Adrian Lukita

**Name of the Vulnerable Software and Affected Versions** Printful Integration for WooCommerce versions up to and including 2.2.11 **Description** The Printful Integration for WooCommerce plugin for WordPress is susceptible to Server-Side Request Forgery via the advanced size chart REST API endpoint. Insufficient validation of user-supplied URLs before they are passed to the `download url()` function allows authenticated attackers with Contributor-level access or higher to make web requests to arbitrary locations originating from the web application. This can potentially be used to query and modify information from internal services. **Recommendations** Update Printful Integration for WooCommerce to a version later than 2.2.11.

**Name of the Vulnerable Software and Affected Versions** Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress versions up to and including 5.9.10 **Description** The Icegram Express plugin for WordPress does not properly verify user authorization when performing actions. Specifically, the `run action scheduler task` function lacks sufficient checks, allowing unauthenticated attackers to execute scheduled actions prematurely or repeatedly. This is achieved by guessing action IDs, which could trigger email sends, maintenance tasks, or other privileged operations, leading to unexpected system behavior and resource consumption. **Recommendations** Versions prior to 5.9.10 are vulnerable. Update to a version greater than 5.9.10.

**Name of the Vulnerable Software and Affected Versions** ShopEngine Elementor WooCommerce Builder Addon versions through 4.8.5 **Description** The ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress is susceptible to Cross-Site Request Forgery. This is a result of missing nonce validation in the `post add to list` function and an incorrect permissions callback in the `Api/init` function. An unauthenticated attacker can add or remove products from a user's wishlist by exploiting a forged request, provided they can trick a user into performing an action. **Recommendations** Update ShopEngine Elementor WooCommerce Builder Addon to a version later than 4.8.5.

**Name of the Vulnerable Software and Affected Versions** Icegram Express versions prior to 5.9.11 **Description** The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress does not properly verify user authorization when performing actions within the `trigger mailing queue sending` function. This allows unauthenticated attackers to force immediate email sending, bypassing the schedule, potentially increasing server load, and altering plugin state, such as the `last-cron-hit` value, which could lead to abuse or denial-of-service-like effects. **Recommendations** Update Icegram Express to version 5.9.11 or later.

**Name of the Vulnerable Software and Affected Versions** Qi Blocks versions prior to 1.4.4 **Description** The Qi Blocks plugin for WordPress has a flaw that allows unauthorized access due to a missing capability check on the `resize image callback()` function. This occurs because the plugin does not verify if a user has the necessary permission to resize a specific attachment. Authenticated attackers with Contributor-level access or higher can resize media library images belonging to other users. This can lead to unintended file writes, increased disk consumption, and server resource abuse through the processing of large images. **Recommendations** Update Qi Blocks to version 1.4.4 or later.

**Name of the Vulnerable Software and Affected Versions** Better Find and Replace – AI-Powered Suggestions plugin for WordPress versions through 1.7.7 **Description** The software is susceptible to unauthorized API usage because of a missing capability check within the `rtafar ajax()` function. This allows authenticated attackers with Subscriber-level access to initiate OpenAI API key usage, potentially leading to quota consumption and associated costs. **Recommendations** Update to a version newer than 1.7.7.

**Name of the Vulnerable Software and Affected Versions** Qi Blocks plugin for WordPress versions up to and including 1.4.3 **Description** The Qi Blocks plugin for WordPress is susceptible to a missing authorization issue. The plugin stores arbitrary CSS styles submitted through the `qi-blocks/v1/update-styles` API endpoint without sufficient sanitization within the `update global styles callback()` function. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary CSS. This CSS injection can be leveraged to hide content, overlay deceptive UI elements, or potentially steal sensitive information. **Recommendations** Update the Qi Blocks plugin to a version later than 1.4.3.