Alyudin Nafiie

**Name of the Vulnerable Software and Affected Versions** s2Member versions prior to 260128 **Description** The s2Member plugin for WordPress is susceptible to privilege escalation via account takeover. The plugin does not properly validate a user’s identity before allowing password updates. This allows unauthenticated attackers to change passwords for any user account, including administrator accounts, potentially leading to full site takeover. A compiled exploit for this issue is being sold, with builds available for Windows and macOS. **Recommendations** Versions prior to 260128 should be updated to version 260128 or later. As a temporary workaround, monitor for unauthorized password changes.

**Name of the Vulnerable Software and Affected Versions** Lizza LMS Pro plugin for WordPress versions prior to 1.0.4 **Description** The Lizza LMS Pro plugin for WordPress is susceptible to a privilege escalation issue. The `lizza lms pro register user front end` function does not adequately restrict the user roles that can be assigned during registration. This allows unauthenticated attackers to register with the 'administrator' role, gaining unauthorized administrative access to the WordPress site. **Recommendations** Update the Lizza LMS Pro plugin to version 1.0.4 or later.

**Name of the Vulnerable Software and Affected Versions** Clasifico Listing plugin for WordPress versions prior to 2.1 **Description** The Clasifico Listing plugin for WordPress allows users registering new accounts to set their own role using the `listing user role` parameter. This can allow unauthenticated attackers to gain elevated privileges, including administrator access, by registering an account with a higher role. **Recommendations** Update to version 2.1 or later.

**Name of the Vulnerable Software and Affected Versions** Truelysell Core plugin for WordPress versions prior to 1.8.7 **Description** The Truelysell Core plugin for WordPress is subject to a privilege escalation issue. Insufficient validation of the `user role` parameter during user registration allows unauthenticated attackers to create accounts with elevated privileges, potentially including administrator access. **Recommendations** Update the Truelysell Core plugin to a version greater than 1.8.7.

**Name of the Vulnerable Software and Affected Versions** EduKart Pro plugin for WordPress versions up to and including 1.0.3 **Description** The EduKart Pro plugin for WordPress is susceptible to a privilege escalation issue. The `edukart pro register user front end` function does not adequately restrict the user roles that can be assigned during registration. This allows unauthenticated attackers to register with the 'administrator' role, gaining unauthorized administrative access to the WordPress site. **Recommendations** Versions prior to 1.0.4 should be updated. As a temporary workaround, consider disabling the `edukart pro register user front end` function until a patch is available. Monitor user roles for any unauthorized administrator accounts.

**Name of the Vulnerable Software and Affected Versions** Doccure Core plugin for WordPress versions prior to 1.5.4 **Description** The Doccure Core plugin for WordPress allows privilege escalation in versions prior to 1.5.4. This occurs because the plugin permits users creating new accounts to define their own role, specifically through the `user type` field. This enables unauthenticated attackers to obtain elevated privileges by registering an account with administrator rights. **Recommendations** Update the Doccure Core plugin to version 1.5.4 or later.

**Name of the Vulnerable Software and Affected Versions** Lisfinity Core plugin versions prior to 1.4.1 **Description** The Lisfinity Core plugin for the pebas® Lisfinity WordPress theme is susceptible to privilege escalation. This is a result of the plugin assigning the editor role by default without restricting API usage. This issue can be combined with another to gain administrator privileges. **Recommendations** Update the Lisfinity Core plugin to version 1.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** Lisfinity Core plugin for WordPress versions prior to 1.4.1 **Description** The Lisfinity Core plugin for WordPress is susceptible to privilege escalation. An authenticated attacker with Subscriber-level access or higher can modify passwords for any user, including administrators. This occurs because the plugin does not adequately verify a user’s identity before allowing password updates. The vulnerable component is the password update functionality. **Recommendations** Update the Lisfinity Core plugin to version 1.4.1 or later.

Name of the Vulnerable Software and Affected Versions: Resideo Plugin for Resideo - Real Estate WordPress Theme versions prior to 2.5.5 Description: The Resideo Plugin for Resideo - Real Estate WordPress Theme plugin for WordPress is susceptible to privilege escalation via account takeover. The plugin does not properly validate a user’s identity before allowing updates to user details, such as email addresses. This allows authenticated attackers with Subscriber-level access or higher to modify arbitrary user email addresses, including those of administrators, and subsequently reset passwords to gain account access. Recommendations: Update the Resideo Plugin for Resideo - Real Estate WordPress Theme to version 2.5.5 or later.

Name of the Vulnerable Software and Affected Versions: Real Spaces - WordPress Properties Directory Theme versions prior to 3.6 Description: The Real Spaces - WordPress Properties Directory Theme for WordPress is susceptible to privilege escalation through the `change role member` parameter during profile updates. This occurs due to insufficient restrictions on the profile update role, allowing unauthenticated attackers to arbitrarily select their role, including Administrator. Recommendations: Update Real Spaces - WordPress Properties Directory Theme to version 3.6 or later.

Name of the Vulnerable Software and Affected Versions: Real Spaces - WordPress Properties Directory Theme versions prior to 3.7 Description: The Real Spaces - WordPress Properties Directory Theme for WordPress is susceptible to privilege escalation through the `imic agent register` function. This issue stems from a lack of restrictions on the registration role, allowing unauthenticated attackers to arbitrarily select their role, including Administrator, during user registration. Recommendations: Real Spaces - WordPress Properties Directory Theme versions prior to 3.7: Upgrade to version 3.7 or later to address the unrestricted registration role issue and prevent privilege escalation. As a temporary workaround, consider restricting access to the `imic agent register` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Reveal Listing plugin for WordPress versions up to and including 3.3 **Description** The Reveal Listing plugin for WordPress allows users registering new accounts to set their own role via the `listing user role` field. This enables unauthenticated attackers to gain elevated privileges, potentially achieving site takeover, by creating an account with administrator privileges. **Recommendations** Update to a version of the Reveal Listing plugin for WordPress later than 3.3.

Name of the Vulnerable Software and Affected Versions: Opal Estate Pro – Property Management and Submission plugin for WordPress versions up to, and including, 1.7.5 Description: The issue is due to a lack of role restriction during registration in the `on regiser user` function, making it possible for unauthenticated attackers to arbitrarily choose the role, including the Administrator role, assigned when registering. Recommendations: For Opal Estate Pro – Property Management and Submission plugin for WordPress versions up to, and including, 1.7.5, consider disabling the `on regiser user` function until a patch is available to prevent privilege escalation. Restrict access to the registration process to minimize the risk of exploitation. Avoid using the registration feature in the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IMITHEMES Listing plugin versions up to, and including, 3.3 **Description** The issue is related to privilege escalation via account takeover. This is due to the plugin not properly validating a verification code value prior to updating a user's password through the `imic reset password init()` function. This makes it possible for unauthenticated attackers to change any user's passwords, including administrators, if the user's email is known. **Recommendations** For IMITHEMES Listing plugin versions up to, and including, 3.3, consider disabling the `imic reset password init()` function until a patch is available to prevent unauthenticated attackers from changing user passwords. Restrict access to password reset functionality to minimize the risk of exploitation. Avoid using the password reset feature until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Service Finder Bookings plugin for WordPress versions up to and including 5.1 **Description** The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation due to a lack of restriction on user role in the `nsl registration store extra input` function. This allows unauthenticated attackers to register an account on the site with an arbitrary role, including Administrator, when registering via a social login. The Nextend Social Login plugin must be installed and configured to exploit this issue. **Recommendations** For versions up to and including 5.1, update to a version that includes a fix for this issue. As a temporary workaround, consider disabling the `nsl registration store extra input` function until a patch is available. Restrict access to social login features to minimize the risk of exploitation. Avoid using social login for registration until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** UrbanGo Membership plugin for WordPress versions up to, and including, 1.0.4 **Description** The issue is related to privilege escalation due to the plugin allowing users who are registering new accounts to set their own role or by supplying the `user register role` field. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role. **Recommendations** For versions up to, and including, 1.0.4, consider disabling the user registration feature or restricting the `user register role` field to prevent unauthenticated attackers from gaining elevated privileges until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Vehica Core plugin for WordPress versions up to and including 1.0.97 **Description** The issue arises from the plugin not properly validating user meta fields before updating them in the database. This allows authenticated attackers with Subscriber-level access or higher to escalate their privileges to Administrator. **Recommendations** For versions up to and including 1.0.97, update to a version higher than 1.0.97 to resolve the issue.