[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ff9zIibLv7zsa3AakxUZFciyU69x40OMBLDbb3VmUp1E":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":23,"download_link":24,"security_score":25,"vuln_count":14,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28,"vulnerabilities":29,"developer":45,"crawl_stats":35,"alternatives":50,"analysis":51,"fingerprints":118},"sell-btc-by-hayyatapps","Sell BTC – Cryptocurrency Selling  Calculator","1.6","hayyatapps","https:\u002F\u002Fprofiles.wordpress.org\u002Fhayyatapps\u002F","\u003Cp>HayyatApps’s Bitcoin and Cryptocurrency Calculator allows you to set exchange fees for different cryptocurrencies including BTC, BCH, ETH and XRP to USD, EUR, GBP and your other local currencies. You can connect this plugin to your custom checkout pages or use the builtin-in order form of this plugin to engage your customers.\u003C\u002Fp>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FfhUbUZpwJhI?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Ch3>Features\u003C\u002Fh3>\n\u003Col>\n\u003Cli>Top Fiat Currencies\u003C\u002Fli>\n\u003Cli>Top Crypto Currencies\u003C\u002Fli>\n\u003Cli>Realtime exchange rates\u003C\u002Fli>\n\u003Cli>Show selected currencies only\u003C\u002Fli>\n\u003Cli>Set exchange fees & min convertible amounts\u003C\u002Fli>\n\u003Cli>Show \u002F hide fees and other 
settings\u003C\u002Fli>\n\u003Cli>Take Orders & get notified via email\u003C\u002Fli>\n\u003Cli>Connect with your custom checkout page\u003C\u002Fli>\n\u003Cli>Admin Backend settings\u003C\u002Fli>\n\u003Cli>Fully Responsive\u003C\u002Fli>\n\u003C\u002Fol>\n","Use this calculator plugin to sell bitcoin and other cryptocurrencies on your website with option to set custom margins fees and minimum convertible a &hellip;",10,4078,100,1,"2026-01-30T11:27:00.000Z","6.9.4","5.0","5.6",[20,21,22],"cryptocurrency-calculator","sell-bitcoin","sell-cryptocurrency","https:\u002F\u002Fhayyatapps.com\u002Fsell-btc-by-hayyatapps\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsell-btc-by-hayyatapps.1.6.zip",97,0,"2026-01-30 00:00:00","2026-03-15T15:16:48.613Z",[30],{"id":31,"url_slug":32,"title":33,"description":34,"plugin_slug":4,"theme_slug":35,"affected_versions":36,"patched_in_version":6,"severity":37,"cvss_score":38,"cvss_vector":39,"vuln_type":40,"published_date":27,"updated_date":41,"references":42,"days_to_patch":44},"CVE-2025-14554","sell-btc-cryptocurrency-selling-calculator-unauthenticated-stored-cross-site-scripting-via-orderformdata-ajax-action","Sell BTC - Cryptocurrency Selling Calculator \u003C= 1.5 - Unauthenticated Stored Cross-Site Scripting via 'orderform_data' AJAX Action","The Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'orderform_data' AJAX action in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in order records that will execute whenever an administrator accesses the Orders page in the admin dashboard. 
The vulnerability was partially patched in version 1.5.",null,"\u003C=1.5","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-31 13:24:24",[43],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F720be34d-3fe4-4395-a27b-d386f8612ba9?source=api-prod",2,{"slug":7,"display_name":7,"profile_url":8,"plugin_count":46,"total_installs":47,"avg_security_score":48,"avg_patch_time_days":44,"trust_score":48,"computed_at":49},5,390,99,"2026-04-04T17:04:34.577Z",[],{"attackSurface":52,"codeSignals":80,"taintFlows":103,"riskAssessment":104,"analyzedAt":117},{"hooks":53,"ajaxHandlers":69,"restRoutes":77,"shortcodes":78,"cronEvents":79,"entryPointCount":44,"unprotectedCount":44},[54,61,65],{"type":55,"name":56,"callback":57,"priority":58,"file":59,"line":60},"action","admin_enqueue_scripts","HAYYAT_CSSJS",111,"sell-btc.php",31,{"type":55,"name":62,"callback":63,"file":59,"line":64},"admin_menu","HAYYAT_menu",33,{"type":55,"name":66,"callback":67,"priority":58,"file":59,"line":68},"wp_enqueue_scripts","HAYYAT_scripts",34,[70,75],{"action":71,"nopriv":72,"callback":71,"hasNonce":73,"hasCapCheck":73,"file":59,"line":74},"orderform_data",true,false,36,{"action":71,"nopriv":73,"callback":71,"hasNonce":73,"hasCapCheck":73,"file":59,"line":76},37,[],[],[],{"dangerousFunctions":81,"sqlUsage":82,"outputEscaping":92,"fileOperations":14,"externalRequests":26,"nonceChecks":26,"capabilityChecks":26,"bundledLibraries":102},[],{"prepared":14,"raw":44,"locations":83},[84,88],{"file":85,"line":86,"context":87},"functions\\form_tab.php",50,"$wpdb->get_var() with variable interpolation",{"file":89,"line":90,"context":91},"functions-admin.php",59,"$wpdb->get_results() with variable interpolation",{"escaped":93,"rawEcho":44,"locations":94},19,[95,99],{"file":96,"line":97,"context":98},"Pages\\orders.php",28,"raw 
output",{"file":100,"line":101,"context":98},"Pages\\settings.php",15,[],[],{"summary":105,"deductions":106},"The 'sell-btc-by-hayyatapps' v1.6 plugin exhibits a mixed security posture. While it demonstrates good practices with a high percentage of properly escaped output and no reported critical or high severity taint flows, significant concerns arise from its attack surface and lack of robust authentication checks. The presence of two AJAX handlers without any authentication or capability checks creates a direct entry point for unauthenticated users, which is a major security weakness. This lack of protection could allow malicious actors to trigger unintended actions or access sensitive data if these handlers are not sufficiently secured internally. The plugin's vulnerability history shows one known high severity CVE (CVE-2025-14554), which this record lists as patched in version 1.6, with no unpatched vulnerabilities outstanding. This, coupled with the existing unprotected entry points, suggests a potential for exploitation if similar vulnerabilities are introduced or if the current unprotected handlers are found to be susceptible to common web attacks. While the plugin avoids dangerous functions and external HTTP requests, and some of its SQL queries use prepared statements, the code signals also record raw queries built with variable interpolation; these, together with the identified unprotected AJAX endpoints and the past high-severity vulnerability, are critical areas that require immediate attention to improve its overall security.",[107,109,111,113,115],{"reason":108,"points":11},"AJAX handlers without auth checks",{"reason":110,"points":46},"0 Nonce checks",{"reason":112,"points":46},"0 Capability checks",{"reason":114,"points":101},"One high severity CVE in history",{"reason":116,"points":46},"SQL queries without prepared statements","2026-03-16T23:40:40.646Z",{"wat":119,"direct":147},{"assetPaths":120,"generatorPatterns":138,"scriptPaths":139,"versionParams":140},[121,122,123,124,125,126,127,128,125,129,130,131,132,133,134,135,136,137],"\u002Fwp-content\u002Fplugins\u002Fsell-btc-by-hayyatapps\u002FCSS\u002Fstyle.css","\u002Fwp-content\u002Fplugins\u002Fsell-btc-by-hayyatapps\u002FJS\u002Ftipx\u002Fjqu.css","\u002Fwp-content\u002Fplugins\u002Fsell-btc-by-hayyatapps\u002FJS\u002Ftipx\u002Fstyle.css","\u002Fwp-content\u002Fplugins\u002Fsell-btc-by-hayyatapps\u002FCSS\u002Fadmin.css","\u002Fwp-content\u002Fplugins\u002Fsell-btc-by-hayyatapps\u002FJS\u002Fa81368914c.js","\u002Fwp-content\u002Fplugins\u002Fsell-btc-by-hayyatapps\u002Fwpbox-admin.js","\u002Fwp-content\u002Fplugins\u002Fsell-btc-by-hayyatapps\u002FJS\u002Ffeedback.js","\u002Fwp-content\u002Fplugins\u002Fsell-btc-by-hayyatapps\u002FJS\u002Fpages.js","\u002Fwp-content\u002Fplugins\u002Fsell-btc-by-hayyatapps\u002Flib\u002Fjs\u002Fformatters.js","\u002Fwp-content\u002Fplugins\u002Fsell-btc-by-hayyatapps\u002Flib\u002Fjs\u002Fscript.js","\u002Fwp-content\u002Fplugins\u002Fsell-btc-by-hayyatapps\u002Flib\u002Fjs\u002Fmenu-haaps.js","\u002Fwp-content\u002Fplugins\u002Fsell-btc-by-hayyatapps\u002Flib\u002Fjs\u002Forders.js","\u002Fwp-content\u002Fplugins\u002Fsell-btc-by-hayyatapps\u002Flib\u002Fjs\u002Fex.js","\u002Fwp-content\u002Fplugins\u0
02Fsell-btc-by-hayyatapps\u002Flib\u002Fjs\u002Fhayyatapps.js","\u002Fwp-content\u002Fplugins\u002Fsell-btc-by-hayyatapps\u002Flib\u002Fcss\u002Fskin.css","\u002Fwp-content\u002Fplugins\u002Fsell-btc-by-hayyatapps\u002Flib\u002Fcss\u002Fcss.css","\u002Fwp-content\u002Fplugins\u002Fsell-btc-by-hayyatapps\u002Flib\u002Fcss\u002Fadditional-css.css",[],[125,126,127,128,125,129,130,131,132,133,134],[141,142,143,144,145,146],"sell-btc-by-hayyatapps\u002FCSS\u002Fstyle.css?v=2.1","sell-btc-by-hayyatapps\u002Flib\u002Fjs\u002Fscript.js?ver=2.1","sell-btc-by-hayyatapps\u002Flib\u002Fjs\u002Fmenu-haaps.js?ver=2.1","sell-btc-by-hayyatapps\u002Flib\u002Fjs\u002Forders.js?ver=2.1","sell-btc-by-hayyatapps\u002Flib\u002Fjs\u002Fex.js?ver=2.1","sell-btc-by-hayyatapps\u002Flib\u002Fjs\u002Fhayyatapps.js?ver=2.1",{"cssClasses":148,"htmlComments":157,"htmlAttributes":158,"restEndpoints":168,"jsGlobals":169,"shortcodeOutput":170},[149,150,151,152,153,154,155,156],"happs-dropdown","happs-noselect","happs-list-btn","happs-menu-item","happs-selected","happs-icons","happs-down-arrow","happs-list",[],[159,160,161,162,163,164,165,166,167],"happs-curr-from","list","happs-curr-to","data-list","data-value-1","data-f","data-mf","data-ma","data-value-2",[],[],[171,172,173,174,175,176,177],"\u003Cdiv class=\"happs-dropdown happs-noselect\">\n\n  \u003Cdiv class=\"happs-list-btn\" happs-curr-from=\"USD\" list=\"happs-from\">\n      \u003Cspan class=\"happs-menu-item happs-selected\">\u003Cimg src=\"","\" class=\"happs-icons\"> USD \u003Ci class=\"fas fa-chevron-down happs-down-arrow\">\u003C\u002Fi>\u003C\u002Fspan>\n\u003C\u002Fdiv>\n\n  \u003Cdiv class=\"happs-list\" data-list=\"happs-from\">\n   \u003Cspan class=\"happs-menu-item\" data-value-1=\"USD\" data-f=\"2.5%\" data-mf=\"1\" data-ma=\"10\">\n\u003Cimg src=\"","\" class=\"happs-icons\"> USD\u003C\u002Fspan>\n  \u003C\u002Fdiv>\n\u003C\u002Fdiv>\n\n","\u003Cdiv class=\"happs-dropdown happs-noselect\">\n  \u003Cdiv class=\"happs-list-btn\" 
happs-curr-to=\"BTC\" list=\"happs-to\">\n        \u003Cspan class=\"happs-menu-item happs-selected\">\u003Cimg src=\"","\" class=\"happs-icons\"> BTC \u003Ci class=\"fas fa-chevron-down happs-down-arrow\">\u003C\u002Fi>\u003C\u002Fspan>\n  \u003C\u002Fdiv>\n\n  \u003Cdiv class=\"happs-list\" data-list=\"happs-to\">\n\n \u003Cspan class=\"happs-menu-item\" data-value-2=\"BTC\">\n\u003Cimg src=\"","\" class=\"happs-icons\"> BTC\u003C\u002Fspan> \n\n\u003Cspan class=\"happs-menu-item\" data-value-2=\"ETH\">\n\u003Cimg src=\"","\" class=\"happs-icons\"> ETH\u003C\u002Fspan>\n\n \u003C\u002Fdiv>\n\u003C\u002Fdiv>"]