Nguyen Ba Khanh

**Nome do Software Vulnerável e Versões Afetadas** MyCryptoCheckout versões anteriores a 2.162 **Descrição** Uma falha de autorização ausente no plugin MyCryptoCheckout permite a exploração de níveis de segurança de controle de acesso configurados incorretamente, resultando em controle de acesso quebrado. **Recomendações** Atualize para uma versão posterior a 2.161.

**Nome do Software Vulnerável e Versões Afetadas** StoreApps Smart Manager versões anteriores a 8.85.0 **Descrição** A Atribuição Incorreta de Privilégios no StoreApps Smart Manager permite a Escalação de Privilégios, uma condição na qual um usuário pode obter níveis de acesso ou permissões mais elevados do que os pretendidos. **Recomendações** Atualize para uma versão posterior a 8.85.0.

**Nome do Software Vulnerável e Versões Afetadas** YITH WooCommerce Product Add-Ons versões anteriores a 4.29.0 **Descrição** A neutralização inadequada de elementos especiais usados em um comando SQL permite a ocorrência de Blind SQL Injection. Blind SQL Injection é um tipo de ataque em que a aplicação não retorna os resultados da consulta SQL diretamente, mas o invasor ainda pode inferir dados observando a resposta da aplicação a consultas específicas. **Recomendações** Atualize para uma versão posterior a 4.29.0.

**Nome do Software Vulnerável e Versões Afetadas** SureForms Pro versões anteriores a 2.8.0 **Descrição** Uma falha de autorização ausente no Brainstorm Force SureForms Pro permite a exploração de níveis de segurança de controle de acesso configurados incorretamente. **Recomendações** Atualize para uma versão posterior a 2.8.0.

Name of the Vulnerable Software and Affected Versions OceanWP Ocean Extra versões até 2.5.3 Description Existe uma falha de autorização no OceanWP Ocean Extra. Isso permite a exploração devido a níveis de segurança de controle de acesso configurados incorretamente. Recommendations Atualize o OceanWP Ocean Extra para uma versão posterior a 2.5.3.

**Name of the Vulnerable Software and Affected Versions** WebberZone Contextual Related Posts versions prior to 4.2.2 **Description** An authorization issue exists in WebberZone Contextual Related Posts due to incorrectly configured access control security levels. This allows for unauthorized access. **Recommendations** Update WebberZone Contextual Related Posts to version 4.2.2 or later.

**Name of the Vulnerable Software and Affected Versions** Booster for WooCommerce versions prior to 7.11.3 **Description** A missing authorization issue exists in Pluggabl Booster for WooCommerce. This allows exploitation of incorrectly configured access control security levels. The issue concerns a flaw in how access control is managed, potentially allowing unauthorized actions. **Recommendations** Update Booster for WooCommerce to version 7.11.3 or later.

**Name of the Vulnerable Software and Affected Versions** Toocheke Companion versions n/a through 1.194 **Description** The software contains a flaw related to improper input handling during web page generation, leading to a DOM-Based Cross-site Scripting (XSS) condition. This allows for the execution of malicious scripts within the context of the user's browser. The affected component is `toocheke-companion`. **Recommendations** Update Toocheke Companion to a version greater than 1.194.

**Name of the Vulnerable Software and Affected Versions** Gift Up! Gift Up Gift Cards for WordPress and WooCommerce versions through 3.1.7 **Description** The software contains a Server-Side Request Forgery (SSRF) issue. This allows for Server Side Request Forgery. The vulnerability exists due to insufficient input validation, potentially allowing an attacker to make requests to unintended locations. **Recommendations** Update to a version later than 3.1.7.

**Name of the Vulnerable Software and Affected Versions** Jordy Meow Meow Gallery versions through 5.4.4 **Description** The software contains a flaw due to improper handling of special characters within SQL commands, leading to a Blind SQL Injection issue. This allows for potential unauthorized access or manipulation of the database. The API endpoints and vulnerable parameters are not specified in the provided information. The function names are not specified in the provided information. **Recommendations** Versions prior to 5.4.4 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP EasyCart versions through 5.8.13 **Description** The software contains a flaw due to improper neutralization of special elements used in an SQL command, leading to a Blind SQL Injection issue. The vulnerability exists in the wp-easycart component. Exploitation of this flaw could allow an attacker to inject malicious SQL code. **Recommendations** Update WP EasyCart to a version later than 5.8.13.

**Name of the Vulnerable Software and Affected Versions** Brainstorm Force Astra Bulk Edit versions n/a through 1.2.10 **Description** The software contains a flaw related to improper input handling during web page generation, leading to a potential cross-site scripting (XSS) issue. Specifically, the vulnerability allows for DOM-based XSS exploitation. The affected component is `astra-bulk-edit`. **Recommendations** Update Astra Bulk Edit to a version later than 1.2.10.

**Name of the Vulnerable Software and Affected Versions** codepeople WP Time Slots Booking Form versions through 1.2.42 **Description** An authorization issue exists in codepeople WP Time Slots Booking Form, allowing exploitation of incorrectly configured access control security levels. The issue relates to missing authorization checks, potentially allowing unauthorized access to sensitive functionalities. **Recommendations** Update codepeople WP Time Slots Booking Form to a version newer than 1.2.42.

**Name of the Vulnerable Software and Affected Versions** codepeople CP Contact Form with Paypal versions through 1.3.61 **Description** The software contains a flaw due to improper neutralization of special elements used in an SQL command, leading to a Blind SQL Injection issue. The vulnerability exists in codepeople CP Contact Form with Paypal and allows for potential exploitation through SQL injection. The affected API endpoints and vulnerable parameters are not specified. **Recommendations** Update codepeople CP Contact Form with Paypal to a version later than 1.3.61.

**Name of the Vulnerable Software and Affected Versions** Josh Kohlbach Product Feed PRO for WooCommerce versions through 13.5.2 **Description** The software contains a Cross-Site Request Forgery (CSRF) issue. A Cross-Site Request Forgery attack allows an attacker to perform actions on behalf of an authenticated user without their knowledge. This can lead to unauthorized modifications or actions within the application. **Recommendations** Versions prior to and including 13.5.2 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RealMag777 WOLF versions through 1.0.8.7 **Description** The RealMag777 WOLF bulk-editor is susceptible to a SQL Injection issue, specifically a Blind SQL Injection. This allows attackers to execute arbitrary SQL queries against the database. Attackers may potentially read or modify sensitive database data, which could lead to account takeover or site compromise. The issue stems from improper neutralization of special elements used in an SQL command. **Recommendations** Update the plugin to the latest patched version. Restrict access to WordPress admin endpoints. Monitor logs for suspicious SQL queries. Use a WAF or database query filtering.

**Name of the Vulnerable Software and Affected Versions** flycart UpsellWP versions through 2.2.4 **Description** The software contains an Improper Neutralization of Special Elements used in an SQL Command issue, specifically a Blind SQL Injection. This allows for potential unauthorized access or manipulation of data through crafted SQL queries. The vulnerability exists within the checkout-upsell-and-order-bumps component of the software. **Recommendations** flycart UpsellWP versions through 2.2.4 should be updated to a newer, secure version to address this issue.

**Name of the Vulnerable Software and Affected Versions** robosoft Robo Gallery versions through 5.1.2 **Description** The software contains a flaw related to improper input handling during web page generation, specifically a DOM-Based Cross-site Scripting issue. This allows for potential execution of malicious scripts within the application. **Recommendations** Update to a version later than 5.1.2.

**Name of the Vulnerable Software and Affected Versions** Rich Showcase for Google Reviews versions through 6.9.4.3 **Description** A flaw exists in the Rich Showcase for Google Reviews widget that allows for Stored Cross-site Scripting (XSS). This occurs due to improper neutralization of input during web page generation. The issue allows an attacker to inject malicious scripts into web pages, potentially compromising user data or system integrity. **Recommendations** Update Rich Showcase for Google Reviews to a version later than 6.9.4.3.

**Name of the Vulnerable Software and Affected Versions** RadiusTheme Team tlp-team versions n/a through 5.0.13 **Description** A missing authorization issue exists in RadiusTheme Team tlp-team, allowing exploitation of incorrectly configured access control security levels. The issue allows unauthorized access due to flaws in how access controls are implemented. **Recommendations** Versions prior to 5.0.13 should be updated.