Lana Codes

**Nome do software vulnerável e versões afetadas** Versões anteriores à 5.17.0 do plugin “Customer Reviews for WooCommerce” para WordPress **Descrição** O problema está relacionado à falha do plugin Customer Reviews for WooCommerce para WordPress em validar e escapar alguns de seus atributos de shortcode antes de exibi-los em uma página ou postagem onde o shortcode está incorporado. Isso poderia permitir que usuários com a função de colaborador ou superior realizassem ataques de Stored Cross-Site Scripting. **Recomendações** Para versões anteriores à 5.17.0, atualize para a versão 5.17.0 ou posterior para resolver o problema. Como solução temporária, considere restringir o uso de códigos de atalho para minimizar o risco de exploração. Evite usar atributos de código de atalho não validados e não escapados em páginas ou publicações até que o problema seja resolvido.

**Nome do software vulnerável e versões afetadas** Versões do plugin Qubely para WordPress anteriores à 1.8.5 **Descrição** O problema está relacionado ao plugin Qubely para WordPress, que não valida nem escapa algumas de suas opções de bloco antes de exibi-las em uma página ou postagem onde o bloco está incorporado. Isso poderia permitir que usuários com a função de colaborador ou superior realizassem ataques de Stored Cross-Site Scripting. **Recomendações** Para versões anteriores à 1.8.5, atualize para a versão 1.8.5 ou posterior para resolver o problema. Como solução temporária, considere restringir o uso das opções de bloco vulneráveis para minimizar o risco de exploração.

**Nome do software vulnerável e versões afetadas** Plugin UpQode Google Maps para WordPress, versões 1.0.0 a 1.0.5 **Descrição** O problema está relacionado ao fato de o plugin não validar nem escapar alguns dos atributos de seus códigos de atalho antes de exibi-los em uma página ou postagem onde o código de atalho está incorporado. Isso poderia permitir que usuários com a função de colaborador ou superior realizassem ataques de Stored Cross-Site Scripting. **Recomendações** Para as versões 1.0.0 a 1.0.5, atualize para uma versão que inclua a validação e o escape necessários dos atributos do shortcode para prevenir ataques de Stored Cross-Site Scripting. No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** Kebo Twitter Feed plugin versions prior to 1.5.12 **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For versions prior to 1.5.12, update to version 1.5.12 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WP Hide Post plugin versions <= 2.0.10 **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This means an attacker could potentially trick a user into performing unintended actions on a web application. **Recommendations** For WP Hide Post plugin versions <= 2.0.10, update to a version higher than 2.0.10 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Wbcom Designs – BuddyPress Activity Social Share plugin versions <= 3.5.0 **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For versions <= 3.5.0, update to a version higher than 3.5.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** MyThemeShop WP Shortcode by MyThemeShop plugin versions <= 1.4.16 **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For MyThemeShop WP Shortcode by MyThemeShop plugin versions <= 1.4.16, update to a version higher than 1.4.16 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Designs & Code Forget About Shortcode Buttons plugin versions <= 2.1.2 **Description** The issue is a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For versions <= 2.1.2, update to a version higher than 2.1.2 to resolve the issue. As a temporary workaround, consider implementing additional CSRF protection measures, such as token-based validation, to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WP Reactions Lite plugin versions 1.3.8 and earlier **Description** A Cross-Site Request Forgery (CSRF) issue affects the WP Reactions Lite plugin. This allows an attacker to perform unintended actions on a user's behalf. **Recommendations** For WP Reactions Lite plugin versions 1.3.8 and earlier, update to a version later than 1.3.8 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WPClever WPC Smart Wishlist for WooCommerce plugin versions <= 4.7.1 **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For versions <= 4.7.1, update to a version higher than 4.7.1 to resolve the issue. As a temporary workaround, consider implementing additional CSRF protection measures, such as token-based validation, to minimize the risk of exploitation. Restrict access to sensitive functionality within the WPC Smart Wishlist for WooCommerce plugin to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SendPress Newsletters plugin for WordPress versions up to, and including, 1.22.3.31 **Description** The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's shortcode(s), allowing authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages. These scripts will execute whenever a user accesses an injected page. **Recommendations** For SendPress Newsletters plugin for WordPress versions up to, and including, 1.22.3.31, update to a version that addresses the insufficient input sanitization and output escaping issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Simple Like Page Plugin for WordPress versions up to, and including, 1.5.1 **Description** The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the 'sfp-page-plugin' shortcode, allowing authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages. These scripts will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 1.5.1, update to a version that addresses the insufficient input sanitization and output escaping issue in the 'sfp-page-plugin' shortcode. As a temporary workaround, consider restricting access to the 'sfp-page-plugin' shortcode for users with contributor-level and above permissions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Interact: Embed A Quiz On Your Site plugin for WordPress versions up to, and including, 3.0.7 **Description** The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the 'interact-quiz' shortcode. This allows authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages. The injected scripts will execute whenever a user accesses the injected page. **Recommendations** For versions up to, and including, 3.0.7, update to a version later than 3.0.7 to resolve the issue. As a temporary workaround, consider restricting access to the 'interact-quiz' shortcode for users with contributor-level and above permissions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** WP MapIt plugin for WordPress versions up to, and including, 2.7.1 **Description** The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the 'wp mapit' shortcode. This allows authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages. The injected scripts will execute whenever a user accesses the injected page. **Recommendations** For WP MapIt plugin for WordPress versions up to, and including, 2.7.1, update to a version that addresses the insufficient input sanitization and output escaping issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Social Feed plugin for WordPress versions up to, and including, 1.5.4.6 **Description** The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the `socialfeed` shortcode. This allows authenticated attackers with author-level and above permissions to inject arbitrary web scripts in pages. The injected scripts will execute whenever a user accesses the injected page. **Recommendations** For Social Feed plugin for WordPress versions up to, and including, 1.5.4.6, update to a version that addresses the insufficient input sanitization and output escaping issue. As a temporary workaround, consider restricting access to the `socialfeed` shortcode for users with author-level and above permissions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** The Social Sharing Plugin - Social Warfare plugin for WordPress versions up to, and including, 4.4.3 **Description** The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the 'social warfare' shortcode, allowing authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages. These scripts will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 4.4.3, update to a version that addresses the insufficient input sanitization and output escaping issue in the 'social warfare' shortcode. As a temporary workaround, consider restricting access to the 'social warfare' shortcode for users with contributor-level and above permissions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** QR Code Tag plugin for WordPress versions up to, and including, 1.0 **Description** The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the 'qrcodetag' shortcode, allowing authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages. These scripts will execute whenever a user accesses an injected page. **Recommendations** For QR Code Tag plugin for WordPress versions up to, and including, 1.0, consider disabling the 'qrcodetag' shortcode until a patch is available to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** ImageMapper plugin for WordPress versions up to, and including, 1.2.6 **Description** The issue allows authenticated attackers with subscriber-level permissions and above to delete arbitrary posts and pages due to a missing capability check on the `imgmap delete area ajax` function. **Recommendations** For versions up to, and including, 1.2.6, update to a version that includes a fix for the missing capability check in the `imgmap delete area ajax` function to prevent unauthorized data loss.

**Name of the Vulnerable Software and Affected Versions** ImageMapper plugin for WordPress versions up to, and including, 1.2.6 **Description** The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the 'imagemap' shortcode, allowing authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages. This enables the execution of injected scripts whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 1.2.6, update to a version that addresses the insufficient input sanitization and output escaping issue in the 'imagemap' shortcode.

**Name of the Vulnerable Software and Affected Versions** Ziteboard Online Whiteboard plugin for WordPress versions up to, and including, 2.9.9 **Description** The issue arises from insufficient input sanitization and output escaping in the `ziteboard` shortcode, allowing authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages. This enables the execution of injected scripts whenever a user accesses an injected page. **Recommendations** For Ziteboard Online Whiteboard plugin for WordPress versions up to, and including, 2.9.9, update to a version that addresses the insufficient input sanitization and output escaping in the `ziteboard` shortcode. At the moment, there is no information about a newer version that contains a fix for this vulnerability.