Satoo Nakano

**Nome do Software Vulnerável e Versões Afetadas** Poll Maker – Versus Polls, Anonymous Polls, Image Polls versões anteriores a 6.3.8 **Description** Controles de acesso insuficientes na ação AJAX 'ays poll get user information' permitem que atacantes autenticados com nível de acesso de assinante ou superior recuperem dados confidenciais de conta. O sistema serializa e retorna o objeto `WP User` completo sem verificação de nonce ou verificações de capacidade além de validar se o usuário está logado. Os dados expostos incluem o `user pass` (hash de senha bcrypt), `user email`, `user login`, `user registered`, funções e todas as capacidades. Essas informações, particularmente o hash da senha, podem ser usadas para ataques de quebra de senha offline. **Recommendations** Atualize para uma versão posterior a 6.3.7. Como medida paliativa temporária, restrinja o acesso à ação AJAX 'ays poll get user information' para minimizar o risco de exploração.

**Name of the Vulnerable Software and Affected Versions** Scott Reilly Get Custom Field Values plugin versions <= 4.0.1 **Description** The issue is related to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability. This means that an attacker with admin+ privileges can inject malicious scripts into the application, which can then be executed by other users. The estimated number of potentially affected devices and details about real-world incidents are not provided. **Recommendations** For Scott Reilly Get Custom Field Values plugin versions <= 4.0.1, update to a version higher than 4.0.1 to resolve the issue. At the moment, there is no information about other specific mitigation measures for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Advanced Custom Fields versions 6.1.0 through 6.1.7 Advanced Custom Fields Pro versions 6.1.0 through 6.1.7 **Description** A cross-site scripting vulnerability allows a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product with administrative privilege. This issue potentially affects approximately 1 million sites. **Recommendations** For Advanced Custom Fields versions 6.1.0 through 6.1.7, update to a version later than 6.1.7 to resolve the issue. For Advanced Custom Fields Pro versions 6.1.0 through 6.1.7, update to a version later than 6.1.7 to resolve the issue. As a temporary workaround, consider restricting access to administrative privileges until a patch is applied.