Lukasz Sobanski

**Name of the Vulnerable Software and Affected Versions** JetBackup – Backup, Restore & Migrate versões anteriores a 3.1.19.9 **Description** A validação insuficiente de entrada no parâmetro `fileName` no manipulador de upload de arquivos permite a travessia de diretório (path traversal). O plugin utiliza `sanitize text field()`, que remove tags HTML, mas não bloqueia sequências de travessia de caminho como '../'. A função `Upload::getFileLocation()` concatena esse nome de arquivo não sanitizado sem utilizar `basename()` ou verificar se o caminho resolvido permanece dentro do diretório pretendido. Consequentemente, quando um arquivo inválido é enviado, a lógica de limpeza aplica `dirname()` ao caminho atravessado e o passa para `Util::rm()`, que exclui recursivamente o diretório resolvido. Atacantes autenticados com acesso de nível de administrador podem usar isso para excluir diretórios críticos do WordPress, como 'wp-content/plugins', causando interrupção grave no site. **Recommendations** Atualize o plugin para uma versão posterior à 3.1.19.8.

Name of the Vulnerable Software and Affected Versions Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress versões até e incluindo 3.6.3 Description O plugin Kadence Blocks para WordPress não verifica corretamente a capacidade `upload files` para usuários acessando o endpoint da API `process pattern`. Isso permite que invasores autenticados com acesso de nível de colaborador ou superior carreguem imagens para a Biblioteca de Mídia do WordPress fornecendo URLs de imagens remotas, que o servidor então baixa e cria como anexos de mídia. Recommendations Atualize o plugin Kadence Blocks — Page Builder Toolkit for Gutenberg Editor para WordPress para uma versão posterior a 3.6.3.

**Name of the Vulnerable Software and Affected Versions** LatePoint – Calendar Booking Plugin for Appointments and Events versions through 5.2.7 **Description** The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is susceptible to Cross-Site Request Forgery. This is caused by insufficient or incorrect nonce validation within the `reload preview()` function. An unauthenticated attacker could potentially update settings and inject malicious web scripts by forging a request, provided they can mislead a site administrator into performing an action. **Recommendations** Update LatePoint – Calendar Booking Plugin for Appointments and Events to a version later than 5.2.7.

**Name of the Vulnerable Software and Affected Versions** Seraphinite Accelerator plugin for WordPress versions up to and including 2.28.14 **Description** The Seraphinite Accelerator plugin for WordPress is susceptible to sensitive information disclosure. This is due to the `OnAdminApi GetData()` function lacking proper capability checks. Authenticated attackers with Subscriber-level access or higher can retrieve sensitive operational data through the `seraph accel api` AJAX action with the `fn=GetData` parameter. This data includes cache status, scheduled task information, and external database state. The `GetData` parameter is used in the `seraph accel api` API endpoint. **Recommendations** Update the Seraphinite Accelerator plugin to a version later than 2.28.14.

**Name of the Vulnerable Software and Affected Versions** The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin versions prior to 7.0.0.4 **Description** The plugin is susceptible to Server-Side Request Forgery (SSRF). This allows authenticated attackers with Administrator-level access or higher to make web requests to arbitrary locations from the web application. This can be used to query and modify information from internal services. The plugin also stores the contents of remote files on the server, potentially enabling the upload of arbitrary files and remote code execution. The vulnerable function is `download url()`. **Recommendations** Update The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin to version 7.0.0.4 or later.

**Name of the Vulnerable Software and Affected Versions** Responsive Lightbox & Gallery plugin for WordPress versions prior to 2.7.2 **Description** The software is susceptible to Server-Side Request Forgery. This is caused by using `strpos()` for hostname validation instead of strict host comparison within the `ajax upload image()` function. Authenticated attackers with Author-level access or higher can make web requests to arbitrary locations from the web application, potentially allowing them to query and modify information from internal services. **Recommendations** Update the Responsive Lightbox & Gallery plugin to version 2.7.2 or later.

**Name of the Vulnerable Software and Affected Versions** Disable Admin Notices – Hide Dashboard Notifications plugin for WordPress versions up to and including 1.4.2 **Description** The Disable Admin Notices – Hide Dashboard Notifications plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF). This is because of a lack of nonce validation in the `showPageContent()` function. An unauthenticated attacker could potentially add arbitrary URLs to the blocked redirects list by forging a request, provided they can trick a site administrator into performing an action, such as clicking a link. **Recommendations** Update the Disable Admin Notices – Hide Dashboard Notifications plugin to a version newer than 1.4.2.

**Name of the Vulnerable Software and Affected Versions** Smart Forms plugin for WordPress versions prior to 2.7.0 **Description** The Smart Forms plugin for WordPress has a flaw that allows unauthorized access to data. This is due to a missing capability check on the 'rednao smart forms get campaigns' AJAX action. Attackers with Subscriber-level access or higher can retrieve donation campaign data, including campaign IDs and names. The affected API endpoint is `rednao smart forms get campaigns`. **Recommendations** Update the Smart Forms plugin to version 2.7.0 or later.

**Name of the Vulnerable Software and Affected Versions** The Menu Icons by ThemeIsle plugin for WordPress versions up to and including 0.13.20 **Description** The software is susceptible to a Stored Cross-Site Scripting issue due to inadequate input sanitization and output escaping. This allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. The vulnerable parameter is ` wp attachment image alt` post meta. **Recommendations** Update The Menu Icons by ThemeIsle plugin to a version later than 0.13.20.