Yuki Haruma

**Nome do software vulnerável e versões afetadas** Acato Branded Social Images, versões 1.1.0 e anteriores **Descrição** O problema está relacionado a uma vulnerabilidade de falta de autorização, que permite a exploração de níveis de segurança de controle de acesso configurados incorretamente. **Recomendações** Para as versões 1.1.0 e anteriores do Acato Branded Social Images, atualize para uma versão que corrija o problema de falta de autorização. No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Nome do software vulnerável e versões afetadas** Exibição de campos personalizados no front-end – Post and User Profile Fields, versões 1.2.0 e anteriores **Descrição** O problema está relacionado a uma vulnerabilidade de falta de autorização, que permite a exploração de níveis de segurança de controle de acesso configurados incorretamente. Isso pode levar a acesso não autorizado devido à ausência de verificações de segurança. **Recomendações** Para o recurso “Exibir campos personalizados no front-end – Campos de postagem e perfil do usuário” nas versões 1.2.0 e anteriores, considere restringir o acesso aos campos personalizados no front-end até que um mecanismo de autorização adequado seja implementado. Como solução temporária, revise e configure manualmente os níveis de segurança do controle de acesso para minimizar o risco de exploração. No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Nome do software vulnerável e versões afetadas** NervyThemes SKU Label Changer For WooCommerce, versões 3.0 e anteriores **Descrição** O problema está relacionado a uma vulnerabilidade de falta de autorização. Essa vulnerabilidade afeta o NervyThemes SKU Label Changer For WooCommerce, permitindo o acesso não autorizado. **Recomendações** Para as versões 3.0 e anteriores, atualize para uma versão que inclua uma correção para este problema, pois não há solução alternativa específica disponível para essas versões. No momento, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.

**Nome do software vulnerável e versões afetadas** Versões do Imran Sayed Headless CMS de n/a a 2.0.3 **Descrição** O problema está relacionado a uma vulnerabilidade de falta de autorização. **Recomendações** Para as versões de n/a a 2.0.3, atualize para uma versão posterior à 2.0.3 para resolver o problema.

**Nome do software vulnerável e versões afetadas** Plugin File Manager para versões do WordPress até a 7.2.1, inclusive **Descrição** O problema está relacionado à exposição de informações confidenciais devido à aleatoriedade insuficiente nos nomes dos arquivos de backup, que são gerados usando um carimbo de data/hora mais 4 dígitos aleatórios. Isso permite que invasores não autenticados extraiam dados confidenciais, incluindo backups do site, em configurações nas quais o arquivo .htaccess não bloqueia o acesso ao diretório. **Recomendações** Para versões até a 7.2.1, inclusive, atualize para uma versão posterior à 7.2.1 para resolver o problema. Como solução temporária, considere restringir o acesso ao diretório de backup configurando o arquivo .htaccess para bloquear o acesso não autorizado.

**Name of the Vulnerable Software and Affected Versions** Foxskav Easy Bet versions 1.0.2 and earlier **Description** The issue is related to an Improper Neutralization of Special Elements used in an SQL Command, also known as 'SQL Injection'. This allows attackers to inject malicious SQL code, potentially leading to unauthorized access or modification of data. **Recommendations** For versions 1.0.2 and earlier, update to a version that fixes the SQL Injection vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cleverwise Daily Quotes versions 3.2 and earlier **Description** The issue is a Cross-Site Request Forgery (CSRF) vulnerability that allows Stored XSS. This means an attacker can trick a user into performing unintended actions on a web application, potentially leading to the execution of malicious scripts stored on the server. **Recommendations** For versions 3.2 and earlier, update to a version that includes a fix for this issue, as no specific mitigation measures are provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Marios Alexandrou Enhanced Plugin Admin plugin versions <= 1.16 **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For Marios Alexandrou Enhanced Plugin Admin plugin versions <= 1.16, update to a version higher than 1.16 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Robin Phillips Mobile Banner plugin versions 1.5 and earlier **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For Robin Phillips Mobile Banner plugin versions 1.5 and earlier, update to a version later than 1.5 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** LOKALYZE CALL ME NOW plugin versions <= 3.0 **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. No information is provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. **Recommendations** For versions <= 3.0, update to a version higher than 3.0 to resolve the issue. At the moment, there is no information about other mitigation measures.

**Name of the Vulnerable Software and Affected Versions** JoomSky JS Job Manager plugin versions <= 2.0.0 **Description** The issue is a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For JoomSky JS Job Manager plugin versions <= 2.0.0, update to a version greater than 2.0.0 to resolve the issue. As a temporary workaround, consider implementing additional CSRF protection measures, such as token-based validation, to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Faraz Quazi Floating Action Button plugin versions 1.2.1 and earlier **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. No information is provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For versions 1.2.1 and earlier, update to a version later than 1.2.1 to resolve the issue. As a temporary workaround, consider implementing CSRF token validation to prevent unauthorized requests. Restrict access to sensitive functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Brett Shumaker Simple Staff List plugin versions 2.2.3 and earlier **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability can be exploited by authenticated users with editor or higher privileges. **Recommendations** For versions 2.2.3 and earlier, update to a version later than 2.2.3 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** XootiX Side Cart Woocommerce (Ajax) plugin versions prior to 2.3 **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that requires authentication with admin+ privileges. **Recommendations** For versions prior to 2.3, update to version 2.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** David Artiss Plugins List plugin versions <= 2.5 **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that requires authentication with admin or higher privileges. **Recommendations** For David Artiss Plugins List plugin versions <= 2.5, update to a version higher than 2.5 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** All My Web Needs Logo Scheduler plugin versions 1.2.0 and earlier **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that affects authenticated administrators. This vulnerability allows for malicious scripts to be stored on the server and executed when accessed by other users, potentially leading to unauthorized actions or data theft. No information is provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. **Recommendations** For versions 1.2.0 and earlier, update to a version later than 1.2.0 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's administrative interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Dave's WordPress Live Search plugin versions prior to 4.8.1 **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that requires authentication with admin+ privileges. **Recommendations** For versions prior to 4.8.1, update to a version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** M Williams Cab Grid plugin versions prior to 1.5.16 **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that requires authentication with admin+ privileges. **Recommendations** For versions prior to 1.5.16, update to version 1.5.16 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Easy Slider Revolution plugin versions prior to 1.0.0 **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability. This type of vulnerability allows an attacker to inject malicious scripts into a website, which can then be executed by other users. The estimated number of potentially affected devices and details about real-world incidents are not provided. **Recommendations** For versions prior to 1.0.0, update to a version that contains a fix for this issue. If no specific fix is provided for the version, consider disabling the plugin until a patch is available. Restrict access to the plugin's functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PHPRADAR Woocommerce Tip/Donation plugin versions <= 1.2 **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that affects authenticated users with shop manager or higher privileges. This vulnerability allows an attacker to inject malicious scripts into the application, potentially leading to unauthorized access or data theft. No information is provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. **Recommendations** For PHPRADAR Woocommerce Tip/Donation plugin versions <= 1.2, update to a version higher than 1.2 to resolve the issue. At the moment, there is no information about additional mitigation measures for this vulnerability.