Angus Girvan

**Nome do Software Vulnerável e Versões Afetadas** Loco Translate versões anteriores a 2.8.3 **Descrição** O plugin Loco Translate para WordPress contém uma falha de path traversal. Atacantes autenticados com acesso de nível Translator ou superior (exigindo a capacidade `loco admin`) podem ler arquivos `.php`, `.js`, `.json` e `.twig` arbitrários do sistema de arquivos do servidor, excluindo o `wp-config.php`. Isso ocorre porque a função `findSourceFile()` não valida se o caminho resolvido permanece no diretório pretendido ao processar a variável `ref` através da rota AJAX 'fsReference', permitindo o uso de sequências `../` para acessar arquivos fora do diretório de tradução. **Recomendações** Atualize o plugin para uma versão posterior a 2.8.2. Como medida paliativa temporária, restrinja o acesso à rota AJAX 'fsReference' ou limite os usuários com a capacidade `loco admin`.

**Name of the Vulnerable Software and Affected Versions** WP Customer Area versões anteriores a 8.3.5 **Description** A validação insuficiente do caminho do arquivo na função `ajax attach file()` permite que atacantes autenticados com funções concedidas por um administrador, como Assinante, leiam ou excluam arquivos arbitrários no servidor. A leitura de arquivos pode expor informações sensíveis, enquanto a exclusão de arquivos, como 'wp-config.php', pode levar à execução remota de código. **Recommendations** Atualize para uma versão posterior à 8.3.4. Como medida paliativa temporária, restrinja o acesso à função `ajax attach file()` até que a atualização seja aplicada.

**Name of the Vulnerable Software and Affected Versions** Elementor Website Builder versions prior to 3.35.8 **Description** The Elementor Website Builder plugin for WordPress is susceptible to a flaw that allows unauthorized access to sensitive information. This is caused by a permission check error in the `is allowed to read template()` function, which incorrectly allows reading of non-published templates without proper edit capability verification. Authenticated attackers with contributor-level access or higher can read private or draft Elementor template content by manipulating the `template id` parameter within the `get template data` action of the `elementor ajax` endpoint. **Recommendations** Update Elementor Website Builder to version 3.35.8 or later.

**Name of the Vulnerable Software and Affected Versions** WP DSGVO Tools (GDPR) plugin for WordPress versions through 3.1.38 **Description** The WP DSGVO Tools (GDPR) plugin for WordPress is susceptible to unauthorized account destruction. The `super-unsubscribe` AJAX action allows unauthenticated users to bypass the email-confirmation process and immediately trigger irreversible account anonymization by submitting a victim's email address with the `process now` parameter set to 1. This results in password randomization, username/email overwriting, role stripping, comment anonymization, and the wiping of sensitive user metadata. The required nonce for the request is publicly available on any page containing the `[unsubscribe form]` shortcode. The vulnerable parameter is `process now`. The affected API endpoint is the `super-unsubscribe` AJAX action. **Recommendations** Update to version 3.1.39 or later.

**Nome do Software Vulnerável e Versões Afetadas** Versões do Restrict Content anteriores à 3.2.21 **Descrição** O plugin Restrict Content para WordPress possui uma falha que permite escalonamento de privilégios não autorizado. A função `rcp setup registration init()` manipula incorretamente o parâmetro POST `rcp level`, não verificando a atividade do nível de associação ou os requisitos de pagamento. Isso, combinado com o método `add user role()`, permite que atacantes se registrem com qualquer nível de associação, potencialmente obtendo funções privilegiadas do WordPress, como Administrador, ou acionando cobranças para níveis pagos. Uma correção parcial foi implementada na versão 3.2.18, mas o problema persistiu até a versão 3.2.20, inclusive. **Recomendações** Atualize para a versão 3.2.21 ou superior.

**Name of the Vulnerable Software and Affected Versions** weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress versions through 2.0.7 **Description** The weMail plugin for WordPress is affected by a flaw allowing unauthorized deletion of forms. The `Forms::permission()` function inadequately validates the `X-WP-Nonce` header, failing to verify user capabilities. The REST nonce is accessible to unauthenticated visitors through the `weMail` JavaScript object on pages containing weMail forms. This allows any unauthenticated user to permanently delete all weMail forms by obtaining the nonce from the page source and sending a DELETE request to the forms endpoint: `/wp-json/wemail/v1/forms`. The vulnerable parameter is the `X-WP-Nonce` header. **Recommendations** Update to a version of the weMail plugin later than 2.0.7.

**Name of the Vulnerable Software and Affected Versions** The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress versions through 21.0.9 **Description** The Shield Security plugin for WordPress is susceptible to unauthorized data modification. A missing capability check on the `MfaEmailDisable` action allows authenticated attackers with Subscriber-level access or higher to disable the global Email 2FA setting for the entire site. **Recommendations** Update The Shield Security plugin to a version later than 21.0.9.

**Name of the Vulnerable Software and Affected Versions** Zarinpal Gateway for WooCommerce plugin versions prior to 5.0.17 **Description** The Zarinpal Gateway for WooCommerce plugin for WordPress has an issue with Improper Access Control to Payment Status Update. The payment callback handler `Return from ZarinPal Gateway` does not properly validate the authority token provided in the callback URL, ensuring it belongs to the specific order being marked as paid. This allows unauthenticated attackers to mark orders as paid without completing a legitimate payment by reusing a valid authority token from a different transaction of the same amount. **Recommendations** Update the Zarinpal Gateway for WooCommerce plugin to version 5.0.17 or later.

**Name of the Vulnerable Software and Affected Versions** Super Page Cache versions prior to 5.2.3 **Description** The Super Page Cache plugin for WordPress is susceptible to Stored Cross-Site Scripting through the Activity Log. Insufficient input sanitization and output escaping allows unauthenticated attackers to inject arbitrary web scripts into pages. When a user accesses an injected page, the script will execute. **Recommendations** Update Super Page Cache to version 5.2.3 or later.

**Name of the Vulnerable Software and Affected Versions** Ajax Load More – Infinite Scroll, Load More, & Lazy Load plugin for WordPress versions through 7.8.1 **Description** The Ajax Load More plugin for WordPress has a flaw where data access isn’t properly controlled. Specifically, the `parse custom args()` function lacks correct authorization checks. This allows attackers who haven’t logged in to view titles and excerpts of posts that are private, drafts, pending publication, scheduled, or in the trash. **Recommendations** Update to a version newer than 7.8.1.

**Name of the Vulnerable Software and Affected Versions** Dokan versions up to and including 4.2.4 **Description** The Dokan plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. This flaw stems from a lack of validation on a user-controlled key within the `/wp-json/dokan/v1/settings` API endpoint. Authenticated attackers possessing customer-level permissions or higher can potentially read or modify store settings belonging to other vendors. This includes sensitive data such as PayPal email addresses, bank account details, routing numbers, IBANs, SWIFT codes, phone numbers, and addresses. Exploitation could allow attackers to redirect marketplace payouts to accounts they control, resulting in financial theft. The vulnerable parameter is a user-controlled key. **Recommendations** Update Dokan to a version beyond 4.2.4.

**Name of the Vulnerable Software and Affected Versions** weMail versions prior to 2.0.8 **Description** The weMail plugin for WordPress has a flaw where the REST API relies on the `x-wemail-user` HTTP header for user identification without confirming a valid WordPress session. This allows unauthenticated attackers, who can determine an administrator's email address (through the `/wp-json/wp/v2/users` endpoint), to act as that user. Successful exploitation grants access to CSV subscriber endpoints, potentially leading to the theft of Personally Identifiable Information (PII) like emails, names, and phone numbers from imported CSV files. **Recommendations** Update weMail to version 2.0.8 or later.

**Name of the Vulnerable Software and Affected Versions** Awesome Support - WordPress HelpDesk & Support Plugin versions prior to 6.3.7 **Description** The Awesome Support plugin for WordPress is affected by an authorization bypass. This is due to insufficient capability checks within the `wpas do mr activate user` function, which does not properly verify user permissions when modifying roles. A nonce reuse issue exists where nonces intended for public registration are also valid for privileged actions because all actions share the same nonce namespace. An unauthenticated attacker can exploit this by submitting a request to the 'wpas-do=mr activate user' action with a user-controlled `user id` parameter, provided they have access to a valid nonce from the public registration or submit ticket page. This allows them to demote administrators to lower-privilege roles. **Recommendations** Update to version 6.3.7 or later.

**Name of the Vulnerable Software and Affected Versions** Booking Calendar versions prior to 10.14.12 **Description** The Booking Calendar plugin for WordPress is susceptible to an authorization issue that can lead to the disclosure of sensitive information. Attackers with Subscriber-level access or higher can view all booking records in the database. This includes personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, payment status, booking costs, and booking hashes belonging to other users. **Recommendations** Update to version 10.14.12 or later.

**Name of the Vulnerable Software and Affected Versions** MailerLite - WooCommerce integration plugin for WordPress versions up to and including 3.1.3 **Description** The MailerLite - WooCommerce integration plugin for WordPress is susceptible to unauthorized data modification and deletion. This is caused by a lack of appropriate capability checks within the `resetIntegration()` function. Authenticated attackers possessing Subscriber-level access or higher can reset the plugin’s integration settings, delete all plugin options, and remove the plugin’s database tables (`woo mailerlite carts` and `woo mailerlite jobs`). This can lead to a complete loss of plugin data, including customer abandoned cart information and synchronization job history. **Recommendations** Update the MailerLite - WooCommerce integration plugin to version 3.1.4 or later.

**Name of the Vulnerable Software and Affected Versions** Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress versions up to and including 1.3.9.2 **Description** The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is susceptible to unauthorized modification of data. This is due to a missing ownership check within the `dnd codedropz upload delete()` function. This allows unauthenticated attackers to delete arbitrary uploaded files when the "Send attachments as links" setting is enabled. **Recommendations** Update to a version beyond 1.3.9.2.

**Name of the Vulnerable Software and Affected Versions** WP-Members Membership Plugin versions up to and including 3.5.4.3 **Description** The WP-Members Membership Plugin for WordPress is susceptible to Stored Cross-Site Scripting through the Multiple Checkbox and Multiple Select user profile fields. Insufficient input sanitization and output escaping allow authenticated attackers with Subscriber-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. **Recommendations** Update WP-Members Membership Plugin to a version later than 3.5.4.3.

**Name of the Vulnerable Software and Affected Versions** Simply Schedule Appointments Booking Plugin for WordPress versions prior to 1.6.9.9 **Description** The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress is susceptible to a blind SQL injection issue. This is due to inadequate escaping of user-supplied parameters and insufficient preparation of existing SQL queries. Specifically, the `order` and `append where sql` parameters are vulnerable. This allows unauthenticated attackers to append additional SQL queries to existing queries, potentially extracting sensitive information from the database. **Recommendations** Update to a version newer than 1.6.9.9

**Name of the Vulnerable Software and Affected Versions** Brevo for WooCommerce versions up to and including 4.0.49 **Description** The Brevo for WooCommerce plugin for WordPress is susceptible to Stored Cross-Site Scripting through the `user connection id` parameter. Insufficient input sanitization and output escaping allow unauthenticated attackers to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. **Recommendations** Update Brevo for WooCommerce to a version later than 4.0.49.

**Name of the Vulnerable Software and Affected Versions** Customer Reviews for WooCommerce plugin for WordPress versions prior to 5.93.2 **Description** The Customer Reviews for WooCommerce plugin for WordPress is susceptible to Stored Cross-Site Scripting through the `displayName` parameter. Insufficient input sanitization and output escaping allows authenticated attackers with customer-level access or higher to inject arbitrary web scripts into pages. These scripts execute when a user accesses the injected page. While invoking the AJAX action typically requires authentication, an attacker could potentially bypass this requirement if guest checkout is enabled and a valid form ID is obtained through placing an order. **Recommendations** Update the Customer Reviews for WooCommerce plugin to version 5.93.2 or later.