Anantshri

**Name of the Vulnerable Software and Affected Versions** prettyPhoto versions prior to 3.1.6 **Description** The issue is related to an XSS in the js/jquery.prettyPhoto.js file. **Recommendations** For versions prior to 3.1.6, update to version 3.1.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** wp-football plugin version 1.1 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via several parameters and files, including the `league` parameter to files such as "football classification.php", "football criteria.php", "templates/template default preview.php", or "templates/template worldCup preview.php"; the `f` parameter to "football-functions.php"; the `id` parameter in an "action" action to files like "football groups list.php", "football matches list.php", "football matches phase.php", or "football phases list.php"; or the `id league` parameter in a delete action to "football matches load.php". **Recommendations** For wp-football plugin version 1.1 and earlier, update to a version later than 1.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** HDW Player Plugin (hdw-player-video-player-video-gallery) version 2.4.2 **Description** The issue allows remote authenticated administrators to execute arbitrary SQL commands. This is achieved via the `id` parameter in the edit action to "wp-admin/admin.php". **Recommendations** For HDW Player Plugin (hdw-player-video-player-video-gallery) version 2.4.2, consider restricting access to the `id` parameter in the edit action to minimize the risk of exploitation. Avoid using the `id` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Last.fm Rotation (lastfm-rotation) plugin version 1.0 for WordPress **Description** The issue allows remote attackers to read arbitrary files via a .. (dot dot) in the `snode` parameter. This is a directory traversal vulnerability in the lastfm-proxy.php file. **Recommendations** For version 1.0, consider restricting access to the lastfm-proxy.php file until a patch is available. As a temporary workaround, avoid using the `snode` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** yawpp plugin version 1.2 **Description** The issue allows remote authenticated users with Contributor privileges to execute arbitrary SQL commands. This can be achieved via vectors related to admin functions.php or admin update.php. For example, the `id` parameter in the update action to "wp-admin/admin.php" is vulnerable. **Recommendations** For yawpp plugin version 1.2, consider disabling the vulnerable `id` parameter in the update action to "wp-admin/admin.php" until a patch is available. Restrict access to admin functions.php and admin update.php to minimize the risk of exploitation. Avoid using the `id` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** BookX plugin version 1.7 for WordPress **Description** A directory traversal issue exists, allowing remote attackers to read arbitrary files by using a .. (dot dot) in the `file` parameter. **Recommendations** For BookX plugin version 1.7, update to a newer version that contains a fix for this issue to prevent directory traversal attacks.

**Name of the Vulnerable Software and Affected Versions** Walk Score plugin versions 0.5.5 and earlier **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the `s` or `o` parameters in the frame-maker.php file. **Recommendations** For Walk Score plugin versions 0.5.5 and earlier, consider disabling the frame-maker.php file or restricting access to it until a patch is available. Avoid using the `s` and `o` parameters in the affected file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ZdStatistics (zdstats) plugin versions 2.0.1 and earlier **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `lang` parameter in the cal/test.php file. **Recommendations** For ZdStatistics (zdstats) plugin versions 2.0.1 and earlier, update to a version later than 2.0.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WP App Maker plugin versions 1.0.16.4 and earlier **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `uid` parameter in the asset-studio/icons-launcher.php file. **Recommendations** For WP App Maker plugin versions 1.0.16.4 and earlier, avoid using the `uid` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Appointments Scheduler plugin versions 1.5 and earlier for WordPress **Description** The issue is related to a cross-site scripting (XSS) vulnerability. It allows remote attackers to inject arbitrary web script or HTML via the `lang` parameter in the js/test.php file. **Recommendations** For Appointments Scheduler plugin versions 1.5 and earlier, update to a version later than 1.5 to resolve the issue. As a temporary workaround, consider restricting access to the js/test.php file or avoiding the use of the `lang` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** WP BlipBot plugin versions 3.0.9 and earlier **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `BlipBotID` parameter in the blipbot.ajax.php file. **Recommendations** For WP BlipBot plugin versions 3.0.9 and earlier, update to a version later than 3.0.9 to resolve the issue. As a temporary workaround, consider restricting access to the blipbot.ajax.php file to minimize the risk of exploitation. Avoid using the `BlipBotID` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** WP Consultant plugin version 1.0 and earlier **Description** A cross-site scripting issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via the `dialog id` parameter in the admin/admin show dialogs.php file. **Recommendations** For WP Consultant plugin version 1.0 and earlier, avoid using the `dialog id` parameter in the affected admin/admin show dialogs.php file until a fix is available. Consider temporarily restricting access to this file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Wikipop plugin versions 2.0 and earlier **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the `s` parameter in the js/window.php file. **Recommendations** For Wikipop plugin versions 2.0 and earlier, update to a version later than 2.0 to resolve the issue.