Ananda Dhakal

**Name of the Vulnerable Software and Affected Versions** GetPaid versions prior to 2.8.50 **Description** An issue in Stiofan GetPaid involves the insertion of sensitive information into sent data, which allows for the retrieval of embedded sensitive data. **Recommendations** Update to a version newer than 2.8.49.

**Name of the Vulnerable Software and Affected Versions** Templately versions prior to 3.6.2 **Description** An issue in WPDeveloper Templately involves the insertion of sensitive information into sent data, which allows for the retrieval of embedded sensitive data. **Recommendations** Update to a version newer than 3.6.1.

**Name of the Vulnerable Software and Affected Versions** Userpro versions prior to 5.1.11 **Description** A Cross-Site Request Forgery (CSRF) flaw in DeluxeThemes Userpro allows an attacker to induce a user to perform actions they did not intend to. CSRF is a technique where a malicious site tricks a user's browser into sending an unauthorized request to a web application where the user is authenticated. **Recommendations** Update to version 5.1.11.

**Name of the Vulnerable Software and Affected Versions** TieLabs Jannah versions through 7.6.3 **Description** The software contains an improper control of filename handling for include/require statements, leading to a PHP Local File Inclusion issue. This allows for the inclusion of local PHP files. **Recommendations** Update to a version later than 7.6.3.

**Name of the Vulnerable Software and Affected Versions** UpSolution Core versions through 8.41 **Description** The software contains a flaw due to improper neutralization of input during web page generation, leading to a Reflected Cross-Site Scripting (XSS) condition. This allows for the execution of malicious scripts within the context of a user's browser. The vulnerability exists in UpSolution Core. **Recommendations** Update to a version later than 8.41.

**Name of the Vulnerable Software and Affected Versions** Flatsome versions through 3.19.6 **Description** An authorization issue exists in UX-themes Flatsome, allowing exploitation of incorrectly configured access control security levels. **Recommendations** Update Flatsome to a version newer than 3.19.6.

**Name of the Vulnerable Software and Affected Versions** Astoundify Listify versions through 3.2.5 **Description** A flaw exists in Astoundify Listify that allows for Reflected Cross-site Scripting (XSS). This issue is due to improper neutralization of input during web page generation. The vulnerability could potentially allow an attacker to inject malicious scripts into web pages viewed by other users. The affected component is not specified. **Recommendations** Update Astoundify Listify to a version later than 3.2.5.

**Name of the Vulnerable Software and Affected Versions** WpEstate Wpresidence Core versions through 5.4.0 **Description** The software contains a flaw due to improper neutralization of input during web page generation, leading to a Cross-site Scripting (XSS) issue. This specific instance allows for Stored XSS attacks. The issue affects the `wpresidence-core` component. **Recommendations** Update WpEstate Wpresidence Core to a version newer than 5.4.0.

**Name of the Vulnerable Software and Affected Versions** sizam REHub Framework versions prior to 19.9.9.4 **Description** A flaw exists in the sizam REHub Framework, specifically in the rehub-framework component, that allows for the retrieval of embedded sensitive data. This results in the exposure of sensitive system information to an unauthorized control sphere. **Recommendations** Update to version 19.9.9.4 or later.

**Name of the Vulnerable Software and Affected Versions** ThimPress Thim Core versions through 2.3.3 **Description** A Cross-Site Request Forgery (CSRF) issue exists in ThimPress Thim Core. This allows attackers to potentially perform actions on behalf of authenticated users without their knowledge. **Recommendations** Update ThimPress Thim Core to a version later than 2.3.3.

**Name of the Vulnerable Software and Affected Versions** DeluxeThemes Userpro versions through 5.1.9 **Description** A missing authorization issue exists in DeluxeThemes Userpro, allowing exploitation due to incorrectly configured access control security levels. **Recommendations** Update DeluxeThemes Userpro to a version newer than 5.1.9.

**Name of the Vulnerable Software and Affected Versions** miniOrange's Google Authenticator versions through 6.1.1 **Description** The software contains a missing authorization issue related to incorrectly configured access control security levels. This allows for exploitation of the system. **Recommendations** Update miniOrange's Google Authenticator to a version later than 6.1.1.

**Name of the Vulnerable Software and Affected Versions** Astoundify Listify versions through 3.2.5 **Description** A Cross-Site Request Forgery (CSRF) issue exists in Astoundify Listify, potentially allowing attackers to perform actions on behalf of authenticated users without their knowledge. This occurs because the application does not adequately protect against forged requests originating from malicious websites. **Recommendations** Versions prior to 3.2.5 are affected.

Cross-Site Request Forgery (CSRF) vulnerability in hogash KALLYAS kallyas allows Cross Site Request Forgery.This issue affects KALLYAS: from n/a through < 4.25.0.

**Name of the Vulnerable Software and Affected Versions** JNews Paywall versions prior to 12.0.1 **Description** A Cross-Site Request Forgery (CSRF) issue exists in JNews Paywall. This allows attackers to perform actions on behalf of an authenticated user without their knowledge. **Recommendations** Update JNews Paywall to version 12.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** sizam Rehub rehub-theme versions through 19.9.9.1 **Description** A flaw exists in sizam Rehub rehub-theme that allows the retrieval of embedded sensitive data, leading to exposure of sensitive system information to an unauthorized control sphere. **Recommendations** Update to a version newer than 19.9.9.1.

**Name of the Vulnerable Software and Affected Versions** jegtheme JNews Gallery versions prior to 12.0.1 **Description** The JNews Gallery software contains a flaw related to improper input handling during web page creation, which allows for Stored Cross-site Scripting (XSS). This means an attacker could inject malicious scripts into web pages viewed by other users. The affected component is the jnews-gallery. **Recommendations** Update jegtheme JNews Gallery to version 12.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** Icegram Email Subscribers & Newsletters versions through 5.9.10 **Description** A flaw exists in Icegram Email Subscribers & Newsletters related to the deserialization of untrusted data, which can lead to object injection. This issue impacts the `email-subscribers` component. **Recommendations** Update Icegram Email Subscribers & Newsletters to a version later than 5.9.10.

Unrestricted Upload of File with Dangerous Type vulnerability in Rometheme RTMKit rometheme-for-elementor.This issue affects RTMKit: from n/a through <= 1.6.5.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Laborator Kalium kalium allows Reflected XSS.This issue affects Kalium: from n/a through <= 3.18.3.