Rafael Aristodimou

**Nome do software vulnerável e versões afetadas** Versões do plugin Wp-Adv-Quiz para WordPress anteriores à 1.0.3 **Descrição** A vulnerabilidade permite que usuários com privilégios elevados, como administradores, realizem ataques de Cross-Site Scripting, mesmo quando a opção `unfiltered html` está desativada, devido ao fato de o plugin não sanitizar e escapar algumas de suas configurações. **Recomendações** Para versões anteriores à 1.0.3, atualize para a versão 1.0.3 ou posterior para resolver o problema. Como solução temporária, considere restringir o acesso administrativo apenas a usuários confiáveis até que a atualização possa ser aplicada.

**Name of the Vulnerable Software and Affected Versions** Popup box WordPress plugin versions prior to 3.8.6 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in a multisite setup. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 3.8.6, update to version 3.8.6 or later to resolve the issue. As a temporary workaround, consider restricting the use of the plugin's settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Asgaros Forum WordPress plugin versions prior to 2.7.1 **Description** The issue allows forum administrators to set insecure configuration, enabling unauthenticated users to upload dangerous files, such as .php or .phtml, potentially leading to remote code execution. **Recommendations** For versions prior to 2.7.1, update to version 2.7.1 or later to resolve the issue. As a temporary workaround, consider restricting file upload capabilities to authenticated users only, and limit the types of files that can be uploaded to prevent dangerous files from being uploaded.

**Name of the Vulnerable Software and Affected Versions** Popup box WordPress plugin versions prior to 3.7.9 **Description** The issue allows high privilege users, such as admins, to perform Cross-Site Scripting attacks, even when unfiltered html is disallowed, due to the plugin's failure to sanitise and escape some of its settings. **Recommendations** For versions prior to 3.7.9, update to version 3.7.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings to minimize the risk of exploitation.