Angelo Delicato

**Name of the Vulnerable Software and Affected Versions** Meris WordPress theme versions 1.1.2 and earlier **Description** The issue is related to Reflected Cross-Site Scripting, which occurs because the theme does not properly sanitise and escape certain parameters before outputting them back in the page. This could be exploited against high-privilege users, such as administrators. **Recommendations** For Meris WordPress theme versions 1.1.2 and earlier, consider updating to a newer version that addresses the sanitisation and escaping of parameters to prevent Reflected Cross-Site Scripting. As a temporary workaround, restrict access to sensitive pages and parameters to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SearchWP Live Ajax Search WordPress plugin versions prior to 1.6.2 **Description** The issue allows unauthenticated users to make a crafted query, disclosing private, draft, and pending post titles along with their permalinks, because it does not limit live search results to published posts only. **Recommendations** For versions prior to 1.6.2, update to version 1.6.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the live search functionality until the update is applied.