Niclo

**Name of the Vulnerable Software and Affected Versions** Simply Excerpts WordPress plugin version 1.4 and earlier **Description** The Simply Excerpts WordPress plugin does not sanitize and escape some fields in the plugin settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered html capability is disallowed, for example in a multisite setup. **Recommendations** For Simply Excerpts WordPress plugin version 1.4 and earlier, update to a version that sanitizes and escapes fields in the plugin settings to prevent arbitrary web script injection. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Simple Table Manager WordPress plugin versions 1.5.6 and earlier **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in a multisite setup. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions 1.5.6 and earlier, update to a version that addresses the sanitization and escaping of settings to prevent Stored Cross-Site Scripting attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DedeCMS version 5.7.109 **Description** A critical issue was found in DedeCMS, affecting an unknown functionality of the file co do.php. The manipulation of the `rssurl` argument leads to server-side request forgery. **Recommendations** For DedeCMS version 5.7.109, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** HadSky version 7.11.8 **Description** A problematic issue has been found in the User Handler component, leading to cross-site request forgery. The manipulation can be launched remotely. **Recommendations** For HadSky version 7.11.8, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Simple and Beautiful Shopping Cart System version 1.0 **Description** A critical issue has been found in the file uploadera.php, allowing for unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public. **Recommendations** For Simple and Beautiful Shopping Cart System version 1.0, consider disabling the file upload functionality in uploadera.php until a patch is available. Restrict access to the uploadera.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Dental Clinic Appointment Reservation System version 1.0 **Description** A critical issue affects the processing of the file /APR/login.php, specifically the POST Parameter Handler component. The manipulation of the `username` argument leads to SQL injection. This issue can be exploited remotely. **Recommendations** For SourceCodester Dental Clinic Appointment Reservation System version 1.0, consider restricting access to the /APR/login.php file until a fix is available, and avoid using the `username` argument in the affected POST parameter handler to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Dental Clinic Appointment Reservation System version 1.0 **Description** A vulnerability was found in the Dental Clinic Appointment Reservation System, affecting the file /APR/signup.php, specifically the POST Parameter Handler component. The issue arises from the manipulation of the `firstname` argument, leading to cross-site scripting. This can be initiated remotely. **Recommendations** For version 1.0, consider disabling the `firstname` parameter in the /APR/signup.php file until a patch is available to prevent cross-site scripting attacks. Restrict access to the signup.php file to minimize the risk of exploitation. Avoid using the `firstname` parameter in the affected POST request until the issue is resolved.