Hung Nguyen

The HBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hb country iso', 'hb usa state iso', and 'hb canada province iso' parameters in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page (the HBook Customers admin page).

**Nome do Software Vulnerável e Versões Afetadas** Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets versões anteriores a 4.2.3 **Descrição** A Execução Remota de Código é possível através do recurso Display Logic. O problema ocorre porque o plugin utiliza a função `eval()` em expressões de Display Logic fornecidas pelo usuário com uma blocklist/allowlist insuficiente que pode ser burlada usando `array map` com concatenação de strings. Além disso, há uma falta de imposição de autorização no atributo `extended widget opts block`. Isso permite que atacantes autenticados, com nível de acesso de Colaborador (Contributor) ou superior, executem código arbitrário no servidor. **Recomendações** Atualize para uma versão posterior a 4.2.2.

**Nome do Software Vulnerável e Versões Afetadas** Breeze Cache versões anteriores a 2.4.5 **Descrição** Um problema de upload arbitrário de arquivos existe no plugin Breeze Cache para WordPress, afetando aproximadamente 400.000 instalações ativas. A falha está localizada na função `fetch gravatar from remote()`, onde uma expressão regular incorreta permite a extração de URLs do atributo `alt` de tags de imagem, em vez de apenas do atributo `src`. Atacantes não autenticados podem explorar isso manipulando o nome de exibição de um comentário para incluir uma URL maliciosa que aponte para um arquivo PHP. A função então baixa o arquivo sem validar seu tipo ou extensão, permitindo o upload de backdoors PHP e a possível execução remota de código. Isso só pode ser explorado se a configuração "Host Files Locally - Gravatars" estiver ativada, a qual vem desativada por padrão. A exploração no mundo real começou imediatamente após a divulgação em 22 de abril de 2026, com mais de 30.000 tentativas bloqueadas por firewalls de segurança e exploração em massa observada entre 24 e 29 de abril de 2026. **Recomendações** Atualize o Breeze Cache para a versão 2.4.5 ou posterior. Desative a configuração "Host Files Locally - Gravatars" para mitigar o risco de exploração.

**Name of the Vulnerable Software and Affected Versions** Download Monitor plugin for WordPress versions prior to 5.1.8 **Description** The software contains an Insecure Direct Object Reference issue in the `executePayment()` function. Missing validation on a user-controlled key allows unauthenticated attackers to complete arbitrary pending orders. This is possible due to a mismatch between the PayPal transaction `token` and the local `order id`, potentially enabling theft of paid digital goods by exploiting a payment token from a low-cost item to finalize a high-value order. **Recommendations** Update to Download Monitor plugin version 5.1.8 or later.

**Name of the Vulnerable Software and Affected Versions** The Ultimate WordPress Toolkit – WP Extended versions prior to 3.2.4 **Description** The 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress is susceptible to a privilege escalation issue. This is caused by an insecure `strpos()` check within the `isDashboardOrProfileRequest()` method against the `$ SERVER['REQUEST URI']` variable, used to determine if a request targets the dashboard or profile page. The `grantVirtualCaps()` function, which is connected to the `user has cap` filter, grants elevated capabilities, including `manage options`, when this check returns true. Authenticated attackers with Subscriber-level access or higher can exploit this by adding a crafted query parameter to any admin URL, enabling them to update arbitrary WordPress options and create new Administrator accounts. **Recommendations** Update 'The Ultimate WordPress Toolkit – WP Extended' to version 3.2.4 or later.

**Name of the Vulnerable Software and Affected Versions** Aimogen Pro versions up to 2.7.5 **Description** The Aimogen Pro plugin for WordPress is susceptible to an Arbitrary Function Call, potentially leading to privilege escalation. This is due to a missing capability check within the `aiomatic call ai function realtime` function. Unauthenticated attackers can exploit this to invoke arbitrary WordPress functions, such as `update option`, to modify site settings. Specifically, attackers can update the default user role for registration to administrator, enabling them to gain administrative access to a vulnerable site. The `update option` function allows modification of WordPress options, potentially impacting site security and functionality. **Recommendations** Aimogen Pro versions prior to 2.7.5 should be updated. As a temporary workaround, consider disabling the `aiomatic call ai function realtime` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Autoptimize versions prior to 3.1.15 **Description** The Autoptimize plugin for WordPress is susceptible to Stored Cross-Site Scripting through the `ao post preload` meta value. This is a result of inadequate input sanitization within the `ao metabox save()` function and a lack of output escaping when the value is rendered into a `<link>` tag in `autoptimizeImages.php`. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages. These scripts will execute when a user accesses an injected page, provided the "Image optimization" or "Lazy-load images" setting is enabled in the plugin configuration. **Recommendations** Update Autoptimize to version 3.1.15 or later.

**Name of the Vulnerable Software and Affected Versions** WP Go Maps (formerly WP Google Maps) versions through 10.0.05 **Description** The WP Go Maps plugin for WordPress is susceptible to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. A missing capability check in the `admin post wpgmza save settings` hook anonymous function allows authenticated attackers with Subscriber-level access or higher to inject arbitrary web scripts into pages. These scripts will execute whenever a user accesses the injected page via the `wpgmza custom js` parameter. **Recommendations** Versions prior to 10.0.06 should be updated.

**Name of the Vulnerable Software and Affected Versions** LatePoint – Calendar Booking Plugin for Appointments and Events versions through 5.2.7 **Description** The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is susceptible to privilege escalation through a flaw in the password reset functionality. The issue stems from the plugin permitting users with a LatePoint Agent role, while creating new customers, to define the `wordpress user id` field. This allows authenticated attackers possessing Agent-level access or higher to obtain elevated privileges by associating a customer with an arbitrary user ID, potentially including administrators, and subsequently resetting the password. The `wordpress user id` field is used to link a customer to a WordPress user account. **Recommendations** Versions prior to 5.2.7 should be updated to address this issue.

**Name of the Vulnerable Software and Affected Versions** Post Duplicator plugin for WordPress versions up to and including 3.0.8 **Description** The Post Duplicator plugin for WordPress is susceptible to unauthorized modification of protected post meta data. This occurs because the `duplicate post()` function utilizes `$wpdb->insert()` directly into the `wp postmeta` table, bypassing the standard `add post meta()` function and its associated `is protected meta()` check. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary protected meta keys, such as ` wp page template` and ` wp attached file`, on duplicated posts. The issue is exploitable through the `customMetaData` JSON array parameter in the `/wp-json/post-duplicator/v1/duplicate-post` API endpoint. **Recommendations** Update the Post Duplicator plugin to a version later than 3.0.8.

**Name of the Vulnerable Software and Affected Versions** Product Table and List Builder for WooCommerce Lite versions prior to 4.6.3 **Description** The Product Table and List Builder for WooCommerce Lite plugin for WordPress is susceptible to time-based SQL Injection. This is due to inadequate escaping of user-supplied input in the `search` parameter and insufficient preparation of the existing SQL query. This allows unauthenticated attackers to inject additional SQL queries into existing queries, potentially extracting sensitive information from the database. **Recommendations** Update to version 4.6.3 or later.

**Name of the Vulnerable Software and Affected Versions** SiteOrigin Widgets Bundle versions prior to 1.70.5 **Description** The SiteOrigin Widgets Bundle plugin for WordPress is susceptible to unauthorized arbitrary shortcode execution. This is caused by a missing capability check within the `siteorigin widget preview widget action()` function, which is registered through the `wp ajax so widgets preview` AJAX action. The function verifies a nonce (`widgets action`) but does not confirm user capabilities, allowing authenticated attackers with Subscriber-level access or higher to execute arbitrary shortcodes. The necessary nonce is exposed on the public frontend when the Post Carousel widget is present on a page, embedded within the `data-ajax-url` HTML attribute. Attackers can invoke the `SiteOrigin Widget Editor Widget` via the preview endpoint to exploit this issue. **Recommendations** Update SiteOrigin Widgets Bundle to version 1.70.5 or later.

**Nome do software vulnerável e versões afetadas** Plugin “The Post Grid Combo – 36+ Gutenberg Blocks” para versões do WordPress até a 2.2.68, inclusive **Descrição** A vulnerabilidade permite que invasores não autenticados extraiam dados confidenciais, incluindo rascunhos completos de postagens e postagens protegidas por senha, bem como a senha de postagens protegidas por senha, por meio do endpoint da API REST `get posts`. **Recomendações** Para versões até a 2.2.68, inclusive, considere desativar o endpoint da API REST `get posts` como uma solução temporária até que um patch esteja disponível. Restrinja o acesso a dados confidenciais para minimizar o risco de exploração.

**Nome do software vulnerável e versões afetadas** Plugin Limit Login Attempts Reloaded para versões do WordPress até a 2.25.26, inclusive **Descrição** O problema está relacionado a Stored Cross-Site Scripting (XSS) por meio dos shortcodes do plugin, devido à sanitização insuficiente de entradas e à falta de escapamento de saídas em atributos fornecidos pelo usuário, como `attributes` dos usuários. Isso permite que invasores autenticados com permissões de nível de colaborador ou superiores injetem scripts web arbitrários em páginas que serão executados sempre que um usuário acessar uma página injetada, potencialmente por meio de `API Endpoints` como `/wp-admin/admin.php`. **Recomendações** Para versões até e incluindo a 2.25.26, atualize para uma versão superior à 2.25.26 para resolver o problema. Como solução temporária, considere restringir o acesso aos códigos de atalho do plugin até que um patch esteja disponível. Restrinja as permissões para usuários com nível de colaborador e superior para minimizar o risco de exploração.