Ryan Dewhurst

**Nome do software vulnerável e versões afetadas** Versões do plugin Loginizer anteriores à 1.6.4 **Descrição** A vulnerabilidade permite a injeção de SQL, o que também pode levar a XSS, e está relacionada a `loginizer login failed` e `lz valid ip`. **Recomendações** Para versões anteriores à 1.6.4, atualize para a versão 1.6.4 ou posterior para resolver o problema. Como solução temporária, considere restringir o acesso às funções `loginizer login failed` e `lz valid ip` até que um patch esteja disponível.

**Name of the Vulnerable Software and Affected Versions** Responsive FileManager versions prior to 9.13.3 **Description** The issue allows Directory Traversal and SSRF due to the direct use of the `url` parameter in a `curl exec` call. This can be exploited by providing a malicious value, such as `file:///etc/passwd`, to the `/filemanager/upload.php` endpoint. **Recommendations** For versions prior to 9.13.3, update to version 9.13.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/filemanager/upload.php` endpoint to minimize the risk of exploitation. Avoid using the `url` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** WordPress SEO by Yoast plugin versions 1.5.7 and earlier, 1.6.x before 1.6.4, 1.7.x before 1.7.4 **Description** The issue allows remote authenticated users to execute arbitrary SQL commands via the `order by` or `order` parameter in the "wpseo bulk-editor" page to "wp-admin/admin.php". This can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands. **Recommendations** For WordPress SEO by Yoast plugin version 1.5.7 and earlier, update to version 1.5.7 or later. For WordPress SEO by Yoast plugin version 1.6.x before 1.6.4, update to version 1.6.4 or later. For WordPress SEO by Yoast plugin version 1.7.x before 1.7.4, update to version 1.7.4 or later.

**Name of the Vulnerable Software and Affected Versions** WordPress SEO by Yoast plugin versions prior to 1.5.7 WordPress SEO by Yoast plugin versions 1.6.x prior to 1.6.4 WordPress SEO by Yoast plugin versions 1.7.x prior to 1.7.4 **Description** The issue concerns multiple cross-site request forgery (CSRF) vulnerabilities in the WordPress SEO by Yoast plugin. These vulnerabilities allow remote attackers to hijack the authentication of certain users for requests that conduct SQL injection attacks. The `order by` and `order` parameters in the `wpseo bulk-editor` page are specifically vulnerable to such attacks. **Recommendations** For WordPress SEO by Yoast plugin versions prior to 1.5.7, update to version 1.5.7 or later. For WordPress SEO by Yoast plugin versions 1.6.x prior to 1.6.4, update to version 1.6.4 or later. For WordPress SEO by Yoast plugin versions 1.7.x prior to 1.7.4, update to version 1.7.4 or later.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 3.5.1 **Description** The issue allows remote attackers to send HTTP requests to intranet servers and conduct port-scanning attacks by specifying a crafted source URL for a pingback, related to a Server-Side Request Forgery (SSRF) issue. This affects the XMLRPC API. **Recommendations** For versions prior to 3.5.1, update to version 3.5.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the XMLRPC API until the update is applied.