
Ashkan Moghaddas

#21433 of 53,640
11.4 CVSS total
Vulnerabilities · 2
Medium · 2
PT-2026-27640
5.3
2026-03-25
WordPress · Peprodev Ultimate Invoice · CVE-2026-2343
**Name of the Vulnerable Software and Affected Versions** PeproDev Ultimate Invoice WordPress plugin versions through 2.2.5

**Description** The plugin allows for the bulk download of invoices, generating ZIP archives containing exported invoice PDFs. The ZIP file names are predictable, potentially allowing an attacker to brute force and retrieve Personally Identifiable Information (PII).

**Recommendations** Update PeproDev Ultimate Invoice WordPress plugin to a version later than 2.2.5.
PT-2026-2372
6.1
2026-01-13
Testa · Testa · CVE-2022-50896
**Name of the Vulnerable Software and Affected Versions** Testa version 3.5.1

**Description** The software contains a reflected cross-site scripting issue in the `login.php` file. Specifically, the `redirect` parameter is susceptible to malicious script injection. An attacker can craft a specially encoded payload within this parameter to execute arbitrary JavaScript code in a victim’s browser. The vulnerable API endpoint is `/login.php` and the vulnerable parameter is `redirect`.

**Recommendations** Apply any available updates to address the issue in Testa version 3.5.1.