Phat Rio

**Nome do Software Vulnerável e Versões Afetadas** NanoCare versões anteriores a 1.2.2 **Description** Uma falha de autorização ausente no Linethemes NanoCare permite a exploração de níveis de segurança de controle de acesso configurados incorretamente, resultando em controle de acesso quebrado. **Recommendations** Atualizar para a versão 1.2.2.

**Nome do Software Vulnerável e Versões Afetadas** B2BKing versões anteriores a 5.2.10 **Descrição** Uma falha de autorização ausente permite a exploração de níveis de segurança de controle de acesso configurados incorretamente. Trata-se de uma falha de controle de acesso interrompido onde o sistema não verifica adequadamente se um usuário possui as permissões necessárias para realizar uma ação. **Recomendações** Atualize para a versão 5.2.10 ou posterior.

**Name of the Vulnerable Software and Affected Versions** ThemeGoods Photography versions through 7.7.5 **Description** The software contains a flaw related to unrestricted file uploads with dangerous file types, which can lead to path traversal. This allows for potential unauthorized access or manipulation of files on the system. **Recommendations** Update ThemeGoods Photography to a version later than 7.7.5.

**Name of the Vulnerable Software and Affected Versions** ThimPress BuilderPress versions through 2.0.1 **Description** The software contains a flaw due to improper control of filenames in PHP program, leading to PHP Local File Inclusion. This allows attackers to potentially read arbitrary files. The issue is identified as a PHP Remote File Inclusion. **Recommendations** Update ThimPress BuilderPress to a version later than 2.0.1.

**Name of the Vulnerable Software and Affected Versions** Shinetheme Traveler versions prior to 3.2.8.1 **Description** The Shinetheme Traveler software contains a flaw related to the deserialization of untrusted data, which can lead to object injection. This issue allows for potential remote code execution. **Recommendations** Update Shinetheme Traveler to version 3.2.8.1 or later.

**Name of the Vulnerable Software and Affected Versions** xtemos WoodMart versions through 8.3.9 **Description** A flaw exists in xtemos WoodMart that could allow unauthorized retrieval of embedded sensitive data, potentially exposing sensitive system information. The issue involves exposure of sensitive system information to an unauthorized control sphere. **Recommendations** Update to a version of xtemos WoodMart newer than 8.3.9.

**Name of the Vulnerable Software and Affected Versions** Nanosoft versions prior to 1.3.2 **Description** A missing authorization flaw exists in Nanosoft, allowing exploitation of incorrectly configured access control security levels. **Recommendations** Update Nanosoft to version 1.3.2 or later.

**Name of the Vulnerable Software and Affected Versions** linethemes SmartFix versions prior to 1.2.4 **Description** A missing authorization check in linethemes SmartFix allows for exploitation of incorrectly configured access control security levels. The issue allows unauthorized access due to inadequate security measures. **Recommendations** Update to a version newer than 1.2.4.

**Name of the Vulnerable Software and Affected Versions** WebGeniusLab BigHearts versions n/a through 3.1.14 **Description** An authorization issue exists in WebGeniusLab BigHearts. The issue involves exploiting incorrectly configured access control security levels. **Recommendations** Versions prior to 3.1.15 should be updated.

**Name of the Vulnerable Software and Affected Versions** Crocoblock JetEngine versions prior to 3.8.4.1 **Description** A flaw exists in Crocoblock JetEngine that allows for Object Injection due to deserialization of untrusted data. This issue impacts the `jet-engine` component. **Recommendations** Update to a version newer than 3.8.4.1.

**Name of the Vulnerable Software and Affected Versions** linethemes GLB versions through 1.2.2 **Description** A missing authorization flaw exists in linethemes GLB. This issue allows exploitation of incorrectly configured access control security levels. **Recommendations** Versions prior to 1.2.3 should be updated.

Nome do Software Vulnerável e Versões Afetadas Plugin Tutor LMS Pro para WordPress, versões até 3.9.5 Descrição O plugin Tutor LMS Pro para WordPress é suscetível a contorno de autenticação por meio do complemento Social Login. O plugin não valida corretamente se o endereço de e-mail fornecido durante a autenticação corresponde ao endereço de e-mail associado ao token OAuth validado. Isso permite que atacantes façam login como qualquer usuário, incluindo administradores, utilizando um token OAuth válido de sua própria conta e o endereço de e-mail de um usuário-alvo. Relata-se que esse problema está sendo explorado ativamente no ambiente real. Aproximadamente 50.000 instalações de LMS WordPress podem ser afetadas. O ataque envolve o uso de um token OAuth válido juntamente com o endereço de e-mail da vítima para obter acesso não autorizado. Recomendações Atualize para a versão 3.9.6 ou posterior.

**Name of the Vulnerable Software and Affected Versions** WeDesignTech Ultimate Booking Addon versions through 1.0.1 **Description** An authentication bypass issue exists in designthemes WeDesignTech Ultimate Booking Addon. This allows for authentication abuse by utilizing an alternate path or channel. The `wedesigntech-ultimate-booking-addon` is affected. **Recommendations** Update WeDesignTech Ultimate Booking Addon to a version later than 1.0.1.

**Name of the Vulnerable Software and Affected Versions** WeDesignTech Ultimate Booking Addon versions through 1.0.1 **Description** An authentication bypass issue exists in the WeDesignTech Ultimate Booking Addon, allowing authentication abuse through an alternate path or channel. The issue allows bypassing normal authentication mechanisms. **Recommendations** Update WeDesignTech Ultimate Booking Addon to a version later than 1.0.1.

**Name of the Vulnerable Software and Affected Versions** Directory Pro versions through 2.5.6 **Description** The software contains a missing authorization issue related to incorrectly configured access control security levels. This allows for potential exploitation. **Recommendations** Update Directory Pro to a version newer than 2.5.6.

**Name of the Vulnerable Software and Affected Versions** DesignThemes Directory Addon versions n/a through 1.8 **Description** An issue exists in the DesignThemes Directory Addon related to incorrectly configured access control security levels, potentially allowing unauthorized access. The issue involves a missing authorization check. **Recommendations** Update DesignThemes Directory Addon to a version later than 1.8.

**Name of the Vulnerable Software and Affected Versions** DesignThemes Booking Manager versions prior to 2.1 **Description** An authorization issue exists in DesignThemes Booking Manager that allows exploitation of incorrectly configured access control security levels. **Recommendations** Update DesignThemes Booking Manager to version 2.1 or later.

**Name of the Vulnerable Software and Affected Versions** kamleshyadav WP Bakery Autoresponder Addon versions through 1.0.6 **Description** The kamleshyadav WP Bakery Autoresponder Addon contains a flaw related to improper input handling during web page creation, which allows for Stored Cross-site Scripting (XSS). This means that malicious scripts can be injected into web pages viewed by other users. The affected component is the 'vc-autoresponder-addon'. **Recommendations** Update kamleshyadav WP Bakery Autoresponder Addon to a version later than 1.0.6.

**Name of the Vulnerable Software and Affected Versions** kamleshyadav WP Bakery Autoresponder Addon versions through 1.0.6 **Description** The kamleshyadav WP Bakery Autoresponder Addon vc-autoresponder-addon has a flaw related to incorrectly configured access control security levels, leading to a missing authorization issue. This allows for exploitation of the access control settings. **Recommendations** Update kamleshyadav WP Bakery Autoresponder Addon to a version later than 1.0.6.

**Name of the Vulnerable Software and Affected Versions** vanquish WooCommerce Order Details versions n/a through 3.1 **Description** An authorization issue exists in vanquish WooCommerce Order Details, allowing exploitation of incorrectly configured access control security levels. The issue is related to missing authorization checks. **Recommendations** Update vanquish WooCommerce Order Details to a version greater than 3.1.