Tran Dinh Tien

**Name of the Vulnerable Software and Affected Versions** Simple Ads Manager plugin versions prior to 2.5.96 **Description** The issue allows remote attackers to execute arbitrary code by uploading a file with an executable extension to the `sam-ajax-admin.php` file, and then accessing it via a direct request to the file in the directory specified by the `path` parameter. **Recommendations** For versions prior to 2.5.96, update to version 2.5.96 or later to resolve the issue. As a temporary workaround, consider restricting access to the `sam-ajax-admin.php` file to minimize the risk of exploitation. Avoid using the `path` parameter in the affected file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Free Reprintables ArticleFR version 3.0.5 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `q` parameter to the "search/v/" API endpoint. **Recommendations** For version 3.0.5, avoid using the `q` parameter in the "search/v/" endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the search functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Free Reprintables ArticleFR version 3.0.5 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `getProfile` function in `system/profile.functions.php` via the `username` parameter to the "register/" endpoint. **Recommendations** For version 3.0.5, consider restricting access to the `getProfile` function or the "register/" endpoint until a patch is available. As a temporary workaround, avoid using the `username` parameter in the affected endpoint to minimize the risk of exploitation.