Williwollo

**Name of the Vulnerable Software and Affected Versions** User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration versions prior to 4.2.9 **Description** The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress has a flaw related to improper file type validation. This allows authenticated users with Author-level access or higher to upload arbitrary files to the server. The issue resides in the `WPUF Admin Settings::check filetype and ext` function and the `Admin Tools::check filetype and ext` function. Successful exploitation may lead to remote code execution. **Recommendations** Update the User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin to version 4.2.9 or later.

**Name of the Vulnerable Software and Affected Versions** WP FOFT Loader plugin for WordPress versions through 2.1.39 **Description** The WP FOFT Loader plugin for WordPress is susceptible to arbitrary file uploads because of inadequate file type validation within the `WP FOFT Loader Mimes::file and ext` function. This allows authenticated attackers with Author-level access or higher to upload arbitrary files to the server, potentially leading to remote code execution. **Recommendations** Update the WP FOFT Loader plugin to a version later than 2.1.39.

**Name of the Vulnerable Software and Affected Versions** OS DataHub Maps plugin for WordPress versions through 1.8.3 **Description** The OS DataHub Maps plugin for WordPress has a flaw allowing arbitrary file uploads. This is due to insufficient file type validation within the `OS DataHub Maps Admin::add file and ext` function. Attackers with Author-level access or higher can upload any file type to the server, potentially leading to remote code execution. **Recommendations** Update the OS DataHub Maps plugin to a version later than 1.8.3.

**Name of the Vulnerable Software and Affected Versions** Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress versions up to and including 7.8.9.2 **Description** The Hustle plugin for WordPress is affected by a file upload issue. Incorrect file type validation within the `action import module()` function allows authenticated attackers with Subscriber-level access or higher to upload arbitrary files to the server. Successful exploitation requires an administrator to grant the attacker Hustle module permissions or module edit access to obtain a necessary nonce. This could potentially lead to remote code execution. **Recommendations** Versions prior to and including 7.8.9.2 should be updated.