Muqsith Barru

**Name of the Vulnerable Software and Affected Versions** Weaver Show Posts plugin for WordPress versions up to and including 1.8.1 **Description** The software is susceptible to Stored Cross-Site Scripting through the `add class` parameter. Insufficient input sanitization and output escaping on user-supplied attributes allows authenticated attackers with Administrator-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page, primarily impacting multisite installations where Administrators lack the unfiltered html capability. **Recommendations** Update the Weaver Show Posts plugin to a version beyond 1.8.1.

**Name of the Vulnerable Software and Affected Versions** AMP Enhancer – Compatibility Layer for Official AMP Plugin for WordPress versions through 1.0.49 **Description** The software is susceptible to Stored Cross-Site Scripting through the AMP Custom CSS setting due to inadequate input sanitization and output escaping of user-provided attributes. This allows authenticated attackers with Administrator-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. This issue only impacts multi-site installations and those where unfiltered html has been disabled. **Recommendations** Update AMP Enhancer – Compatibility Layer for Official AMP Plugin for WordPress to a version later than 1.0.49.