Quốc Huy

**Nome do Software Vulnerável e Versões Afetadas** Blocksy versões anteriores a 2.1.36 **Description** A sanitização insuficiente de entrada na função `blocksy sanitize post meta options()` permite que atacantes autenticados com nível de acesso de contribuidor ou superior armazenem strings de objetos PHP serializados em metadados de postagens. A função bloqueia apenas valores que contenham '<' ou '>', falhando em prevenir a injeção de objetos serializados. Quando a migração de banco de dados V200 é executada, a função `SearchReplacer::run recursively()` desserializa incondicionalmente todos os valores de string usando `@unserialize()` sem restringir as classes permitidas. Esse processo pode acionar a função `RaiiPattern:: destruct()` de um objeto `BlocksyRaiiPattern` injetado, resultando em execução remota de código ao executar callables PHP arbitrários via `call user func()`. Este problema é acessível através do campo da API REST 'blocksy meta'. **Recommendations** Atualize para a versão 2.1.36 ou posterior. Como mitigação temporária, restrinja o acesso ao campo da API REST 'blocksy meta' para usuários com permissões de nível de contribuidor.

**Nome do Software Vulnerável e Versões Afetadas** Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder versões anteriores a 3.4.8 **Description** O plugin está suscetível ao envio não autorizado de e-mails porque a função `send test email()` carece de uma verificação de capacidade adequada. Isso permite que usuários autenticados com permissões de nível Assinante (Subscriber) ou superior enviem e-mails de teste para qualquer endereço arbitrário a partir do servidor. **Recommendations** Atualize para uma versão posterior a 3.4.7. Como medida paliativa temporária, restrinja o acesso à função `send test email()` para evitar que usuários não autorizados disparem transmissões de e-mail.

Name of the Vulnerable Software and Affected Versions Plugin Optimole – Optimize Images para WordPress versões até 4.2.2 Description O plugin Optimole – Optimize Images para WordPress é suscetível a Cross-Site Scripting Persistente. Isso é causado por sanitização e escape de saída inadequados do parâmetro `s` (descritor srcset) dentro do endpoint REST /wp-json/optimole/v1/optimizations não autenticado. O endpoint emprega validação de assinatura HMAC e timestamp, mas esses valores são expostos no HTML do frontend. O plugin utiliza sanitize text field() que remove tags HTML, mas não escapa aspas duplas, e o descritor envenenado é armazenado em transients e injetado no atributo srcset sem escape adequado. Recommendations Atualize para uma versão superior a 4.2.2

Nome do Software Vulnerável e Versões Afetadas Plugin Database for Contact Form 7, WPforms, Elementor forms para WordPress versões até 1.4.9, inclusive Descrição O plugin Database for Contact Form 7, WPforms, Elementor forms para WordPress é vulnerável a acesso não autorizado de dados devido a uma verificação de capacidade ausente na função `entries shortcode()`. Atacantes autenticados, com acesso de nível Colaborador e superior, podem extrair todos os envios de formulário, incluindo nomes, endereços de e-mail e números de telefone. Recomendações Versões anteriores a 1.5.0 devem ser atualizadas.

**Name of the Vulnerable Software and Affected Versions** WordPress Download Manager plugin versions up to and including 3.3.49 **Description** The Download Manager plugin for WordPress is susceptible to unauthorized data access. A missing capability check on the `reviewUserStatus()` function allows authenticated attackers with Subscriber-level access or higher to retrieve sensitive user information. This information includes email addresses, display names, and registration dates. **Recommendations** Update WordPress Download Manager plugin to a version later than 3.3.49.

**Name of the Vulnerable Software and Affected Versions** Royal Addons for Elementor – Addons and Templates Kit for Elementor versions prior to 1.7.1049 **Description** The Royal Addons for Elementor plugin for WordPress is susceptible to Information Exposure due to insufficient restrictions on post inclusion within the `get main query args()` function. This allows unauthenticated attackers to extract contents from non-public custom post types, including Contact Form 7 submissions and WooCommerce coupons. **Recommendations** Update Royal Addons for Elementor – Addons and Templates Kit for Elementor to version 1.7.1049 or later.

**Name of the Vulnerable Software and Affected Versions** GetGenie plugin for WordPress versions through 4.3.2 **Description** The GetGenie plugin for WordPress is susceptible to an Insecure Direct Object Reference issue due to missing validation on a user-controlled key within the `action` function. This allows authenticated attackers with Author-level access or higher to modify post metadata for any post. The lack of input sanitization, combined with this issue, can lead to Stored Cross-Site Scripting when a user with higher privileges, such as an Administrator, views the "Competitor" tab in the GetGenie sidebar of an affected post. The vulnerable parameter is a user-controlled key used in the `action` function. **Recommendations** Update the GetGenie plugin to a version later than 4.3.2.

**Name of the Vulnerable Software and Affected Versions** WP ULike versions up to and including 5.0.1 **Description** The WP ULike plugin for WordPress is susceptible to Stored Cross-Site Scripting through the `[wp ulike likers box]` shortcode `template` attribute. This occurs because `html entity decode()` is used on shortcode attributes without proper output sanitization, bypassing WordPress’s `wp kses post()` content filtering. Authenticated attackers with Contributor-level access or higher can inject malicious web scripts into pages. These scripts will execute when a user accesses the affected page, but only if the post has at least one like. The vulnerable parameter is `template`. **Recommendations** Update WP ULike to a version newer than 5.0.1.

**Name of the Vulnerable Software and Affected Versions** Greenshift – animation and page builder blocks versions through 12.8.3 **Description** The Greenshift plugin for WordPress is susceptible to exposure of sensitive information. This occurs due to the automated Settings Backup being stored in a publicly accessible file, allowing unauthenticated attackers to extract data. Compromised data includes API keys for OpenAI, Claude, Google Maps, Gemini, DeepSeek, and Cloudflare Turnstile. **Recommendations** Versions prior to 12.8.3 should be updated.

**Name of the Vulnerable Software and Affected Versions** WP-Members Membership Plugin versions up to and including 3.5.5.1 **Description** The WP-Members Membership Plugin for WordPress is susceptible to SQL Injection through the `order by` attribute of the [wpmem user membership posts] shortcode. This is caused by inadequate escaping of user-supplied parameters and insufficient preparation of the existing SQL query. Authenticated attackers with Contributor-level access or higher can append additional SQL queries to existing queries, potentially allowing them to extract sensitive information from the database. **Recommendations** Versions prior to and including 3.5.5.1 should be updated.

**Nome do Software Vulnerável e Versões Afetadas** Tema Blocksy para WordPress versões até e incluindo a 2.1.30 **Descrição** O tema Blocksy para WordPress está suscetível a Cross-Site Scripting Armazenado (Stored XSS) através dos campos de metadados `blocksy meta`. A sanitização de entrada e o escape de saída insuficientes permitem que atacantes autenticados com acesso de nível de Contribuidor ou superior injetem scripts web arbitrários nas páginas. Esses scripts serão executados quando um usuário acessar a página injetada. O parâmetro vulnerável é `blocksy meta`. **Recomendações** Atualize para uma versão do tema Blocksy para WordPress posterior à 2.1.30.

**Name of the Vulnerable Software and Affected Versions** WP Mail Logging versions prior to 1.15.1 **Description** The WP Mail Logging plugin for WordPress is susceptible to PHP Object Injection in versions up to and including 1.15.0. This occurs due to the deserialization of untrusted input from the email log message field. The `BaseModel` class constructor uses `maybe unserialize()` on database properties without proper validation, allowing attackers to inject a PHP Object through a double-serialized payload. This payload can be submitted through any public-facing form that sends email, such as Contact Form 7. When an administrator views the logged email, the malicious payload is deserialized. The impact of this issue is limited unless another plugin or theme containing a PHP Object Payload (POP) chain is installed, which could allow actions like file deletion, data retrieval, or code execution. **Recommendations** Update WP Mail Logging to version 1.15.1 or later.

**Name of the Vulnerable Software and Affected Versions** WP Accessibility plugin for WordPress versions prior to 2.3.2 **Description** The WP Accessibility plugin for WordPress is susceptible to Stored DOM-Based Cross-Site Scripting through the 'alt' attribute of images processed by the "Long Description UI" feature. The issue arises because the plugin’s JavaScript retrieves the alt attribute using `getAttribute()` and concatenates it into `innerHTML` and `insertAdjacentHTML` calls without sufficient sanitization or escaping. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. Exploitation requires the "Long Description UI" setting to be enabled and set to "Link to description." **Recommendations** Update the WP Accessibility plugin to version 2.3.2 or later.

**Name of the Vulnerable Software and Affected Versions** WP Recipe Maker versions prior to 10.3.3 **Description** The software is susceptible to an Insecure Direct Object Reference (IDOR) issue. The `/wp-json/wp-recipe-maker/v1/integrations/instacart` API endpoint has a permission check set to always return true, and lacks authorization checks on the `recipeId` parameter provided by the user. This allows unauthenticated attackers to modify arbitrary post metadata (`wprm instacart combinations`) using the `recipeId` parameter. **Recommendations** Update WP Recipe Maker to version 10.3.3 or later.

**Name of the Vulnerable Software and Affected Versions** The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress versions through 6.4.7 **Description** The software contains a flaw due to insufficient verification of data authenticity. The plugin decrypts and trusts attacker-controlled `email data` in an unauthenticated AJAX handler without cryptographic authenticity guarantees. This allows attackers to manipulate form email routing and redirection values, potentially triggering unauthorized email relay and redirection via the `email data` parameter. The affected component is an AJAX handler. **Recommendations** Update to version 6.4.8 or later.