[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fg5XQZbNIO3Smg31vlU8Pu8K7A2ukXlUiWdMF6-yDjh8":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":21,"download_link":22,"security_score":23,"vuln_count":24,"unpatched_count":13,"last_vuln_date":25,"fetched_at":26,"vulnerabilities":27,"developer":44,"crawl_stats":33,"alternatives":47,"analysis":48,"fingerprints":84},"hostfact-bestelformulier-integratie","HostFact bestelformulier integratie","1.3","HostFact","https:\u002F\u002Fprofiles.wordpress.org\u002Fhostfact\u002F","\u003Cp>Zie https:\u002F\u002Fwww.hostfact.nl\u002Fhelp\u002Fartikel\u002F87\u002Fbestelformulier-integreren-in-een-wordpress-website\u002F voor meer informatie.\u003C\u002Fp>\n","Eenvoudige manier om het bestelformulier van HostFact in de Wordpress website te integreren.",200,2863,0,"2025-05-16T15:05:00.000Z","6.8.5","4.0","",[19,20],"hostfact","iframe-wrapper","https:\u002F\u002Fwww.hostfact.nl\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhostfact-bestelformulier-integratie.1.3.zip",99,1,"2024-12-11 15:22:05","2026-03-15T15:16:48.613Z",[28],{"id":29,"url_slug":30,"title":31,"description":32,"plugin_slug":4,"theme_slug":33,"affected_versions":34,"patched_in_version":35,"severity":36,"cvss_score":37,"cvss_vector":38,"vuln_type":39,"published_date":25,"updated_date":40,"references":41,"days_to_patch":43},"CVE-2024-11413","hostfact-bestelformulier-integratie-authenticated-contributor-stored-cross-site-scripting","HostFact bestelformulier integratie \u003C= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting","The HostFact bestelformulier integratie plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bestelformulier' shortcode in all versions up to, and including, 1.1 due 
to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",null,"\u003C=1.1","1.2","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2025-03-18 18:17:25",[42],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F24a33857-5df2-4747-950e-f5a87fd287c6?source=api-prod",97,{"slug":19,"display_name":7,"profile_url":8,"plugin_count":24,"total_installs":11,"avg_security_score":23,"avg_patch_time_days":43,"trust_score":45,"computed_at":46},78,"2026-04-04T19:19:55.314Z",[],{"attackSurface":49,"codeSignals":65,"taintFlows":72,"riskAssessment":73,"analyzedAt":83},{"hooks":50,"ajaxHandlers":57,"restRoutes":58,"shortcodes":59,"cronEvents":64,"entryPointCount":24,"unprotectedCount":13},[51],{"type":52,"name":53,"callback":54,"file":55,"line":56},"action","wp_enqueue_scripts","loadScripts","hostfact-bestelformulier.php",12,[],[],[60],{"tag":61,"callback":62,"file":55,"line":63},"bestelformulier","shortcode",15,[],{"dangerousFunctions":66,"sqlUsage":67,"outputEscaping":69,"fileOperations":13,"externalRequests":13,"nonceChecks":13,"capabilityChecks":13,"bundledLibraries":71},[],{"prepared":13,"raw":13,"locations":68},[],{"escaped":24,"rawEcho":13,"locations":70},[],[],[],{"summary":74,"deductions":75},"The \"hostfact-bestelformulier-integratie\" v1.3 plugin exhibits a mixed security posture. On the positive side, the static analysis reveals excellent adherence to secure coding practices. There are no detected dangerous functions, all SQL queries use prepared statements, and all output is properly escaped. 
Furthermore, there are no file operations or external HTTP requests, which generally reduces the attack surface. The absence of taint flows with unsanitized paths is also a strong indicator of secure input handling.\n\nHowever, the plugin does present some concerning areas. The static analysis finds no nonce or capability checks on any of its entry points, including its single shortcode. This means that actions triggered by the shortcode are not protected against unauthorized execution or CSRF attacks. The vulnerability history, while showing no currently unpatched issues, includes a past medium-severity Cross-Site Scripting (XSS) vulnerability. That this vulnerability was disclosed recently (2024-12-11) and has since been patched suggests that the developer actively fixes reported issues, but the past XSS finding warrants caution.\n\nIn conclusion, while the plugin demonstrates good fundamental coding practices regarding SQL and output handling, the complete absence of authorization checks on its sole entry point is a significant weakness. 
Combined with the past XSS vulnerability, this suggests a moderate risk, particularly if the shortcode performs sensitive operations that are not adequately protected by WordPress's built-in role management.",[76,79,81],{"reason":77,"points":78},"No nonce checks on entry points",10,{"reason":80,"points":78},"No capability checks on entry points",{"reason":82,"points":63},"Past medium severity XSS vulnerability","2026-03-16T20:28:22.493Z",{"wat":85,"direct":92},{"assetPaths":86,"generatorPatterns":88,"scriptPaths":89,"versionParams":90},[87],"\u002Fwp-content\u002Fplugins\u002Fhostfact-bestelformulier-integratie\u002Fhf-orderform.js",[],[87],[91],"hostfact-bestelformulier-integratie\u002Fhf-orderform.js?ver=",{"cssClasses":93,"htmlComments":95,"htmlAttributes":96,"restEndpoints":97,"jsGlobals":98,"shortcodeOutput":99},[94],"hf-orderform",[],[],[],[],[100,101],"\u003Ciframe src=\"","\" scrolling=\"no\" class=\"hf-orderform\" style=\"width:100%;border:0;overflow-y:hidden;\">\u003C\u002Fiframe>"]