Alexis Lafontaine

**Name of the Vulnerable Software and Affected Versions** Smartcat Translator for WPML versions prior to 3.1.78 **Description** The plugin is subject to unauthorized data modification because of a missing capability check on the 'routeData' REST endpoint. This flaw allows unauthenticated attackers to overwrite API credentials, including `account ID`, `API secret key`, `hub key`, `API host`, and `hub host`. Such an action can lead to the hijacking of the translation service or a denial of service. **Recommendations** Update to a version later than 3.1.77. As a temporary workaround, restrict access to the 'routeData' REST endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** iPOSpays Gateways WC versions prior to 1.3.8 **Description** The plugin contains a missing authorization flaw due to the REST API endpoint "/wp-json/ipospays/v1/save settings" having its `permission callback` set to ` return true`. This configuration allows unauthenticated access without capability checks or nonce verification, enabling attackers to update plugin settings. Specifically, critical payment gateway settings, including live API keys, secret keys, and payment tokens stored in the `woocommerce ipospays settings` option, can be overwritten. **Recommendations** Update the plugin to a version later than 1.3.7. As a temporary workaround, restrict access to the "/wp-json/ipospays/v1/save settings" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Pix for WooCommerce versions up to and including 1.5.0 **Description** The Pix for WooCommerce plugin for WordPress is susceptible to arbitrary file uploads. This is due to a missing capability check and a lack of file type validation within the `lkn pix for woocommerce c6 save settings` function. This allows unauthenticated attackers to upload arbitrary files to the affected server, potentially leading to remote code execution. The `lkn pix for woocommerce c6 save settings` function is the point of entry for this issue. **Recommendations** Versions up to and including 1.5.0 should be updated to a newer, fixed version when available. As a temporary workaround, consider restricting access to the `lkn pix for woocommerce c6 save settings` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Agile Logix Post Timeline versions through 2.4.1 **Description** A missing authorization flaw exists in Agile Logix Post Timeline’s `post-timeline` component. This issue stems from incorrectly configured access control security levels, potentially allowing unauthorized access. The `post-timeline` component is susceptible to exploitation due to this flaw. **Recommendations** Update Agile Logix Post Timeline to a version newer than 2.4.1.