Abhirup Konwar

**Name of the Vulnerable Software and Affected Versions** Helpfulcrowd Product Reviews versions prior to 1.3.0 **Description** The Helpfulcrowd Product Reviews plugin for WordPress allows unauthenticated authorization bypass due to PHP Type Juggling. This occurs because the `helpfulcrowd validate token()` function uses a loose comparison operator (`!=`) instead of a strict comparison (`!==`) when validating the `token` parameter. Since the REST route "/wp-json/helpfulcrowd/v1/update-settings" is registered with a `permission callback` of ` return true`, it is accessible to unauthenticated users. By submitting a JSON boolean `true` as the `token` value, the loose comparison evaluates as equal to the non-empty base64-encoded secret string, bypassing the security check. Consequently, attackers can invoke `helpfulcrowd settings endpoint()` to write arbitrary key-value pairs into the `helpfulcrowd options` WordPress database option via `update option()` without sanitization or allowlist filtering, leading to full modification of the plugin configuration. **Recommendations** Update the plugin to a version later than 1.2.9. As a temporary workaround, restrict access to the "/wp-json/helpfulcrowd/v1/update-settings" endpoint to minimize the risk of exploitation.

The 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin settings by writing arbitrary data to the ar try on settings option in the database via the /wp-json/ar try on/v1/settings REST endpoint.

**Name of the Vulnerable Software and Affected Versions** GSheet For Woo Importer versions prior to 2.3.2 **Description** The GSheet For Woo Importer plugin for WordPress contains a flaw allowing unauthorized loss of data. This is caused by a missing capability check in the `process ajax restore action()` function, enabling authenticated attackers with Subscriber-level access or higher to delete the Google Sheets API token and configuration options. **Recommendations** Update to a version later than 2.3.1. As a temporary workaround, restrict access to the `process ajax restore action()` function to authorized administrative users only.

**Name of the Vulnerable Software and Affected Versions** Essential Chat Support versions prior to 1.0.2 **Description** The Essential Chat Support plugin for WordPress contains an authorization bypass. The plugin fails to properly verify if a user is authorized to perform specific actions, allowing unauthenticated attackers to reset all plugin configuration settings to their defaults. This includes general settings, display rules, custom CSS, and WooCommerce tab settings. The issue is triggered by sending a POST request containing the parameter `ecs reset settings=1`. **Recommendations** Update the plugin to a version later than 1.0.1.

**Name of the Vulnerable Software and Affected Versions** Notify Odoo versions prior to 1.0.2 **Description** The Notify Odoo plugin for WordPress contains a Cross-Site Request Forgery (CSRF) flaw. This occurs because the ` updateSettings()` function lacks proper nonce validation. A nonce (number used once) is a unique token used to verify that a request was intentionally sent by the user. Consequently, unauthenticated attackers can trick a site administrator into clicking a link to execute a forged request. This allows the attacker to change the Notify Odoo URL to one they control and modify settings related to notifications, tracking images, and allowed IP addresses. **Recommendations** Update the plugin to a version later than 1.0.1. As a temporary workaround, restrict access to the ` updateSettings()` function to minimize the risk of exploitation.

The Coinbase Commerce for Contact Form 7 plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.1.2. This is due to a missing capability check and missing nonce verification in the save settings() function, which is registered on the admin post cccf7 save settings hook. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the plugin's Coinbase Commerce API key option (cccf7 api key) via a crafted POST request to /wp-admin/admin-post.

The HEL Online Classroom: AI-powered Online Classrooms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.3. This is due to a missing capability check on a REST API endpoint registered with a permission callback of ' return true', which bypasses all WordPress authentication and authorization checks. This makes it possible for unauthenticated attackers to delete any classroom record by supplying its ID in the request, resulting in permanent data loss.

**Name of the Vulnerable Software and Affected Versions** HM Books Gallery versions prior to 4.8.1 **Description** The plugin is subject to missing authorization due to the absence of capability checks and nonce verification within the `admin init` hook. Specifically, the code at lines 205-209 of `wp-books-gallery.php` only verifies the presence of the `permalink structure` POST parameter before updating the `wbg cpt slug` option, failing to ensure the request originates from an authenticated administrator. This allows unauthenticated attackers to modify the custom post type slug for the books gallery, altering the URL structure for all book entries and potentially disrupting existing links and SEO rankings. **Recommendations** Update to a version later than 4.8.0.

**Name of the Vulnerable Software and Affected Versions** Emailchef versions prior to 3.5.2 **Description** The plugin is susceptible to unauthorized data modification because the `page options ajax disconnect()` function lacks a proper capability check. Authenticated users with Subscriber-level permissions or higher can exploit this by using the 'emailchef disconnect' AJAX action to delete plugin settings. **Recommendations** Update to a version newer than 3.5.1. As a temporary workaround, restrict access to the 'emailchef disconnect' AJAX action.

**Name of the Vulnerable Software and Affected Versions** Canto plugin for WordPress versions prior to 3.1.2 **Description** Missing authorization occurs due to the absence of capability checks or nonce verification in the `updateOptions()` function. This function is exposed via two AJAX hooks: 'wp ajax updateOptions' and 'wp ajax fbc updateOptions'. Because these hooks are registered under the `wp ajax ` prefix without calls to `current user can()` or `check ajax referer()`, authenticated attackers with subscriber-level access or higher can arbitrarily modify or delete plugin options that control cron scheduling behavior, specifically `fbc duplicates`, `fbc cron`, `fbc schedule`, `fbc cron time day`, `fbc cron time hour`, and `fbc cron start`. Additionally, attackers can manipulate or clear the scheduled WordPress cron event `fbc scheduled update`. **Recommendations** Update to a version later than 3.1.1. As a temporary workaround, restrict access to the `updateOptions()` function or the associated AJAX hooks until a patch is applied.

Name of the Vulnerable Software and Affected Versions Aruba HiSpeed Cache plugin for WordPress versions up to and including 3.0.4 Description The Aruba HiSpeed Cache plugin for WordPress is susceptible to Cross-Site Request Forgery. This is caused by the absence of nonce verification within the `ahsc ajax reset options()` function. An unauthenticated attacker could potentially reset all plugin settings to their default values by manipulating a site administrator into performing an action, such as clicking a malicious link. Recommendations Update the Aruba HiSpeed Cache plugin to a version later than 3.0.4.

Name of the Vulnerable Software and Affected Versions Gerador de Certificados – DevApps plugin for WordPress versions up to and including 1.3.6 Description The Gerador de Certificados – DevApps plugin for WordPress is susceptible to arbitrary file uploads because of a lack of file type validation within the `moveUploadedFile()` function. This allows authenticated attackers with Administrator-level access or higher to upload arbitrary files to the server, potentially leading to remote code execution. Recommendations Update the Gerador de Certificados – DevApps plugin to a version later than 1.3.6.

**Name of the Vulnerable Software and Affected Versions** The Company Posts for LinkedIn plugin for WordPress versions prior to 1.0.1 **Description** The software is susceptible to a missing authorization issue. This is caused by a missing capability check within the `linkedin company post reset handler()` function, which is connected to the `admin post reset linkedin company post` action. Attackers with Subscriber-level access or higher can delete LinkedIn post data stored in the site’s options table. **Recommendations** Update The Company Posts for LinkedIn plugin for WordPress to version 1.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** ilGhera Carta Docente for WooCommerce plugin for WordPress versions up to and including 1.5.0 **Description** The software contains a path traversal flaw in all versions up to and including 1.5.0, accessible through the `cert` parameter of the 'wccd-delete-certificate' AJAX action. Insufficient validation of the file path before deletion allows authenticated attackers with Administrator-level access or higher to delete arbitrary files on the server, such as `wp-config.php`. Successful exploitation could lead to site takeover and remote code execution. **Recommendations** Update the ilGhera Carta Docente for WooCommerce plugin to a version later than 1.5.0.

**Name of the Vulnerable Software and Affected Versions** NEX-Forms – Ultimate Forms Plugin for WordPress versions up to and including 9.1.9 **Description** The NEX-Forms – Ultimate Forms Plugin for WordPress plugin is susceptible to unauthorized data modification. This is due to a missing capability check within the `deactivate license()` function. Authenticated attackers with Subscriber-level access or higher can exploit this to deactivate the plugin license. **Recommendations** Update to a version beyond 9.1.9.

**Name of the Vulnerable Software and Affected Versions** MDJM Event Management plugin for WordPress versions prior to 1.7.8.2 **Description** The MDJM Event Management plugin for WordPress has a flaw that allows unauthorized modification of data. This is due to a missing capability check within the `custom fields controller` function. Unauthenticated attackers can delete arbitrary custom event fields by manipulating the 'delete custom field' and `id` parameters. **Recommendations** Update the MDJM Event Management plugin to version 1.7.8.2 or later.

**Name of the Vulnerable Software and Affected Versions** HUMN-1 AI Website Scanner & Human Certification by Winston AI plugin for WordPress versions up to and including 0.0.3 **Description** The HUMN-1 AI Website Scanner & Human Certification by Winston AI plugin for WordPress has a flaw that allows unauthorized data modification. This is due to a missing capability check within the `winston disconnect()` function. Authenticated attackers with Subscriber-level access or higher can reset the plugin’s API connection settings by utilizing the 'winston disconnect' AJAX action. **Recommendations** Update the HUMN-1 AI Website Scanner & Human Certification by Winston AI plugin for WordPress to a version beyond 0.0.3.

**Name of the Vulnerable Software and Affected Versions** The News Element Elementor Blog Magazine plugin for WordPress versions up to and including 1.0.8 **Description** The plugin is susceptible to a missing authorization issue due to the absence of a capability check and nonce verification on the `ne clean data` AJAX action. This allows authenticated attackers with Subscriber-level access or higher to truncate eight core WordPress database tables (posts, comments, terms, term relationships, term taxonomy, postmeta, commentmeta, termmeta) and delete the entire WordPress uploads directory, potentially leading to complete data loss. **Recommendations** Update The News Element Elementor Blog Magazine plugin to a version later than 1.0.8.

**Name of the Vulnerable Software and Affected Versions** CallbackKiller service widget plugin for WordPress versions prior to 1.3 **Description** The CallbackKiller service widget plugin for WordPress is susceptible to unauthorized data modification. This is due to a missing capability check within the `cbk save()` function. An unauthenticated attacker can exploit this to modify the plugin’s site ID settings through the 'cbk save v1' **API Endpoint**. **Recommendations** Update the CallbackKiller service widget plugin to version 1.3 or later.

**Name of the Vulnerable Software and Affected Versions** WaMate Confirm – Order Confirmation plugin for WordPress versions up to and including 2.0.1 **Description** The WaMate Confirm – Order Confirmation plugin for WordPress does not properly verify user authorization to perform actions. This allows authenticated attackers with subscriber-level access or higher to block and unblock phone numbers, a function restricted to administrators. **Recommendations** Update the WaMate Confirm – Order Confirmation plugin to a version later than 2.0.1.