Aly Khaled

**Name of the Vulnerable Software and Affected Versions** The-wound WordPress theme version 0.0.1 **Description** The issue concerns the failure to validate certain parameters before using them to generate paths passed to include functions, allowing unauthenticated users to perform Local File Inclusion (LFI) attacks and download arbitrary files from the server. This enables attackers to access sensitive information on the server. **Recommendations** For The-wound WordPress theme version 0.0.1, consider updating to a newer version that addresses this issue, as the current version does not validate parameters properly, leading to LFI vulnerabilities. If an update is not available, as a temporary workaround, consider restricting access to include functions or validating parameters manually to prevent LFI attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** aoa-downloadable WordPress plugin version 0.1.0 **Description** The issue allows unauthenticated attackers to download arbitrary files from the server due to a lack of validation for a parameter in the download function. **Recommendations** For version 0.1.0, consider disabling the download function until a patch is available to prevent exploitation. Restrict access to sensitive files on the server to minimize the risk of unauthorized access.

**Name of the Vulnerable Software and Affected Versions** aoa-downloadable WordPress plugin versions 0.1.0 and earlier **Description** The issue concerns a lack of authorization and authentication for requests to the "download.php" endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs. **Recommendations** For versions 0.1.0 and earlier, consider disabling access to the "download.php" endpoint until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. Avoid using this endpoint in unauthenticated contexts until the issue is resolved.