Tom Adams

**Name of the Vulnerable Software and Affected Versions** Modern Tribe Eventbrite Tickets plugin versions prior to 3.10.2 **Description** The issue is related to a cross-site scripting (XSS) vulnerability in the Event Import page. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `error` parameter to the "wp-admin/edit.php" endpoint. **Recommendations** For versions prior to 3.10.2, update to version 3.10.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the import-eventbrite-events.php page and the wp-admin/edit.php endpoint to minimize the risk of exploitation. Avoid using the `error` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** WP-Ban plugin versions prior to 1.6.4 **Description** The issue allows remote attackers to bypass the IP blacklist via a crafted `X-Forwarded-For` header when running in certain configurations. **Recommendations** For WP-Ban plugin versions prior to 1.6.4, update to version 1.6.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the `X-Forwarded-For` header to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Twitget plugin versions prior to 3.3.3 **Description** The issue allows remote authenticated administrators to inject arbitrary web script or HTML via unspecified vectors. This can be demonstrated by the `twitget consumer key` parameter to "wp-admin/options-general.php". **Recommendations** For Twitget plugin versions prior to 3.3.3, update to version 3.3.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "wp-admin/options-general.php" page to minimize the risk of exploitation. Avoid using the `twitget consumer key` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Featured Comments plugin version 1.2.1 for WordPress **Description** The issue allows remote attackers to hijack the authentication of administrators for requests that change the buried or featured status of a comment. This is achieved via a request to "wp-admin/admin-ajax.php". **Recommendations** For Featured Comments plugin version 1.2.1, update to a version that addresses the CSRF vulnerabilities to prevent authentication hijacking.