Alex Thomas

Name of the Vulnerable Software and Affected Versions The AM LottiePlayer plugin for WordPress versions up to and including 3.6.0 Description The AM LottiePlayer plugin for WordPress is susceptible to Stored Cross-Site Scripting through uploaded SVG files. Insufficient input sanitization and output escaping allow authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages. These scripts execute when a user accesses the affected page. Recommendations Update the AM LottiePlayer plugin to a version newer than 3.6.0.

**Name of the Vulnerable Software and Affected Versions** Houzez versions prior to 4.1.7 **Description** The Houzez theme for WordPress is susceptible to PHP Object Injection due to deserialization of untrusted input within the `saved-search-item.php` file. This allows authenticated attackers with Subscriber-level access or higher to inject a PHP Object. Currently, no known PHP Object Injection (POP) chain exists within the vulnerable software itself. However, if another plugin or theme containing a POP chain is installed on the same site, an attacker may be able to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code, depending on the specific POP chain present. **Recommendations** Update Houzez to version 4.1.7 or later.

**Name of the Vulnerable Software and Affected Versions** Houzez theme for WordPress versions prior to 4.1.7 **Description** The Houzez theme for WordPress is susceptible to Stored Cross-Site Scripting through SVG file uploads. This is due to inadequate input sanitization and output escaping within the `houzez property img upload()` and `houzez property attachment upload()` functions. This allows unauthenticated attackers to inject arbitrary web scripts into pages, which will execute when a user accesses the SVG file. **Recommendations** Update the Houzez theme to version 4.1.7 or later.

**Name of the Vulnerable Software and Affected Versions** Everest Forms (Pro) versions up to and including 1.9.7 **Description** The Everest Forms (Pro) plugin for WordPress is susceptible to PHP Object Injection due to deserialization of untrusted input within the `mime content type()` function. This allows unauthenticated attackers to inject a PHP Object when a form with a non-required signature field and an image upload field is present on the site. The impact of this issue is limited unless another plugin or theme containing a PHP Object Payload (POP) chain is installed. If a POP chain exists on the system, an attacker could potentially delete files, retrieve sensitive data, or execute code. This vulnerability is exploitable in PHP versions prior to 8. **Recommendations** Versions prior to 1.9.8 are affected. Update to a version greater than 1.9.7.

Name of the Vulnerable Software and Affected Versions: Easy Restaurant Menu Manager plugin for WordPress versions up to and including 2.0.1 Description: The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the `nsc eprm menu link` shortcode. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in pages. These scripts will execute whenever a user accesses an injected page. Recommendations: For versions up to and including 2.0.1, consider disabling the `nsc eprm menu link` shortcode until a patch is available to prevent exploitation. Restrict access to the shortcode's attributes to minimize the risk of arbitrary script injection.

**Name of the Vulnerable Software and Affected Versions** Radio Player plugin for WordPress versions up to, and including, 2.0.73 **Description** The issue is related to a missing capability check on the `update player` function, allowing unauthenticated attackers to update player instances. This enables unauthorized modification of data. **Recommendations** For versions up to, and including, 2.0.73, consider disabling the `update player` function until a patch is available to prevent unauthorized data modification. Restrict access to the update functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Radio Player plugin for WordPress versions up to, and including, 2.0.73 **Description** The issue allows unauthorized modification of data due to a missing capability check on the `update settings` function. This makes it possible for unauthenticated attackers to update plugin settings. **Recommendations** For versions up to, and including, 2.0.73, update to a version that includes a fix for the missing capability check in the `update settings` function. As a temporary workaround, consider restricting access to the `update settings` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Popup Builder plugin for WordPress (affected versions not specified) **Description** The issue allows authenticated attackers with subscriber-level access and above to perform unauthorized actions due to a missing capability check on all AJAX actions. This enables them to delete subscribers and import subscribers, potentially leading to stored cross-site scripting attacks. There is no information provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Content Blocks (Custom Post Widget) plugin for WordPress versions up to, and including, 3.3.0 **Description** The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's `content block` shortcode. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages. These scripts will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 3.3.0, update to a version that addresses the insufficient input sanitization and output escaping issue in the `content block` shortcode. As a temporary workaround, consider restricting access to the `content block` shortcode for users with contributor-level access and above until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Shortcodes and extra features for Phlox theme plugin for WordPress versions up to, and including, 2.15.5 **Description** The issue is related to Stored Cross-Site Scripting via the `title tag` parameter due to insufficient input sanitization and output escaping. This allows authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 2.15.5, update to a version higher than 2.15.5 to resolve the issue. As a temporary workaround, consider restricting access to the `title tag` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** HT Mega – Absolute Addons For Elementor plugin for WordPress versions up to, and including, 2.4.6 **Description** The issue is related to Stored Cross-Site Scripting via the plugin's blocks due to insufficient input sanitization and output escaping on the `titleTag` user-supplied attributes. This allows authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 2.4.6, consider disabling the blocks feature in the HT Mega – Absolute Addons For Elementor plugin until a patch is available, and restrict access to the `titleTag` attribute to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Export WP Page to Static HTML/CSS plugin for WordPress versions up to, and including, 2.1.9 **Description** The issue is related to a missing capability check on multiple AJAX actions, allowing authenticated attackers with subscriber-level access and above to access and modify sensitive data. This can lead to the disclosure of sensitive information or the performance of unauthorized actions, such as saving advanced plugin settings. **Recommendations** For Export WP Page to Static HTML/CSS plugin for WordPress versions up to, and including, 2.1.9, update to a version higher than 2.1.9 to resolve the issue. As a temporary workaround, consider restricting access to the AJAX actions until a patch is available. Restrict subscriber-level access and above to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Funnelforms Free plugin for WordPress versions up to, and including, 3.4 **Description** The issue allows authenticated attackers with subscriber-level permissions and above to create copies of arbitrary posts due to a missing capability check on the `fnsf copy posts` function. **Recommendations** For versions up to, and including, 3.4, update to a version that includes a fix for the missing capability check in the `fnsf copy posts` function.

**Name of the Vulnerable Software and Affected Versions** Funnelforms Free plugin for WordPress versions up to, and including, 3.4 **Description** The issue allows authenticated attackers with subscriber-level permissions and above to modify data without authorization due to a missing capability check on the `fnsf af2 trigger dark mode` function. This enables them to enable or disable the dark mode plugin setting. **Recommendations** For versions up to, and including, 3.4, update to a version that includes a fix for the missing capability check in the `fnsf af2 trigger dark mode` function to prevent unauthorized modification of data.

**Name of the Vulnerable Software and Affected Versions** Funnelforms Free plugin for WordPress versions up to, and including, 3.4 **Description** The issue allows authenticated attackers with subscriber-level permissions and above to modify data without authorization. This is due to a missing capability check on the `fnsf delete category` function, enabling them to delete categories. **Recommendations** For versions up to, and including, 3.4, update to a version that includes a fix for the missing capability check in the `fnsf delete category` function to prevent unauthorized data modification.

**Name of the Vulnerable Software and Affected Versions** Funnelforms Free plugin for WordPress versions up to, and including, 3.4 **Description** The issue allows authenticated attackers with subscriber-level permissions and above to modify the Funnelforms category for a given post ID due to a missing capability check on the `fnsf update category` function. **Recommendations** For versions up to, and including, 3.4, update to a version that includes a fix for the missing capability check in the `fnsf update category` function to prevent unauthorized modification of data.

**Name of the Vulnerable Software and Affected Versions** Funnelforms Free plugin for WordPress versions up to and including 3.4 **Description** The issue allows authenticated attackers with subscriber-level permissions and above to modify data without proper authorization. This is due to a missing capability check on the `fnsf delete posts` function, enabling them to delete arbitrary posts, including those of administrators and posts unrelated to the Funnelforms Free plugin. **Recommendations** For versions up to and including 3.4, consider disabling the `fnsf delete posts` function until a patch is available to prevent unauthorized post deletion. Restrict access to the Funnelforms Free plugin's functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Funnelforms Free plugin for WordPress versions up to, and including, 3.4 **Description** The issue allows authenticated attackers with subscriber-level permissions and above to modify certain post values due to a missing capability check on the `fnsf af2 save post` function. The extent of modification is limited due to fixed values passed to the `wp update post` function. **Recommendations** For Funnelforms Free plugin for WordPress versions up to, and including, 3.4, update to a version that includes a fix for the missing capability check in the `fnsf af2 save post` function. As a temporary workaround, consider restricting access to the `fnsf af2 save post` function to prevent unauthorized modification of post values.

**Name of the Vulnerable Software and Affected Versions** Funnelforms Free plugin for WordPress versions up to, and including, 3.4 **Description** The issue allows authenticated attackers with subscriber-level permissions and above to send test emails to an arbitrary email address due to a missing capability check on the `fnsf af2 test mail` function. **Recommendations** For versions up to, and including, 3.4, update to a version that includes a fix for the missing capability check in the `fnsf af2 test mail` function to prevent unauthorized modification of data.

**Name of the Vulnerable Software and Affected Versions** HTML filter and csv-file search plugin for WordPress versions up to 2.7 **Description** The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's 'csvsearch' shortcode, allowing authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts in pages. These scripts will execute whenever a user accesses an injected page. **Recommendations** For versions up to 2.7, update to a version that addresses the insufficient input sanitization and output escaping issue in the 'csvsearch' shortcode to prevent Stored Cross-Site Scripting attacks.