accounting Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 26 (75 prepared)
Unescaped Output: 172 (381 escaped)
Nonce Checks: 2
Capability Checks: 0
File Operations: 10
External Requests: 2
Bundled Libraries: 0 (PHP libraries only; the asset fingerprints below show Bootstrap CSS and JS shipped with the plugin)

SQL Query Safety

74% prepared (75 of 101 queries)

Output Escaping

69% escaped (381 of 553 outputs)
Data Flows: 23 unsanitized

Data Flow Analysis

25 flows, 23 with unsanitized paths
adminImportProductsCallback (admin\class-ssbhesabfa-admin.php:238)
Attack Surface: 23 unprotected

Hesabfa Accounting Attack Surface

Entry Points: 23
Unprotected: 23

AJAX Handlers (23)

nopriv · wp_ajax_handle_webhook_request (includes\class-ssbhesabfa.php:168)
auth · wp_ajax_handle_webhook_request (includes\class-ssbhesabfa.php:169)
auth · wp_ajax_adminExportProducts (includes\class-ssbhesabfa.php:281)
auth · wp_ajax_adminImportProducts (includes\class-ssbhesabfa.php:282)
auth · wp_ajax_adminExportProductsOpeningQuantity (includes\class-ssbhesabfa.php:283)
auth · wp_ajax_adminExportCustomers (includes\class-ssbhesabfa.php:284)
auth · wp_ajax_adminSyncChanges (includes\class-ssbhesabfa.php:290)
auth · wp_ajax_adminSyncProducts (includes\class-ssbhesabfa.php:291)
auth · wp_ajax_adminSyncOrders (includes\class-ssbhesabfa.php:292)
auth · wp_ajax_adminUpdateProducts (includes\class-ssbhesabfa.php:293)
auth · wp_ajax_adminUpdateProductsWithFilter (includes\class-ssbhesabfa.php:294)
auth · wp_ajax_adminSubmitInvoice (includes\class-ssbhesabfa.php:295)
auth · wp_ajax_adminRemoveInvoice (includes\class-ssbhesabfa.php:296)
auth · wp_ajax_adminCleanLogFile (includes\class-ssbhesabfa.php:302)
auth · wp_ajax_adminSyncProductsManually (includes\class-ssbhesabfa.php:304)
auth · wp_ajax_adminClearPluginData (includes\class-ssbhesabfa.php:305)
auth · wp_ajax_adminInstallPluginData (includes\class-ssbhesabfa.php:306)
auth · wp_ajax_adminChangeProductCode (includes\class-ssbhesabfa.php:307)
auth · wp_ajax_adminDeleteProductLink (includes\class-ssbhesabfa.php:308)
auth · wp_ajax_adminUpdateProduct (includes\class-ssbhesabfa.php:309)
auth · wp_ajax_adminChangeProductsCode (includes\class-ssbhesabfa.php:310)
auth · wp_ajax_adminDeleteProductsLink (includes\class-ssbhesabfa.php:311)
auth · wp_ajax_adminUpdateProductAndVariations (includes\class-ssbhesabfa.php:312)
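A site owner who cannot wait for upstream can put a guard in front of the handlers listed above without editing plugin files. The must-use plugin below is an added example, not part of the Hesabfa Accounting plugin: it hooks the same wp_ajax_ actions at an earlier priority and refuses the request unless the caller holds a shop-manager capability and, where the browser supplies it, the Fetch Metadata header says the request is same-origin. The 21 admin* action names are the ones listed above; the assumptions are that the plugin registers its own callbacks at WordPress's default priority 10 and that manage_woocommerce is the right capability for the site.

```php
<?php
/**
 * Plugin Name: Hesabfa AJAX guard (added example)
 *
 * Added example, not Hesabfa Accounting code. Save as
 * wp-content/mu-plugins/hesabfa-ajax-guard.php. Assumptions: the plugin's
 * own callbacks sit at priority 10 (WordPress default), and shop staff hold
 * the manage_woocommerce capability; adjust the capability if they do not.
 */

// The 21 authenticated admin actions from the plugin's AJAX handler list.
$example_hesabfa_admin_actions = array(
    'adminExportProducts', 'adminImportProducts', 'adminExportProductsOpeningQuantity',
    'adminExportCustomers', 'adminSyncChanges', 'adminSyncProducts', 'adminSyncOrders',
    'adminUpdateProducts', 'adminUpdateProductsWithFilter', 'adminSubmitInvoice',
    'adminRemoveInvoice', 'adminCleanLogFile', 'adminSyncProductsManually',
    'adminClearPluginData', 'adminInstallPluginData', 'adminChangeProductCode',
    'adminDeleteProductLink', 'adminUpdateProduct', 'adminChangeProductsCode',
    'adminDeleteProductsLink', 'adminUpdateProductAndVariations',
);

function example_hesabfa_ajax_guard() {
    // Authorisation: wp_ajax_ hooks fire for any logged-in user, so require
    // a shop-manager capability before the plugin's own callback can run.
    // wp_send_json_error() ends the request, so nothing after it executes.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    // CSRF layer: current browsers send Sec-Fetch-Site on every request.
    // A cross-site page driving an administrator's browser yields
    // 'cross-site'; the plugin's own admin page yields 'same-origin'.
    // Requests without the header (older browsers, non-browser clients) are
    // let through, so this narrows CSRF rather than replacing a nonce.
    if ( isset( $_SERVER['HTTP_SEC_FETCH_SITE'] ) && 'same-origin' !== $_SERVER['HTTP_SEC_FETCH_SITE'] ) {
        wp_send_json_error( array( 'message' => 'Cross-site request refused.' ), 403 );
    }
}

// A negative priority runs before the plugin's callback on the same hook,
// so a refused request never reaches it. The two handle_webhook_request
// registrations are deliberately left alone: the nopriv one is the
// unauthenticated webhook receiver and wrapping it would break inbound
// webhooks.
foreach ( $example_hesabfa_admin_actions as $example_action ) {
    add_action( 'wp_ajax_' . $example_action, 'example_hesabfa_ajax_guard', -100 );
}
```

This is containment, not a fix: it does nothing for the unauthenticated webhook handler or for the log-file exposure, and entry points outside admin-ajax.php (the plugin also hooks query_vars and parse_request) are not covered. Remove it once an upstream release with proper nonce and capability checks is confirmed.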
WordPress Hooks (64)
action · admin_menu (admin\partials\ssbhesabfa-admin-display.php:21)
action · ssbhesabfa_home_setting (admin\partials\ssbhesabfa-admin-setting.php:24)
action · ssbhesabfa_catalog_setting (admin\partials\ssbhesabfa-admin-setting.php:26)
action · ssbhesabfa_catalog_setting_save_field (admin\partials\ssbhesabfa-admin-setting.php:27)
action · ssbhesabfa_customers_setting (admin\partials\ssbhesabfa-admin-setting.php:32)
action · ssbhesabfa_customers_setting_save_field (admin\partials\ssbhesabfa-admin-setting.php:33)
action · ssbhesabfa_invoice_setting (admin\partials\ssbhesabfa-admin-setting.php:38)
action · ssbhesabfa_invoice_setting_save_field (admin\partials\ssbhesabfa-admin-setting.php:39)
action · ssbhesabfa_payment_setting (admin\partials\ssbhesabfa-admin-setting.php:44)
action · ssbhesabfa_payment_setting_save_field (admin\partials\ssbhesabfa-admin-setting.php:45)
action · ssbhesabfa_api_setting (admin\partials\ssbhesabfa-admin-setting.php:50)
action · ssbhesabfa_api_setting_save_field (admin\partials\ssbhesabfa-admin-setting.php:51)
action · ssbhesabfa_export_setting (admin\partials\ssbhesabfa-admin-setting.php:53)
action · ssbhesabfa_sync_setting (admin\partials\ssbhesabfa-admin-setting.php:55)
action · ssbhesabfa_log_setting (admin\partials\ssbhesabfa-admin-setting.php:57)
action · ssbhesabfa_extra_setting (admin\partials\ssbhesabfa-admin-setting.php:59)
action · ssbhesabfa_extra_setting_save_field (admin\partials\ssbhesabfa-admin-setting.php:60)
action · admin_notices (includes\class-ssbhesabfa-webhook.php:123)
action · plugins_loaded (includes\class-ssbhesabfa.php:141)
action · admin_enqueue_scripts (includes\class-ssbhesabfa.php:158)
action · admin_enqueue_scripts (includes\class-ssbhesabfa.php:159)
action · upgrader_process_complete (includes\class-ssbhesabfa.php:162)
filter · query_vars (includes\class-ssbhesabfa.php:165)
action · parse_request (includes\class-ssbhesabfa.php:166)
action · init (includes\class-ssbhesabfa.php:172)
action · admin_notices (includes\class-ssbhesabfa.php:177)
filter · woocommerce_product_export_column_names (includes\class-ssbhesabfa.php:182)
filter · woocommerce_product_export_product_default_columns (includes\class-ssbhesabfa.php:183)
filter · woocommerce_product_export_rows (includes\class-ssbhesabfa.php:184)
filter · manage_edit-product_columns (includes\class-ssbhesabfa.php:190)
action · manage_product_posts_custom_column (includes\class-ssbhesabfa.php:191)
filter · manage_edit-product_sortable_columns (includes\class-ssbhesabfa.php:192)
action · pre_get_posts (includes\class-ssbhesabfa.php:193)
action · custom_product_tabs (includes\class-ssbhesabfa.php:196)
filter · woocommerce_shop_order_list_table_columns (includes\class-ssbhesabfa.php:200)
action · woocommerce_shop_order_list_table_custom_column (includes\class-ssbhesabfa.php:201)
filter · bulk_actions-woocommerce_page_wc-orders (includes\class-ssbhesabfa.php:202)
filter · handle_bulk_actions-woocommerce_page_wc-orders (includes\class-ssbhesabfa.php:203)
filter · manage_edit-shop_order_columns (includes\class-ssbhesabfa.php:205)
action · manage_shop_order_posts_custom_column (includes\class-ssbhesabfa.php:206)
filter · bulk_actions-edit-shop_order (includes\class-ssbhesabfa.php:207)
filter · handle_bulk_actions-edit-shop_order (includes\class-ssbhesabfa.php:208)
filter · woocommerce_checkout_fields (includes\class-ssbhesabfa.php:214)
action · woocommerce_admin_order_data_after_billing_address (includes\class-ssbhesabfa.php:219)
action · woocommerce_order_status_changed (includes\class-ssbhesabfa.php:224)
action · woocommerce_order_status_changed (includes\class-ssbhesabfa.php:226)
action · woocommerce_new_order (includes\class-ssbhesabfa.php:227)
filter · woocommerce_order_status_changed (includes\class-ssbhesabfa.php:234)
action · edit_user_profile (includes\class-ssbhesabfa.php:238)
action · user_register (includes\class-ssbhesabfa.php:240)
action · personal_options_update (includes\class-ssbhesabfa.php:244)
action · profile_update (includes\class-ssbhesabfa.php:246)
action · delete_user (includes\class-ssbhesabfa.php:248)
action · woocommerce_update_product (includes\class-ssbhesabfa.php:254)
action · before_delete_post (includes\class-ssbhesabfa.php:257)
action · woocommerce_product_options_general_product_data (includes\class-ssbhesabfa.php:261)
action · woocommerce_process_product_meta (includes\class-ssbhesabfa.php:262)
action · woocommerce_product_after_variable_attributes (includes\class-ssbhesabfa.php:264)
action · woocommerce_save_product_variation (includes\class-ssbhesabfa.php:265)
filter · woocommerce_product_data_tabs (includes\class-ssbhesabfa.php:267)
action · woocommerce_product_data_panels (includes\class-ssbhesabfa.php:268)
action · admin_notices (includes\class-ssbhesabfa.php:272)
action · admin_notices (includes\class-ssbhesabfa.php:274)
action · admin_notices (includes\class-ssbhesabfa.php:315)
Maintenance & Trust

Hesabfa Accounting Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Sep 29, 2025
PHP min version: 5.6
Downloads: 19K

Community Trust

Rating: 100/100
Number of ratings: 3
Active installs: 500
Alternatives

Hesabfa Accounting Alternatives

No alternatives data available yet.

Developer Profile

Hesabfa Accounting Developer Profile

Saeed Sattar Beglou

1 plugin · 500 total installs
Trust score: 68
Avg Security Score: 54/100
Avg Patch Time: 6 days
Detection Fingerprints

How We Detect Hesabfa Accounting

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling. All of the assets below live under admin/ and are enqueued on admin_enqueue_scripts (see the hooks list), so they do not appear in the HTML of public pages; detection relies on requesting these asset paths directly and checking that they are served.

Asset Fingerprints

Asset Paths
/wp-content/plugins/hesabfa-accounting/admin/css/ssbhesabfa-admin.css
/wp-content/plugins/hesabfa-accounting/admin/css/bootstrap.css
/wp-content/plugins/hesabfa-accounting/admin/js/ssbhesabfa-admin.js
/wp-content/plugins/hesabfa-accounting/admin/js/bootstrap.bundle.min.js
Script Paths
/wp-content/plugins/hesabfa-accounting/admin/js/ssbhesabfa-admin.js
/wp-content/plugins/hesabfa-accounting/admin/js/bootstrap.bundle.min.js
Version Parameters
hesabfa-accounting/admin/css/ssbhesabfa-admin.css?v=1
hesabfa-accounting/admin/css/bootstrap.css
hesabfa-accounting/admin/js/ssbhesabfa-admin.js
hesabfa-accounting/admin/js/bootstrap.bundle.min.js

HTML / DOM Fingerprints

CSS Classes
ssbhesabfa-admin-css
Data Attributes
data-bs-toggle, data-bs-target, aria-controls, aria-labelledby, data-bs-parent
JS Globals
ssbhesabfa_obj
FAQ

Frequently Asked Questions about Hesabfa Accounting