Adrián M. F

**Name of the Vulnerable Software and Affected Versions** NewStatPress plugin versions prior to 0.9.9 **Description** The issue allows remote authenticated users to execute arbitrary SQL commands. This is achieved by exploiting the `where1` parameter in the `nsp search` page to `wp-admin/admin.php`. **Recommendations** For versions prior to 0.9.9, update to version 0.9.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the `nsp search` page in `wp-admin/admin.php` to minimize the risk of exploitation. Avoid using the `where1` parameter in the affected page until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** NewStatPress plugin versions prior to 0.9.9 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. It allows remote authenticated users to inject arbitrary web script or HTML via the `where1` parameter in the nsp search page to 'wp-admin/admin.php'. **Recommendations** For versions prior to 0.9.9, update to version 0.9.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the nsp search page in wp-admin/admin.php to minimize the risk of exploitation. Avoid using the `where1` parameter in the affected page until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Landing Pages plugin versions prior to 1.8.5 **Description** The issue allows remote authenticated users to execute arbitrary SQL commands. This is achieved via the `post` parameter in an `edit delete-variation` action to "wp-admin/post.php". **Recommendations** For versions prior to 1.8.5, update to version 1.8.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Landing Pages plugin versions prior to 1.8.5 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote authenticated users to inject arbitrary web script or HTML. The injection can be done via the `post` parameter to the "/wp-admin/post-new.php" API endpoint. **Recommendations** For versions prior to 1.8.5, update to version 1.8.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/wp-admin/post-new.php" endpoint to minimize the risk of exploitation. Avoid using the `post` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** GigPress plugin versions prior to 2.3.9 **Description** The issue allows remote authenticated users to execute arbitrary SQL commands via the `show artist id` or `show venue id` parameter in an add action in the gigpress.php page to wp-admin/admin.php. This is a result of multiple SQL injection vulnerabilities in admin/handlers.php. **Recommendations** For GigPress plugin versions prior to 2.3.9, update to version 2.3.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin/handlers.php file and the gigpress.php page in wp-admin/admin.php to minimize the risk of exploitation. Avoid using the `show artist id` and `show venue id` parameters in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FeedWordPress plugin versions prior to 2015.0514 **Description** The issue allows remote authenticated users to execute arbitrary SQL commands. This is achieved via the `link ids[]` parameter in an Update action in the "syndication.php" page to "wp-admin/admin.php". **Recommendations** For FeedWordPress plugin versions prior to 2015.0514, update to version 2015.0514 or later to resolve the issue. As a temporary workaround, consider restricting access to the syndication.php page in wp-admin/admin.php to minimize the risk of exploitation. Avoid using the `link ids[]` parameter in the affected API endpoint until the issue is resolved.