Aitor F

**Name of the Vulnerable Software and Affected Versions** 3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin versions up to 4.6 **Description** The issue arises from missing file type validation in the `r3dfb save thumbnail callback` function, allowing authenticated attackers with Author-level access and above to upload arbitrary files on the affected site's server. This may make remote code execution possible. **Recommendations** For versions up to 4.6, update the plugin to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the `r3dfb save thumbnail callback` function until a patch is available. Restrict file uploads to only necessary file types to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Extra Product Options Builder for WooCommerce plugin for WordPress versions up to, and including, 1.2.133 **Description** The issue arises from insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts in pages via the `RednaoSerializedFields` parameter during the creation of a signature file. This enables the execution of injected scripts whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 1.2.133, consider disabling the `RednaoSerializedFields` parameter until a patch is available to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.