Alex Tselevich

Name of the Vulnerable Software and Affected Versions YML for Yandex Market WordPress plugin versions prior to 5.0.26 Description The YML for Yandex Market WordPress plugin is susceptible to Remote Code Execution through its feed generation process. Recommendations Update to version 5.0.26 or later.

**Name of the Vulnerable Software and Affected Versions** Responsive Plus WordPress plugin versions prior to 3.4.3 **Description** The software allows unauthenticated users to execute the `update responsive woo free shipping left shortcode` AJAX action without proper validation of the `content rech data` parameter. This can lead to arbitrary shortcode execution. The vulnerable action processes the `content rech data` parameter as a shortcode. **Recommendations** Update to version 3.4.3 or later.

**Name of the Vulnerable Software and Affected Versions** User Activity Log WordPress plugin versions through 2.2 **Description** The User Activity Log WordPress plugin does not correctly manage unsuccessful login attempts. This allows individuals without authorization to modify plugin settings, such as enabling User Registration even when it is disabled. **Recommendations** Update the User Activity Log WordPress plugin to a version later than 2.2.

**Name of the Vulnerable Software and Affected Versions** The Team WordPress plugin versions prior to 5.0.11 **Description** The Team WordPress plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action. This allows unauthenticated users to potentially execute SQL injection attacks. The issue is related to insufficient input validation before utilizing data within a SQL query. The vulnerable action is accessible through an AJAX request. A specific parameter is not adequately sanitized, leading to the potential for malicious code execution. **Recommendations** Update The Team WordPress plugin to version 5.0.11 or later.

**Name of the Vulnerable Software and Affected Versions** Logo Slider WordPress plugin versions prior to 4.9.0 **Description** The software does not properly validate and escape slider options before displaying them in the dashboard. This could allow users with contributor access or higher to perform Stored Cross-Site Scripting attacks. **Recommendations** Update to version 4.9.0 or later.

**Name of the Vulnerable Software and Affected Versions** YaMaps for WordPress Plugin versions prior to 0.6.40 **Description** The YaMaps for WordPress Plugin does not properly validate and escape shortcode attributes before displaying them on a page or post. This could allow users with contributor roles or higher to execute Stored Cross-Site Scripting attacks. The issue involves improper handling of user-supplied data within shortcode attributes, potentially leading to malicious script injection. **Recommendations** Update the YaMaps for WordPress Plugin to version 0.6.40 or later.

**Name of the Vulnerable Software and Affected Versions** Plugin Organizer versions prior to 10.2.4 **Description** The Plugin Organizer WordPress plugin does not properly sanitize and escape a parameter before using it in a SQL statement. This allows subscribers to potentially execute SQL injection attacks. **Recommendations** Update Plugin Organizer to version 10.2.4 or later.

**Name of the Vulnerable Software and Affected Versions** Ocean Modal Window WordPress plugin versions prior to 2.3.3 **Description** The Ocean Modal Window WordPress plugin is affected by a Remote Code Execution issue. The issue is related to the modal display logic, where user-controlled conditions set by Editors and Administrators (with `edit pages` capability) are executed as part of an `eval` statement on every site page. This can lead to remote code execution. **Recommendations** Update the Ocean Modal Window WordPress plugin to version 2.3.3 or later.

**Name of the Vulnerable Software and Affected Versions** HandL UTM Grabber / Tracker WordPress plugin versions prior to 2.8.1 **Description** The HandL UTM Grabber / Tracker WordPress plugin does not properly sanitize and escape a parameter before displaying it, resulting in a Reflected Cross-Site Scripting issue. This could potentially be exploited against users with high privileges, such as administrators. **Recommendations** Update the HandL UTM Grabber / Tracker WordPress plugin to version 2.8.1 or later.

**Name of the Vulnerable Software and Affected Versions** HandL UTM Grabber / Tracker WordPress plugin versions prior to 2.8.1 **Description** The HandL UTM Grabber / Tracker WordPress plugin is susceptible to a Reflected Cross-Site Scripting issue. This occurs because a parameter is not properly sanitized and escaped before being displayed on the page. Successful exploitation could potentially target users with high privileges, such as administrators. The issue involves improper handling of user-supplied input, allowing malicious scripts to be injected and executed within the context of a legitimate user's session. **Recommendations** Update the HandL UTM Grabber / Tracker WordPress plugin to version 2.8.1 or later.

**Name of the Vulnerable Software and Affected Versions** WPeMatico RSS Feed Fetcher WordPress plugin versions prior to 2.8.13 **Description** The WPeMatico RSS Feed Fetcher WordPress plugin does not properly sanitize and escape certain settings. This could allow users with high privileges, such as contributors, to carry out Stored Cross-Site Scripting (XSS) attacks. Stored XSS occurs when malicious scripts are persistently stored on the target server, and then delivered to other users. **Recommendations** Update to version 2.8.13 or later.