Abu Hurayra

Insertion of Sensitive Information Into Sent Data vulnerability in Tom GenerateBlocks allows Retrieve Embedded Sensitive Data. This issue affects GenerateBlocks: from n/a through 2.1.0.

**Name of the Vulnerable Software and Affected Versions** IdeaBox Creations PowerPack Addons for Elementor versions through 2.9.9 **Description** The software contains a flaw related to improper input handling during web page generation, specifically a cross-site scripting issue. This allows for stored cross-site scripting (XSS) attacks. The vulnerable component is `powerpack-lite-for-elementor`. **Recommendations** Versions prior to and including 2.9.9 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Noor Alam Magical Addons For Elementor versions through 1.4.1 **Description** A flaw exists in Noor Alam Magical Addons For Elementor that allows for Stored Cross-site Scripting (XSS). This issue is due to improper neutralization of input during web page generation. The vulnerability could allow an attacker to inject malicious scripts into web pages viewed by other users. The vulnerable component is `magical-addons-for-elementor`. **Recommendations** Versions prior to 1.4.1 should be updated.

**Name of the Vulnerable Software and Affected Versions** WPVibes Elementor Addon Elements versions through 1.14.4 **Description** A flaw exists in WPVibes Elementor Addon Elements that allows retrieval of embedded sensitive data due to insertion of sensitive information into sent data. **Recommendations** Update WPVibes Elementor Addon Elements to a version later than 1.14.4.

**Name of the Vulnerable Software and Affected Versions** X Addons for Elementor versions through 1.0.23 **Description** An issue exists in X Addons for Elementor where incorrectly configured access control security levels can be exploited, leading to a missing authorization condition. The vulnerability allows unauthorized access. **Recommendations** Update X Addons for Elementor to a version later than 1.0.23.

**Name of the Vulnerable Software and Affected Versions** Phlox Theme Plugin for WordPress versions prior to 2.17.14 **Description** The Shortcodes and extra features for Phlox theme plugin for WordPress is susceptible to Stored Cross-Site Scripting. This occurs due to insufficient input sanitization and output escaping when handling the `tag` and `title tag` parameters. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. **Recommendations** Update the Phlox Theme Plugin for WordPress to version 2.17.14 or later.

**Name of the Vulnerable Software and Affected Versions** pencilwp X Addons for Elementor versions through 1.0.23 **Description** An issue exists in pencilwp X Addons for Elementor that allows for DOM-Based Cross-site Scripting (XSS). This is due to improper neutralization of input during web page generation. The issue allows an attacker to inject malicious scripts into web pages, potentially compromising user data or system security. The vulnerable component allows for the execution of arbitrary JavaScript code within the context of the user's browser. **Recommendations** Update pencilwp X Addons for Elementor to a version later than 1.0.23.

**Name of the Vulnerable Software and Affected Versions** Colibri Page Builder plugin for WordPress versions prior to 1.0.346 **Description** The Colibri Page Builder plugin for WordPress is susceptible to Stored Cross-Site Scripting through the `colibri blog posts` shortcode. Insufficient input sanitization and output escaping on user-supplied attributes allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. **Recommendations** Update the Colibri Page Builder plugin to version 1.0.346 or later.

**Name of the Vulnerable Software and Affected Versions** PickPlugins Post Grid and Gutenberg Blocks versions through 2.3.17 **Description** A missing authorization flaw exists in PickPlugins Post Grid and Gutenberg Blocks. This issue allows exploitation of incorrectly configured access control security levels. **Recommendations** Update PickPlugins Post Grid and Gutenberg Blocks to a version later than 2.3.17.

**Name of the Vulnerable Software and Affected Versions** PostX versions through 4.1.36 **Description** An authorization issue exists in WPXPO PostX ultimate-post due to incorrectly configured access control security levels. This allows exploitation of the system. **Recommendations** Update PostX to a version later than 4.1.36.

**Name of the Vulnerable Software and Affected Versions** All In One SEO Pack versions through 4.8.6.1 **Description** The All In One SEO Pack software contains a flaw that allows the retrieval of embedded sensitive data due to insertion of sensitive information into sent data. **Recommendations** Update All In One SEO Pack to a version later than 4.8.6.1.

**Name of the Vulnerable Software and Affected Versions** The Better Elementor Addons plugin for WordPress versions up to and including 1.5.4 **Description** The software is susceptible to Stored Cross-Site Scripting through the Slider widget. This is due to inadequate input sanitization and output escaping of user-provided attributes. Authenticated attackers with contributor-level access or higher can inject malicious web scripts into pages. These scripts will execute when a user accesses the affected page. **Recommendations** Update The Better Elementor Addons plugin to a version later than 1.5.4.

**Name of the Vulnerable Software and Affected Versions** Magical Posts Display plugin for WordPress versions through 1.2.54 **Description** The software is susceptible to Stored Cross-Site Scripting through the `mpac title tag` parameter in the Magical Posts Accordion widget. Insufficient input sanitization and output escaping of user-supplied HTML tag names allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. **Recommendations** Update the Magical Posts Display plugin to a version later than 1.2.54.

**Name of the Vulnerable Software and Affected Versions** Magical Products Display plugin for WordPress versions up to and including 1.1.29 **Description** The Magical Products Display plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is due to insufficient input sanitization and output escaping of user-supplied HTML tag names in the `mpdpr title tag` and `mpdpr subtitle tag` parameters within the MPD Pricing Table widget. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. **Recommendations** Update the Magical Products Display plugin to a version later than 1.1.29.

**Name of the Vulnerable Software and Affected Versions** HT Mega – Absolute Addons For Elementor plugin for WordPress versions prior to 3.0.0 **Description** The HT Mega – Absolute Addons For Elementor plugin for WordPress is susceptible to Stored Cross-Site Scripting through its Gutenberg blocks. This is caused by inadequate input validation of user-provided HTML tag names, specifically a missing tag name whitelist. Dangerous tags such as `script`, `iframe`, and `object` can be injected despite the use of `tag escape()` for sanitization. While some blocks utilize `esc html()` for content, this can be circumvented using JavaScript encoding techniques like unquoted strings, backticks, and `String.fromCharCode()`. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages, which will execute when a user accesses the affected page. **Recommendations** Update the HT Mega – Absolute Addons For Elementor plugin to version 3.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** aThemes Addons for Elementor plugin for WordPress versions through 1.1.5 **Description** The aThemes Addons for Elementor plugin for WordPress has a flaw that allows for the injection of malicious web scripts. This is due to inadequate handling of user-provided data within the Call To Action widget. Authenticated attackers with contributor-level permissions or higher can exploit this to insert arbitrary web scripts into pages. These scripts will then execute when any user visits the affected page. The issue stems from insufficient input sanitization and output escaping of user-supplied values. **Recommendations** Update aThemes Addons for Elementor plugin for WordPress to a version later than 1.1.5.

**Name of the Vulnerable Software and Affected Versions** PickPlugins Accordion versions through 2.3.14 **Description** A missing authorization issue exists in PickPlugins Accordion accordions, allowing exploitation of incorrectly configured access control security levels. **Recommendations** Versions prior to 2.3.14 are affected.

**Name of the Vulnerable Software and Affected Versions** Blockspare versions n/a through 3.2.13.2 **Description** A flaw exists in Blockspare that allows retrieval of embedded sensitive data due to insertion of sensitive information into sent data. The number of potentially affected devices worldwide is not specified. There are no reports of real-world incidents where this issue was exploited. No specific API endpoints, vulnerable parameters, or function names are mentioned in the provided information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SureForms – Drag and Drop Form Builder for WordPress versions prior to 1.12.2 **Description** The SureForms – Drag and Drop Form Builder for WordPress plugin contains a flaw in access control. Specifically, the '/wp-json/sureforms/v1/srfm-global-settings' API endpoint does not properly restrict access. This allows authenticated attackers with contributor-level access or higher to obtain sensitive information. This information includes API keys for Google reCAPTCHA, Cloudflare Turnstile, and hCaptcha, as well as admin email addresses and security-related form settings. **Recommendations** Update SureForms – Drag and Drop Form Builder for WordPress to version 1.12.2 or later.

**Name of the Vulnerable Software and Affected Versions** Generic Elements plugin for WordPress versions prior to 1.2.4 **Description** The software is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping of user-supplied attributes in multiple widget fields. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the affected page. **Recommendations** Update to a version newer than 1.2.4.