Abhishek Bhoir

**Name of the Vulnerable Software and Affected Versions** Enqueue Anything WordPress plugin versions 1.0.0 through 1.0.1 **Description** The issue is related to the lack of authorization and CSRF checks in the `remove asset` AJAX action. This allows low-privilege users, such as subscribers, to delete arbitrary assets and put arbitrary posts in the trash. The problem also stems from the failure to verify that the item to be deleted is actually an asset. **Recommendations** For Enqueue Anything WordPress plugin versions 1.0.0 through 1.0.1, consider disabling the `remove asset` AJAX action until a patch is available to add proper authorization and CSRF checks. Restrict access to the `remove asset` function to prevent low-privilege users from exploiting this issue.

**Name of the Vulnerable Software and Affected Versions** The Simple Quotation WordPress plugin versions 1.3.2 and earlier **Description** The issue is related to the lack of CSRF check when creating or editing a quote and the failure to sanitise and escape quotes. This allows an attacker to make a logged-in admin create or edit arbitrary quotes and put Cross-Site Scripting payloads in them. **Recommendations** For versions 1.3.2 and earlier, update to a version that includes a CSRF check and proper sanitization and escaping of quotes to prevent Cross-Site Scripting attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Simple Quotation WordPress plugin versions 1.3.2 and earlier **Description** The issue concerns a lack of authorization and CSRF checks in various AJAX actions, as well as insufficient escaping of user data in SQL statements. This allows any authenticated user to perform SQL injection attacks. **Recommendations** For versions 1.3.2 and earlier, update to a version that includes proper authorization checks and user data escaping in SQL statements to prevent SQL injection attacks.