Ning1022

**Name of the Vulnerable Software and Affected Versions** Etoile Ultimate Product Catalog plugin version 4.2.11 **Description** The issue concerns SQL injection in the Etoile Ultimate Product Catalog plugin for WordPress. Specifically, the vulnerability is triggered by various POST actions in the wp-admin/admin-ajax.php endpoint, including catalogue update order `list-item`, video update order `video-item`, image update order `list-item`, tag group update order `list item`, category products update order `category-product-item`, custom fields update order `field-item`, categories update order `category-item`, subcategories update order `subcategory-item`, and tags update order `tag-list-item`. **Recommendations** For Etoile Ultimate Product Catalog plugin version 4.2.11, update the plugin to a version that addresses the SQL injection issue, as using outdated versions poses a significant risk. As a temporary workaround, consider restricting access to the wp-admin/admin-ajax.php endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Etoile Ultimate Product Catalog plugin version 4.2.11 **Description** The issue concerns a problem with the Add Product Manually component, where there is XSS. **Recommendations** For version 4.2.11, update to a version that fixes this issue, if available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Event List plugin version 0.7.9 **Description** The issue concerns a problem with the slug array parameter in the `wp-admin/admin.php` endpoint, specifically in the `el admin categories` `delete bulk` action, allowing for XSS. **Recommendations** For Event List plugin version 0.7.9, avoid using the `delete bulk` action in the `el admin categories` until a fix is available. As a temporary workaround, consider restricting access to the `wp-admin/admin.php` endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Easy Testimonials plugin version 3.0.4 **Description** The issue concerns a security problem where an attacker can execute malicious scripts. This is demonstrated through the Default Testimonials Width, View More Testimonials Link, and Testimonial Excerpt Options screens in the include/settings/display.options.php file. **Recommendations** For Easy Testimonials plugin version 3.0.4, consider updating to a newer version that addresses this issue, as no specific fix is provided for this version. As a temporary workaround, restrict access to the include/settings/display.options.php file to minimize the risk of exploitation. Avoid using the vulnerable screens until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.