Everett Griffiths

**Name of the Vulnerable Software and Affected Versions** iMember360 plugin versions 3.8.012 through 3.9.001 for WordPress **Description** A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of administrators for requests with an unspecified impact via the `i4w trace` parameter. **Recommendations** For iMember360 plugin versions 3.8.012 through 3.9.001, avoid using the `i4w trace` parameter in affected API endpoints until the issue is resolved. As a temporary workaround, consider restricting access to the iMember360 plugin to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** iMember360 plugin versions 3.8.012 through 3.9.001 **Description** The issue allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the `i4w trace` parameter. This can potentially be leveraged to allow remote attackers to execute code. **Recommendations** For iMember360 plugin versions 3.8.012 through 3.9.001, consider restricting access to the `i4w trace` parameter to minimize the risk of exploitation. As a temporary workaround, avoid using the `i4w trace` parameter in the affected plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** iMember360 plugin versions 3.8.012 through 3.9.001 **Description** The issue allows remote attackers to delete arbitrary users due to improper access restriction. This can be achieved by sending a request with a `user name` in the `Email` parameter and the API key in the `i4w clearuser` parameter. **Recommendations** For iMember360 plugin versions 3.8.012 through 3.9.001, consider restricting access to the API endpoint that processes the `i4w clearuser` parameter until a patch is available. Avoid using the `Email` parameter with arbitrary user names in requests to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** iMember360 plugin versions 3.8.012 through 3.9.001 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `decrypt` or `encrypt` parameter, potentially leading to cross-site scripting (XSS) attacks. **Recommendations** For iMember360 plugin versions 3.8.012 through 3.9.001, avoid using the `decrypt` and `encrypt` parameters in affected API endpoints until the issue is resolved.