Prajalkulkarni

**Nome do software vulnerável e versões afetadas** Plugin ultimate-weather versão 1.0 **Descrição** A vulnerabilidade afeta o plugin ultimate-weather para WordPress, permitindo ataques de script entre sites (XSS). **Recomendações** Para a versão 1.0, atualize para uma versão mais recente que contenha uma correção para esta vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** Swipe Checkout for WP e-Commerce plugin versions 3.1.0 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `api key`, `payment page url`, `merchant id`, `api url`, or `currency` parameter in the test-plugin.php file. This can be exploited by injecting malicious code through these parameters. **Recommendations** For versions 3.1.0 and earlier, consider disabling the test-plugin.php file or restricting access to it until a patch is available. Avoid using the `api key`, `payment page url`, `merchant id`, `api url`, or `currency` parameters in the affected plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Swipe Checkout for WooCommerce plugin versions 2.7.1 and earlier **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the `api url` parameter. **Recommendations** For Swipe Checkout for WooCommerce plugin versions 2.7.1 and earlier, update to a version later than 2.7.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Shortcode Ninja plugin versions 1.4 and earlier **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `shortcode` parameter. This can be exploited by injecting malicious code into the `shortcode` parameter, potentially leading to unauthorized actions on the affected website. **Recommendations** For Shortcode Ninja plugin versions 1.4 and earlier, update to a version later than 1.4 to resolve the issue. As a temporary workaround, consider restricting access to the `preview-shortcode-external.php` file to minimize the risk of exploitation. Avoid using the `shortcode` parameter in the affected plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Podcast Channels plugin versions 0.20 and earlier for WordPress **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `Filename` parameter to "getid3/demos/demo.write.php" API endpoint. This is a cross-site scripting (XSS) issue. **Recommendations** For Podcast Channels plugin versions 0.20 and earlier, avoid using the `Filename` parameter in the "getid3/demos/demo.write.php" endpoint until the issue is resolved. As a temporary workaround, consider restricting access to this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Movies plugin versions 0.6 and earlier for WordPress **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `filename` parameter to "getid3/demos/demo.mimeonly.php". **Recommendations** For Movies plugin versions 0.6 and earlier, avoid using the `filename` parameter in the "getid3/demos/demo.mimeonly.php" endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Infusionsoft Gravity Forms plugin versions prior to 1.5.6 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the `go`, `contactId`, or `campaignId` parameters. **Recommendations** For versions prior to 1.5.6, update to version 1.5.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable parameters `go`, `contactId`, and `campaignId` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** jRSS Widget plugin version 1.2 and earlier for WordPress **Description** A server-side request forgery (SSRF) issue allows remote attackers to trigger outbound requests and enumerate open ports via the `url` parameter. **Recommendations** For jRSS Widget plugin version 1.2 and earlier, update to a version later than 1.2 to resolve the issue. As a temporary workaround, consider restricting access to the `proxy.php` file to minimize the risk of exploitation. Avoid using the `url` parameter in the affected plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** CBI Referral Manager plugin versions 1.2.1 and earlier **Description** A cross-site scripting issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via the `searchString` parameter in the getNetworkSites.php file. **Recommendations** For versions 1.2.1 and earlier, update to a version later than 1.2.1 to resolve the issue. As a temporary workaround, consider restricting access to the getNetworkSites.php file or avoiding the use of the `searchString` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** WP Easy Post Types plugin versions prior to 1.4.4 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This allows remote attackers to inject arbitrary web script or HTML via the `ref` parameter in the `media.php` file. **Recommendations** For versions prior to 1.4.4, update to version 1.4.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Style It plugin versions 1.0 and earlier for WordPress **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `mode` parameter in the fonts/font-form.php file. **Recommendations** For Style It plugin versions 1.0 and earlier, avoid using the `mode` parameter in the fonts/font-form.php file until a patch is available. As a temporary workaround, consider restricting access to the fonts/font-form.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** HTML5 Video Player with Playlist plugin versions 2.4.0 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `theme` or `playlistmod` parameter in the videoplayer/autoplay.php file. This can lead to cross-site scripting (XSS) attacks. **Recommendations** For HTML5 Video Player with Playlist plugin versions 2.4.0 and earlier, consider disabling the vulnerable parameters `theme` and `playlistmod` in the videoplayer/autoplay.php file until a patch is available. Restrict access to the videoplayer/autoplay.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Flash Photo Gallery plugin versions 0.7 and earlier **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `path` parameter in the fpg preview.php file. **Recommendations** For Flash Photo Gallery plugin versions 0.7 and earlier, update to a version later than 0.7 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** EnvialoSimple: Email Marketing and Newsletters plugin versions prior to 1.98 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the `FormID` or `AdministratorID` parameters in the paginas/vista-previa-form.php file. **Recommendations** For EnvialoSimple: Email Marketing and Newsletters plugin versions prior to 1.98, update to version 1.98 or later to resolve the issue. As a temporary workaround, consider restricting access to the paginas/vista-previa-form.php file to minimize the risk of exploitation. Avoid using the `FormID` and `AdministratorID` parameters in the affected file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Ooorl plugin for WordPress (affected versions not specified) **Description** The issue is related to a cross-site scripting (XSS) vulnerability. It allows remote attackers to inject arbitrary web script or HTML via the `url` parameter in the redirect.php file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Swipe Checkout for Jigoshop plugin versions 3.1.0 and earlier **Description** The issue is related to a cross-site scripting (XSS) vulnerability. It allows remote attackers to inject arbitrary web script or HTML via the `api url` parameter. **Recommendations** For Swipe Checkout for Jigoshop plugin versions 3.1.0 and earlier, update to a version later than 3.1.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** URL Cloak & Encrypt plugin versions 2.0 and earlier **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the `url` parameter in the go.php file. **Recommendations** For URL Cloak & Encrypt plugin versions 2.0 and earlier, update to a version later than 2.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** verweise-wordpress-twitter plugin versions 1.0.2 and earlier **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `base` parameter in the res/fake twitter/frame.php file. **Recommendations** For verweise-wordpress-twitter plugin versions 1.0.2 and earlier, consider updating to a version that is not affected by this issue, as no specific fix is provided for these versions. As a temporary workaround, restrict access to the res/fake twitter/frame.php file to minimize the risk of exploitation. Avoid using the `base` parameter in the affected file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Votecount for Balatarin plugin versions 0.1.1 and earlier **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This allows remote attackers to inject arbitrary web script or HTML via the `url` or `bvcurl` parameters in the bvc.php file. **Recommendations** For Votecount for Balatarin plugin versions 0.1.1 and earlier, consider disabling access to the bvc.php file until a patch is available. Avoid using the `url` and `bvcurl` parameters in the affected plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** WebEngage plugin versions prior to 2.0.1 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `height` parameter in the resize.php file. **Recommendations** For versions prior to 2.0.1, update to version 2.0.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the resize.php file to minimize the risk of exploitation. Avoid using the `height` parameter in the affected API endpoint until the issue is resolved.