Andrea Bocchetti

**Nome do Software Vulnerável e Versões Afetadas** Cost Calculator Builder versões anteriores a 4.0.2 **Descrição** O plugin é suscetível a Manipulação de Preço Não Autenticada e Referência Direta a Objeto Insegura (IDOR), o que ocorre quando usado em combinação com o Cost Calculator Builder PRO. O problema surge porque a ação AJAX 'ccb woocommerce payment' é registrada via `wp ajax nopriv`, permitindo acesso não autenticado. Além disso, a função `renderWooCommercePayment()` passa dados controlados pelo usuário para `CCBWooCheckout::init()` sem realizar verificações de autorização. Isso permite que atacantes não autenticados adicionem produtos do WooCommerce ao carrinho com preços controlados pelo atacante. **Recomendações** Atualize para uma versão posterior à 4.0.1. Como medida paliativa temporária, restrinja o acesso à ação AJAX 'ccb woocommerce payment' apenas a usuários autenticados.

**Nome do Software Vulnerável e Versões Afetadas** AAWP versão 3.16 **Descrição** Um problema de cross-site scripting refletido existe onde atacantes autenticados podem injetar scripts maliciosos manipulando o parâmetro `tab`. Isso ocorre na página de administração 'aawp-settings', permitindo a execução de JavaScript arbitrário no contexto de usuários autenticados. **Recomendações** Como medida paliativa temporária, restrinja o acesso ao parâmetro `tab` na página de administração 'aawp-settings' para minimizar o risco de exploração.

**Nome do Software Vulnerável e Versões Afetadas** Royal Elementor Addons versões anteriores a 1.7.1057 **Descrição** O plugin Royal Elementor Addons para WordPress contém um problema de Stored Cross-Site Scripting. Isso ocorre devido à sanitização de entrada e escape de saída insuficientes na ação AJAX `wpr update form action meta` através do parâmetro `status`. Além disso, um nonce vazado publicamente permite acesso não autenticado ao manipulador AJAX, possibilitando que atacantes não autenticados injetem scripts web arbitrários em páginas que serão executados quando acessados por usuários. **Recomendações** Atualize o plugin para uma versão posterior a 1.7.1056.

The MetForm Pro plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 3.9.7 This is due to the payment integrations (Stripe/PayPal) trusting a user-submitted calculation field value without recomputing or validating it against the configured form price. This makes it possible for unauthenticated attackers to manipulate the payment amount via the 'mf-calculation' field in the form submission REST request granted there exists a specific form with this particular configuration.

Name of the Vulnerable Software and Affected Versions Elementor Website Builder – More Than Just a Page Builder plugin for WordPress versões até 3.35.5 Description O plugin Elementor Website Builder para WordPress é suscetível a Cross-Site Scripting Armazenado devido à sanitização inadequada de entrada e escape de saída. Isso permite que atacantes autenticados com acesso de nível de Contributor ou superior injetem scripts web arbitrários em páginas. Esses scripts serão executados quando um usuário acessar a página afetada. Recommendations Atualize para uma versão posterior a 3.35.5

**Name of the Vulnerable Software and Affected Versions** MetForm Pro plugin for WordPress versions through 3.9.6 **Description** The MetForm Pro plugin for WordPress is susceptible to Stored Cross-Site Scripting through the Quiz feature. Insufficient input sanitization and output escaping allow unauthenticated attackers to inject arbitrary web scripts into pages. These scripts will execute when a user accesses an injected page. **Recommendations** Update the MetForm Pro plugin to a version later than 3.9.6.

**Name of the Vulnerable Software and Affected Versions** wp.insider Simple Membership versions through 4.6.9 **Description** An authorization issue exists in wp.insider Simple Membership. The issue involves incorrectly configured access control security levels, potentially allowing unauthorized access. **Recommendations** Update to a version later than 4.6.9.

**Name of the Vulnerable Software and Affected Versions** Fluent Forms Pro Add On Pack versions prior to 6.1.13 **Description** The Fluent Forms Pro Add On Pack plugin for WordPress is susceptible to a Server-Side Request Forgery issue. This allows authenticated attackers with Subscriber-level access or higher to make web requests to arbitrary locations from the web application. Exploitation can enable querying and modification of information from internal services via the `saveDataSource` function. **Recommendations** Update Fluent Forms Pro Add On Pack to version 6.1.13 or later.

**Name of the Vulnerable Software and Affected Versions** JAY Login & Register plugin for WordPress versions prior to 2.6.04 **Description** The JAY Login & Register plugin for WordPress is susceptible to a privilege escalation issue. The plugin allows updating arbitrary user meta through the `jay login register ajax create final user` function, potentially enabling unauthenticated attackers to gain administrator privileges. **Recommendations** Update the JAY Login & Register plugin to version 2.6.04 or later.

**Name of the Vulnerable Software and Affected Versions** Infility Global plugin for WordPress versions prior to 2.14.46 **Description** The Infility Global plugin for WordPress is susceptible to unauthenticated SQL Injection through the '`infility get data`' API action. This is a result of inadequate escaping of user-supplied input and insufficient preparation of the SQL query. This allows unauthenticated attackers to potentially append additional SQL queries, and extract sensitive information from the database. **Recommendations** Update the Infility Global plugin to a version later than 2.14.46.

**Name of the Vulnerable Software and Affected Versions** All-in-One Video Gallery plugin for WordPress versions through 4.6.4 **Description** The All-in-One Video Gallery plugin for WordPress is susceptible to unauthorized data modification because of a missing capability check on the `ajax callback create bunny stream video`, `ajax callback get bunny stream video`, and `ajax callback delete bunny stream video` functions. This allows unauthenticated attackers to create and delete videos on the Bunny Stream CDN linked to the victim’s account, if they can acquire a valid nonce, which is present in public player templates. **Recommendations** Update to a version beyond 4.6.4.

**Advanced Custom Fields: Extended Plugin** Advanced Custom Fields: Extended versions up to and including 0.9.2.1 **Description** The Advanced Custom Fields: Extended plugin for WordPress has a flaw that allows unauthenticated attackers to gain administrator access. This is due to insufficient restrictions within the `insert user` function, which allows attackers to assign themselves the 'administrator' role during user registration, provided the 'role' parameter is mapped to a custom field. Approximately 100,000 websites are potentially affected. The issue can be exploited by submitting a crafted registration request. The `wp insert user()` function is abused to escalate privileges. The vulnerability allows for full site takeover, including the ability to upload malicious plugins and backdoors. A scanning campaign targeting WordPress plugins has been detected, potentially seeking to identify vulnerable sites. **Recommendations** Update to version 0.9.2.2 or later. Disable user registration until a patch is applied. Strip the role parameter from registration requests as a temporary mitigation. Review recent user registrations for unauthorized administrator accounts.

**Name of the Vulnerable Software and Affected Versions** LearnPress – WordPress LMS Plugin versions prior to 4.3.2.5 **Description** The LearnPress WordPress LMS Plugin is affected by a sensitive information disclosure issue. Unauthenticated attackers can extract sensitive data, including user first names, last names, social profile links, and enrollment information, through the `get item permissions check` function. **Recommendations** Update LearnPress – WordPress LMS Plugin to version 4.3.2.5 or later.

**Name of the Vulnerable Software and Affected Versions** Restrict Content plugin for WordPress versions prior to 3.2.17 **Description** The Restrict Content plugin for WordPress is affected by a missing authentication issue. This occurs due to a missing capability check within the `rcp stripe create setup intent for saved card` function. The plugin also fails to validate a user-controlled key, potentially allowing unauthenticated attackers to obtain Stripe SetupIntent client secret values for any membership. **Recommendations** Update to version 3.2.17 or later.

**Name of the Vulnerable Software and Affected Versions** Cost Calculator Builder plugin for WordPress versions prior to 3.7.0 **Description** The Cost Calculator Builder plugin for WordPress is susceptible to an unauthenticated payment status bypass. This occurs because the `complete payment` AJAX action is registered via `wp ajax nopriv`, allowing access to unauthenticated users. The `complete()` function only verifies a nonce, without checking user capabilities or order ownership. Nonces are exposed to all visitors via `window.ccb nonces` in the page source, enabling an attacker to mark any order's payment status as "completed" without actual payment. The issue requires the use of both Cost Calculator Builder and Cost Calculator Builder PRO. **Recommendations** Update the Cost Calculator Builder plugin to version 3.7.0 or later.

**Name of the Vulnerable Software and Affected Versions** Frontend Admin by DynamiApps versions through 3.28.25 **Description** The Frontend Admin by DynamiApps plugin for WordPress is affected by a missing authorization check, allowing unauthorized data modification and deletion. Specifically, a missing capability check on the `delete object` function enables unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts. **Recommendations** Versions prior to and including 3.28.25 should be updated to a newer, fixed version.

**Name of the Vulnerable Software and Affected Versions** AMP for WP plugin for WordPress versions prior to 1.1.11 **Description** The AMP for WP plugin for WordPress is susceptible to Stored Cross-Site Scripting through SVG file uploads. Insufficient sanitization of SVG file content allows for the injection of malicious web scripts. Specifically, the sanitization process only removes `<script>` tags, while other XSS vectors, such as event handlers (onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes, remain exploitable. Authenticated attackers with Author-level access or higher can upload malicious SVG files. These scripts execute whenever a user views the uploaded file. **Recommendations** Update the AMP for WP plugin to version 1.1.11 or later.

**Name of the Vulnerable Software and Affected Versions** Frontend Admin by DynamiApps versions through 3.28.25 **Description** The Frontend Admin by DynamiApps plugin for WordPress has a flaw that allows unauthenticated attackers to register as administrators and gain complete control of a site. This is possible because user-supplied role values are not adequately validated in the `validate value`, `pre update value`, and `get fields display` functions. An attacker needs access to a user registration form that includes a Role field to exploit this issue. **Recommendations** Versions prior to 3.28.25 should be updated.

**Name of the Vulnerable Software and Affected Versions** Gutenverse Form plugin for WordPress versions prior to 2.3.3 **Description** The Gutenverse Form plugin for WordPress is susceptible to Stored Cross-Site Scripting through SVG file uploads. The plugin’s framework component allows SVG files through the upload mimes filter without sanitizing the SVG file contents. This allows authenticated attackers with Author-level access or higher to upload SVG files containing malicious JavaScript. When these files are viewed, the malicious JavaScript executes in the victim’s browser, potentially leading to arbitrary JavaScript execution. **Recommendations** Update the Gutenverse Form plugin to version 2.3.3 or later.

**Name of the Vulnerable Software and Affected Versions** Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress versions prior to 1.3.9.3 **Description** The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress allows the upload of potentially dangerous file types, specifically `.phar` and `.svg` files. This is due to the plugin failing to block these file extensions. Successful exploitation could allow unauthenticated attackers to upload malicious files. Uploading `.phar` files, if the server is configured to execute them as PHP, can lead to remote code execution. Uploading `.svg` files can result in Stored Cross-Site Scripting. The vulnerable parameters are the file upload functionality within the contact form. **Recommendations** Update to version 1.3.9.3 or later.