Rahul Pratap Singh

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-601 B1 version 2.00NA **Description** The issue is related to the lack of an anti-CSRF token, making the device susceptible to CSRF attacks. A remote attacker could potentially exploit this, in conjunction with other vulnerabilities, to enable remote router management and compromise the device. **Recommendations** For D-Link DIR-601 B1 version 2.00NA, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-601 B1 version 2.00NA **Description** The issue is related to authentication bypass in the D-Link DIR-601 router. It does not perform authentication checks on the server side, instead relying on client-side validation, which can be bypassed. This allows a remote attacker to potentially elevate their privileges. **Recommendations** For D-Link DIR-601 B1 version 2.00NA, consider disabling remote access to the device until a fix is available, as this is an end-of-life product and no official patch may be released. Restrict access to the router's administration interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** persian-woocommerce-sms plugin versions prior to 3.3.4 **Description** The issue concerns an XSS vulnerability in the `ps sms numbers` component. **Recommendations** For versions prior to 3.3.4, update to version 3.3.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** echosign plugin for WordPress versions prior to 1.2 **Description** The issue allows for XSS via the `id` parameter in the "templates/add templates.php" endpoint. **Recommendations** For versions prior to 1.2, update to version 1.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** tweet-wheel plugin versions prior to 1.0.3.3 **Description** The issue allows for XSS attacks via the `consumer key`, `consumer secret`, `access token`, and `access token secret` variables. **Recommendations** For versions prior to 1.0.3.3, update to version 1.0.3.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** echosign plugin for WordPress versions prior to 1.2 **Description** The issue concerns a problem with the echosign plugin, where there is a possibility of XSS (Cross-Site Scripting) attack. This attack can occur via the "page" parameter in the inc.php file. **Recommendations** For echosign plugin for WordPress versions prior to 1.2, update to version 1.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WPML plugin versions prior to 3.6.4 **Description** The issue concerns an XSS vulnerability. It can be exploited via any `locale file name ` parameter, such as `locale file name en`, in an authenticated `theme-localization.php` request to "wp-admin/admin.php". **Recommendations** For WPML plugin versions prior to 3.6.4, update to version 3.6.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the `theme-localization.php` page in the wp-admin section until the update is applied. Avoid using the `locale file name ` parameters in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Belkin N150 F9K1009 v1 router with firmware before 1.00.08 **Description** The issue is related to an absolute path traversal vulnerability in the webproc cgi module. This allows remote attackers to read arbitrary files by providing a full pathname in the `getpage` parameter. **Recommendations** For firmware versions before 1.00.08, update the firmware to version 1.00.08 or later to resolve the issue.