Amrawad

**Name of the Vulnerable Software and Affected Versions** MWB HubSpot for WooCommerce – CRM, Abandoned Cart, Email Marketing, Marketing Automation & Analytics plugin for WordPress versions up to, and including, 1.5.9 **Description** The issue concerns unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the `hubwoo save updates()` function. This allows authenticated attackers, with Contributor-level access and above, to update arbitrary options on the WordPress site, potentially updating the default role for registration to administrator and enabling user registration for attackers to gain administrative user access to a vulnerable site. **Recommendations** For versions up to, and including, 1.5.9, update to a version higher than 1.5.9 to resolve the issue. As a temporary workaround, consider restricting access to the `hubwoo save updates()` function until a patch is available. Additionally, restrict user registration and ensure that only trusted users have Contributor-level access or above to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Flexmls® IDX Plugin versions up to, and including, 3.14.26 **Description** The issue is related to Stored Cross-Site Scripting via the `api key` and `api secret` parameters due to insufficient input sanitization and output escaping. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 3.14.26, update to a version later than 3.14.26 to fully resolve the issue, as version 3.14.25 only partially patches the vulnerability. As a temporary workaround, consider restricting access to the `api key` and `api secret` parameters to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress versions up to, and including, 13.2 **Description** The issue is related to insufficient file type validation in the `upload file()` function, which allows authenticated attackers with Subscriber-level access and above to upload files on the affected site's server. This may make remote code execution possible and is confirmed to make Cross-Site Scripting possible. **Recommendations** For versions up to, and including, 13.2, update to a version that includes a fix for the insufficient file type validation in the `upload file()` function. As a temporary workaround, consider disabling the `upload file()` function until a patch is available. Restrict access to the file upload feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Post Grid Master plugin for WordPress versions up to, and including, 3.4.12 **Description** The issue allows unauthenticated attackers to include and execute arbitrary files on the server, enabling the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. The file included must have a .php extension. The `locate template` function is vulnerable to Local File Inclusion. **Recommendations** For versions up to, and including, 3.4.12, update to a version later than 3.4.12 to resolve the issue. As a temporary workaround, consider restricting access to the `locate template` function until a patch is available. Avoid using the `locate template` function to include files with a .php extension in the affected plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** SMS Alert Order Notifications – WooCommerce plugin for WordPress versions up to, and including, 3.7.6 **Description** The issue concerns unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the `updateWcWarrantySettings()` function. This allows authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site, potentially updating the default role for registration to administrator and enabling user registration for attackers to gain administrative user access. The exploitation requires the woocommerce-warranty plugin to be installed. **Recommendations** For versions up to, and including, 3.7.6, consider disabling the `updateWcWarrantySettings()` function until a patch is available to prevent unauthorized modification of data. As a temporary workaround, restrict access to the woocommerce-warranty plugin to minimize the risk of exploitation. Avoid using the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Accessibility by AllAccessible plugin for WordPress versions up to, and including, 1.3.4 **Description** The Accessibility by AllAccessible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the `AllAccessible save settings` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. **Recommendations** For versions up to, and including, 1.3.4, update to a version that includes a fix for this issue. As a temporary workaround, consider disabling the `AllAccessible save settings` function until a patch is available. Restrict access to the WordPress site to minimize the risk of exploitation. Avoid using the Accessibility by AllAccessible plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Product Input Fields for WooCommerce plugin for WordPress versions up to, and including, 1.9 **Description** The issue allows authenticated attackers with Contributor-level access and above to read the contents of arbitrary files on the server, potentially containing sensitive information, due to insufficient file path validation/sanitization in the `handle downloads()` function. **Recommendations** For versions up to, and including, 1.9, consider disabling the `handle downloads()` function as a temporary workaround until a patch is available. Restrict access to sensitive files on the server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Tutor LMS plugin for WordPress versions up to, and including, 2.7.6 **Description** The issue is due to a missing check for the `users can register` option in the `register instructor` function, allowing unauthenticated attackers to register as the default role on the site, even if registration is disabled. **Recommendations** For versions up to, and including, 2.7.6, consider disabling the `register instructor` function until a patch is available to prevent unauthorized user registration. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress versions up to, and including, 5.9.3.6 **Description** The issue is related to a missing capability check on the `pm remove file attachment()` function, allowing authenticated attackers with subscriber-level access and above to delete arbitrary user meta. This can potentially deny an administrator's access to their site. **Recommendations** For versions up to, and including, 5.9.3.6, consider disabling the `pm remove file attachment()` function until a patch is available to prevent unauthorized modification of data. Restrict access to user meta to minimize the risk of exploitation. Avoid using the affected function to delete file attachments until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Tainacan plugin for WordPress versions up to, and including, 0.21.7 **Description** The issue is related to a missing capability check on the `get file` function, which is also vulnerable to directory traversal. This allows authenticated attackers with Subscriber-level access and above to read the contents of arbitrary files on the server, potentially containing sensitive information. **Recommendations** For versions up to, and including, 0.21.7, consider disabling the `get file` function until a patch is available to prevent unauthorized access and directory traversal attacks. Restrict access to sensitive files on the server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WP Mobile Menu plugin for WordPress versions up to, and including, 2.8.4.4 **Description** The issue allows unauthorized modification of data due to a missing capability check on the `save menu item icon` function. This makes it possible for unauthenticated attackers to add the ` mobmenu icon` post meta to arbitrary posts with an arbitrary (but sanitized) value. **Recommendations** For versions up to, and including, 2.8.4.4, consider updating to a version that fully addresses this issue, as version 2.8.4.4 only contains a partial fix. As a temporary workaround, consider disabling the `save menu item icon` function until a fully patched version is available.

**Name of the Vulnerable Software and Affected Versions** The Wallet for WooCommerce plugin for WordPress versions up to, and including, 1.5.4 **Description** The issue allows authenticated attackers with Subscriber-level access and above to perform SQL Injection via the `search[value]` parameter due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This enables attackers to append additional SQL queries into already existing queries, potentially extracting sensitive information from the database. **Recommendations** For versions up to, and including, 1.5.4, update to a version that includes a fix for this issue to prevent SQL Injection attacks. As a temporary workaround, consider restricting access to the `search[value]` parameter in the affected API endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** InPost for WooCommerce plugin versions 1.4.0 and earlier InPost PL plugin for WordPress versions 1.4.4 and earlier **Description** The issue is related to a missing capability check on the `parse request` function, allowing unauthorized access and deletion of data. This makes it possible for unauthenticated attackers to read and delete arbitrary files on Windows servers, while on Linux servers, only files within the WordPress install will be deleted, but all files can be read. Over 10,000 WordPress sites are at risk due to this critical file deletion flaw. **Recommendations** For InPost for WooCommerce plugin versions 1.4.0 and earlier, update to version 1.4.5 or later. For InPost PL plugin for WordPress versions 1.4.4 and earlier, update to a version later than 1.4.4. As a temporary workaround, consider disabling the `parse request` function until a patch is available. Restrict access to sensitive files and directories to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress versions up to, and including, 2.4.9 **Description** The issue is related to a missing capability check on the `tag subscriber` function, allowing unauthenticated attackers to subscribe users to tags. This could lead to financial damages for site owners if their API quota is exceeded due to unauthorized modifications. **Recommendations** For versions up to, and including, 2.4.9, update to a version higher than 2.4.9 to resolve the issue. As a temporary workaround, consider disabling the `tag subscriber` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress versions up to, and including, 7.4.1 **Description** The issue allows authenticated attackers with subscriber-level access and above to extract sensitive information from the database due to insufficient escaping on the user supplied `b2sSortPostType` parameter and lack of sufficient preparation on the existing SQL query. This enables attackers to append additional SQL queries into already existing queries. **Recommendations** For versions up to, and including, 7.4.1, consider restricting access to the `b2sSortPostType` parameter to minimize the risk of exploitation until a patch is available. As a temporary workaround, limiting subscriber-level access and above may also help reduce the attack surface.

**Name of the Vulnerable Software and Affected Versions** Advanced Contact form 7 DB plugin for WordPress versions up to, and including, 2.0.2 **Description** The issue allows unauthorized access to data due to a missing capability check on the `vsz cf7 export to excel` function. This makes it possible for unauthenticated attackers to download the entry data for submitted forms. **Recommendations** For versions up to, and including, 2.0.2, consider disabling the `vsz cf7 export to excel` function until a patch is available to prevent unauthorized access to form entry data.

**Name of the Vulnerable Software and Affected Versions** CF7 Google Sheets Connector plugin for WordPress versions up to, and including, 5.0.9 **Description** The issue is related to a missing capability check on the `execute post data cg7 free` function, allowing unauthenticated attackers to modify data. This makes it possible for attackers to toggle site configuration settings, including `WP DEBUG`, `WP DEBUG LOG`, `SCRIPT DEBUG`, and `SAVEQUERIES`. **Recommendations** For CF7 Google Sheets Connector plugin for WordPress versions up to, and including, 5.0.9, update to a version higher than 5.0.9 to resolve the issue. As a temporary workaround, consider disabling the `execute post data cg7 free` function until a patch is available. Restrict access to site configuration settings to minimize the risk of exploitation. Avoid using the vulnerable function in unauthenticated contexts until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Login/Signup Popup ( Inline Form + Woocommerce ) plugin for WordPress versions 2.7.1 through 2.7.2 **Description** The issue is related to a missing capability check on the `import settings` function, allowing authenticated attackers with Subscriber-level access and above to modify arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator. **Recommendations** For versions 2.7.1 through 2.7.2, update to a version that includes a fix for the missing capability check on the `import settings` function. As a temporary workaround, consider disabling the `import settings` function until a patch is available. Restrict access to the plugin's settings to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GP Premium plugin for WordPress versions up to, and including, 2.4.0 **Description** The issue is related to Reflected Cross-Site Scripting via the `message` parameter due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. **Recommendations** For GP Premium plugin for WordPress versions up to, and including, 2.4.0, update to a version later than 2.4.0 to resolve the issue. As a temporary workaround, consider restricting the use of the `message` parameter to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Email Subscribers by Icegram Express plugin for WordPress versions up to, and including, 5.7.20 Description: The issue is related to insufficient escaping on the user-supplied `hash` parameter and lack of sufficient preparation on the existing SQL query, making it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. With over 90,000 active installations, the potential impact of this bug is significant. Recommendations: For versions up to, and including, 5.7.20, update to a version that includes a fix for this issue. As a temporary workaround, consider restricting access to the `hash` parameter to minimize the risk of exploitation. Avoid using the `hash` parameter in existing SQL queries until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.