Yoschanin Pulsirivong

The Shortcodely plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'widget area' parameter in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in all versions up to, and including, 3.0.3. The plugin registers REST API endpoints at `/otm-ac/v1/update-widget-options` and `/otm-ac/v1/update-app-config` with the `permission callback` set to ` return true`, which means no authentication or authorization check is performed. The `updateWidgetOptions()` function in `AdminApi.php` accepts user-supplied JSON data and passes it directly to `AccessiblyOptions::updateAppConfig()`, which saves it to the WordPress options table via `update option()` without any sanitization or validation. The stored `widgetSrc` value is later retrieved by `AssetsManager::enqueueFrontendScripts()` and passed directly to `wp enqueue script()` as the script URL, causing it to be rendered as a `<script>` tag on every front-end page. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript that executes for all site visitors by changing the `widgetSrc` option to point to a malicious external script.

**Name of the Vulnerable Software and Affected Versions** CMS Commander plugin for WordPress versions prior to 2.289 **Description** The CMS Commander plugin for WordPress is susceptible to SQL Injection due to insufficient input validation and query preparation. Specifically, the `or blogname`, `or blogdescription`, and `or admin email` parameters are not adequately sanitized, allowing authenticated attackers with CMS Commander API key access to inject malicious SQL queries into existing database queries during the restore workflow. This could lead to the extraction of sensitive information from the database. **Recommendations** Update the CMS Commander plugin to version 2.289 or later.

**Name of the Vulnerable Software and Affected Versions** Appmax plugin for WordPress versions up to and including 1.0.3 **Description** The software contains a flaw due to a lack of proper input validation in a public REST API webhook endpoint. The endpoint, located at `/webhook-system`, does not implement webhook signature validation, secret verification, or authentication mechanisms to confirm the origin of incoming webhook requests. The plugin processes untrusted data from the `event` and `data` parameters without verifying authenticity. This allows attackers to manipulate WooCommerce orders, including modifying their status (processing, refunded, cancelled, or pending) and creating new orders with arbitrary data. Attackers can also create new WooCommerce products with attacker-controlled details like names, descriptions, and prices, and write arbitrary values to order post metadata by spoofing legitimate webhook events. **Recommendations** Versions prior to 1.0.4 should not be used.

**Name of the Vulnerable Software and Affected Versions** RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress versions through 4.1132 **Description** The RepairBuddy plugin for WordPress is susceptible to unauthorized access. The plugin has AJAX handlers that, when used together, permit any authenticated user to change admin-level plugin settings. The `wc rb get fresh nonce()` function, accessible via `wp ajax` and `wp ajax nopriv` hooks, allows users to create a valid WordPress nonce for any action name without capability checks. The `wc rep shop settings submission()` function verifies the nonce (`wcrb main setting nonce`) but does not confirm user capabilities before updating over fifteen plugin options using `update option()`. This allows authenticated attackers with subscriber-level access or higher to modify all plugin configuration settings, including business name, email, logo, menu label, and GDPR settings, by generating a valid nonce and then calling the settings submission handler. **Recommendations** Versions prior to and including 4.1132 should be updated. As a temporary workaround, consider restricting access to the `wc rb get fresh nonce` endpoint. Avoid using the `wcrb main setting nonce` parameter in the `wc rep shop settings submission` function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Stock Ticker plugin for WordPress versions prior to 3.26.1 **Description** The Stock Ticker plugin for WordPress is susceptible to Stored Cross-Site Scripting through admin settings. Insufficient input sanitization and output escaping allow authenticated attackers with administrator-level permissions or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. This issue only impacts multi-site installations and those where unfiltered html has been disabled. **Recommendations** Update the Stock Ticker plugin to a version later than 3.26.1.