Sarawut Poolkhet

**Nome do Software Vulnerável e Versões Afetadas** Advanced Custom Fields versões anteriores a 6.8.2 **Description** O plugin Advanced Custom Fields para WordPress contém um problema de bypass de autorização porque não verifica adequadamente se um usuário está autorizado a realizar ações específicas. Atacantes não autenticados podem sobrescrever o `post title` e o `post content` de qualquer post vinculado a uma instância `acf form()` publicamente acessível. Isso é feito injetando valores nos parâmetros ` post title` e ` post content` durante uma requisição de envio de formulário. **Recommendations** Atualize para a versão 6.8.2 ou posterior. Como mitigação temporária, restrinja o acesso público às instâncias `acf form()`.

**Name of the Vulnerable Software and Affected Versions** MC4WP: Mailchimp for WordPress plugin versions prior to 4.11.2 **Description** The MC4WP: Mailchimp for WordPress plugin for WordPress is susceptible to unauthorized access. The plugin improperly validates the ` mc4wp action` POST parameter, allowing unauthenticated attackers to manipulate form processing. Specifically, attackers can force unsubscribe actions instead of subscribe actions. This allows arbitrary email addresses to be unsubscribed from the connected Mailchimp audience if the attacker can determine the form ID, which is exposed in the HTML source. The vulnerable parameter is ` mc4wp action`. **Recommendations** Update MC4WP: Mailchimp for WordPress plugin to version 4.11.2 or later.

**Name of the Vulnerable Software and Affected Versions** JAY Login & Register plugin for WordPress versions prior to 2.6.04 **Description** The JAY Login & Register plugin for WordPress is susceptible to a privilege escalation issue. The plugin permits a user to modify arbitrary user meta data via the `jay panel ajax update profile` function. This allows authenticated attackers with Subscriber-level access or higher to gain administrator privileges. **Recommendations** Update the JAY Login & Register plugin to version 2.6.04 or later.

**Name of the Vulnerable Software and Affected Versions** Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress versions prior to 1.5. **Description** The Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress is susceptible to Stored Cross-Site Scripting through the `orderform data` AJAX action. Insufficient input sanitization and output escaping allow unauthenticated attackers to inject arbitrary web scripts into order records. These scripts will execute when an administrator views the Orders page within the admin dashboard. **Recommendations** Update to a version newer than 1.5.

**Name of the Vulnerable Software and Affected Versions** Snow Monkey Forms versions up to and including 12.0.3 **Description** The Snow Monkey Forms plugin for WordPress is susceptible to arbitrary file deletion. Insufficient file path validation within the `generate user dirpath` function allows unauthenticated attackers to delete arbitrary files on the server. Successful deletion of specific files, such as wp-config.php, could lead to remote code execution. **Recommendations** Versions prior to and including 12.0.3 should be updated to a newer, fixed version when available. As a temporary workaround, consider restricting access to the `generate user dirpath` function until a patch is available.

**Nome do Software Vulnerável e Versões Afetadas** WP Directory Kit versões anteriores a 1.4.9 **Descrição** O plugin WP Directory Kit para WordPress apresenta uma vulnerabilidade que permite que atacantes não autenticados obtenham endereços de e-mail de usuários com papéis de usuário específicos do Directory Kit. Isso é possível por meio do manipulador AJAX `wdk public action`. **Recomendações** Atualize o WP Directory Kit para uma versão posterior a 1.4.9.

**Name of the Vulnerable Software and Affected Versions** KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress versions through 3.6.15 **Description** The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is susceptible to unauthorized file uploads. This is due to a lack of proper authorization checks within the `uploadMedicalReport()` function. This allows unauthenticated attackers to upload text files and PDF documents to the server. Successful exploitation could lead to hosting malicious content or phishing pages through uploaded PDF files. **Recommendations** Update KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress to a version later than 3.6.15.

**Name of the Vulnerable Software and Affected Versions** Melapress Role Editor plugin for WordPress versions prior to 1.1.2 **Description** The Melapress Role Editor plugin for WordPress is subject to a privilege escalation issue. An attacker with Subscriber-level access or higher can assign themselves additional roles, including Administrator, due to a misconfigured capability check within the `save secondary roles field` function. **Recommendations** Update the Melapress Role Editor plugin to version 1.1.2 or later.

**Name of the Vulnerable Software and Affected Versions** Creator LMS – The LMS for Creators, Coaches, and Trainers plugin for WordPress versions up to and including 1.1.12 **Description** The Creator LMS plugin for WordPress is susceptible to unauthorized data modification, potentially leading to privilege escalation. An attacker with contributor-level access or higher can update arbitrary WordPress options due to a missing capability check within the `get items permissions check` function. **Recommendations** Update to version 1.1.13 or later.

**Name of the Vulnerable Software and Affected Versions** WP Duplicate Page plugin for WordPress versions prior to 1.9 **Description** The WP Duplicate Page plugin for WordPress has a flaw that allows unauthorized modification of data. This is due to missing capability checks within the `duplicateBulkHandle` and `duplicateBulkHandleHPOS` functions. Authenticated attackers with Contributor-level access or higher can duplicate posts, pages, and WooCommerce HPOS orders, even if their user role is not permitted in the plugin’s settings. This could lead to the exposure of sensitive information and the potential for duplicate fulfillment of WooCommerce orders. **Recommendations** Update the WP Duplicate Page plugin to version 1.9 or later.

**Name of the Vulnerable Software and Affected Versions** Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress versions up to and including 4.0.51 **Description** The Eventin plugin for WordPress is susceptible to unauthorized data modification because of a missing capability check on the `post settings` function. This allows unauthenticated attackers to alter plugin settings. Additionally, inadequate input sanitization and output escaping of the `etn primary color` setting allows unauthenticated attackers to inject arbitrary web scripts that execute when a user accesses a page with Eventin styles loaded. The API endpoint is not specified. The vulnerable parameter is `etn primary color`. **Recommendations** Versions prior to 4.0.51 should be updated.

**Name of the Vulnerable Software and Affected Versions** BuddyPress Xprofile Custom Field Types plugin versions through 1.2.8 **Description** The BuddyPress Xprofile Custom Field Types plugin for WordPress has a flaw that allows authenticated attackers with Subscriber-level access or higher to delete arbitrary files on the server. This is due to inadequate file path validation within the `delete field` function. Deleting specific files, such as wp-config.php, could lead to remote code execution. **Recommendations** Update BuddyPress Xprofile Custom Field Types plugin to a version later than 1.2.8.

**Nome do Software Vulnerável e Versões Afetadas** LearnPress – Plugin LMS para WordPress versões anteriores à 4.3.2 **Descrição** O plugin LearnPress – WordPress LMS é suscetível a acesso não autorizado a dados devido à falta de uma verificação de capacidade na função de estatísticas. Isso permite que atacantes não autenticados visualizem as estatísticas de pedidos do plugin, que incluem resumos de receita total e contagens de status de pedidos. **Recomendações** Atualize para a versão 4.3.2 ou posterior.

**Nome do Software Vulnerável e Versões Afetadas** O Image Optimizer da wps.sk, versões anteriores à 1.2.1 **Descrição** O plugin Image Optimizer para WordPress é suscetível a Falsificação de Solicitação Entre Sites (CSRF). Isso é causado por validação insuficiente de nonce na função `imagopby ajax optimize gallery()`. Um atacante não autenticado poderia potencialmente acionar a otimização em massa ao induzir um administrador do site a realizar uma ação. **Recomendações** Atualize o plugin Image Optimizer para a versão 1.2.1 ou posterior.