Angus Girvan

**Name of the Vulnerable Software and Affected Versions** Loco Translate versions prior to 2.8.3 **Description** The Loco Translate plugin for WordPress contains a path traversal flaw. Authenticated attackers with Translator-level access or higher (requiring the `loco admin` capability) can read arbitrary `.php`, `.js`, `.json`, and `.twig` files from the server filesystem, excluding `wp-config.php`. This occurs because the `findSourceFile()` function fails to validate that the resolved path remains within the intended directory when processing the `ref` variable via the 'fsReference' AJAX route, allowing the use of `../` sequences to access files outside the translation directory. **Recommendations** Update the plugin to a version later than 2.8.2. As a temporary workaround, restrict access to the 'fsReference' AJAX route or limit users with the `loco admin` capability.

**Name of the Vulnerable Software and Affected Versions** WP Customer Area versions prior to 8.3.5 **Description** Insufficient file path validation in the `ajax attach file()` function allows authenticated attackers with roles granted by an administrator, such as Subscriber, to read or delete arbitrary files on the server. Reading files may expose sensitive information, while deleting files, such as 'wp-config.php', can lead to remote code execution. **Recommendations** Update to a version newer than 8.3.4. As a temporary workaround, restrict access to the `ajax attach file()` function until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Elementor Website Builder versions prior to 3.35.8 **Description** The Elementor Website Builder plugin for WordPress is susceptible to a flaw that allows unauthorized access to sensitive information. This is caused by a permission check error in the `is allowed to read template()` function, which incorrectly allows reading of non-published templates without proper edit capability verification. Authenticated attackers with contributor-level access or higher can read private or draft Elementor template content by manipulating the `template id` parameter within the `get template data` action of the `elementor ajax` endpoint. **Recommendations** Update Elementor Website Builder to version 3.35.8 or later.

**Name of the Vulnerable Software and Affected Versions** WP DSGVO Tools (GDPR) plugin for WordPress versions through 3.1.38 **Description** The WP DSGVO Tools (GDPR) plugin for WordPress is susceptible to unauthorized account destruction. The `super-unsubscribe` AJAX action allows unauthenticated users to bypass the email-confirmation process and immediately trigger irreversible account anonymization by submitting a victim's email address with the `process now` parameter set to 1. This results in password randomization, username/email overwriting, role stripping, comment anonymization, and the wiping of sensitive user metadata. The required nonce for the request is publicly available on any page containing the `[unsubscribe form]` shortcode. The vulnerable parameter is `process now`. The affected API endpoint is the `super-unsubscribe` AJAX action. **Recommendations** Update to version 3.1.39 or later.

**Name of the Vulnerable Software and Affected Versions** Restrict Content versions prior to 3.2.21 **Description** The Restrict Content plugin for WordPress has a flaw that allows unauthorized privilege escalation. The `rcp setup registration init()` function improperly handles the `rcp level` POST parameter, failing to verify membership level activity or payment requirements. This, combined with the `add user role()` method, enables attackers to register with any membership level, potentially gaining privileged WordPress roles like Administrator, or triggering charges for paid levels. A partial fix was implemented in version 3.2.18, but the issue persisted up to and including version 3.2.20. **Recommendations** Update to version 3.2.21 or later.

**Name of the Vulnerable Software and Affected Versions** weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress versions through 2.0.7 **Description** The weMail plugin for WordPress is affected by a flaw allowing unauthorized deletion of forms. The `Forms::permission()` function inadequately validates the `X-WP-Nonce` header, failing to verify user capabilities. The REST nonce is accessible to unauthenticated visitors through the `weMail` JavaScript object on pages containing weMail forms. This allows any unauthenticated user to permanently delete all weMail forms by obtaining the nonce from the page source and sending a DELETE request to the forms endpoint: `/wp-json/wemail/v1/forms`. The vulnerable parameter is the `X-WP-Nonce` header. **Recommendations** Update to a version of the weMail plugin later than 2.0.7.

**Name of the Vulnerable Software and Affected Versions** The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress versions through 21.0.9 **Description** The Shield Security plugin for WordPress is susceptible to unauthorized data modification. A missing capability check on the `MfaEmailDisable` action allows authenticated attackers with Subscriber-level access or higher to disable the global Email 2FA setting for the entire site. **Recommendations** Update The Shield Security plugin to a version later than 21.0.9.

**Name of the Vulnerable Software and Affected Versions** Zarinpal Gateway for WooCommerce plugin versions prior to 5.0.17 **Description** The Zarinpal Gateway for WooCommerce plugin for WordPress has an issue with Improper Access Control to Payment Status Update. The payment callback handler `Return from ZarinPal Gateway` does not properly validate the authority token provided in the callback URL, ensuring it belongs to the specific order being marked as paid. This allows unauthenticated attackers to mark orders as paid without completing a legitimate payment by reusing a valid authority token from a different transaction of the same amount. **Recommendations** Update the Zarinpal Gateway for WooCommerce plugin to version 5.0.17 or later.

**Name of the Vulnerable Software and Affected Versions** Super Page Cache versions prior to 5.2.3 **Description** The Super Page Cache plugin for WordPress is susceptible to Stored Cross-Site Scripting through the Activity Log. Insufficient input sanitization and output escaping allows unauthenticated attackers to inject arbitrary web scripts into pages. When a user accesses an injected page, the script will execute. **Recommendations** Update Super Page Cache to version 5.2.3 or later.

**Name of the Vulnerable Software and Affected Versions** Ajax Load More – Infinite Scroll, Load More, & Lazy Load plugin for WordPress versions through 7.8.1 **Description** The Ajax Load More plugin for WordPress has a flaw where data access isn’t properly controlled. Specifically, the `parse custom args()` function lacks correct authorization checks. This allows attackers who haven’t logged in to view titles and excerpts of posts that are private, drafts, pending publication, scheduled, or in the trash. **Recommendations** Update to a version newer than 7.8.1.

**Name of the Vulnerable Software and Affected Versions** Dokan versions up to and including 4.2.4 **Description** The Dokan plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. This flaw stems from a lack of validation on a user-controlled key within the `/wp-json/dokan/v1/settings` API endpoint. Authenticated attackers possessing customer-level permissions or higher can potentially read or modify store settings belonging to other vendors. This includes sensitive data such as PayPal email addresses, bank account details, routing numbers, IBANs, SWIFT codes, phone numbers, and addresses. Exploitation could allow attackers to redirect marketplace payouts to accounts they control, resulting in financial theft. The vulnerable parameter is a user-controlled key. **Recommendations** Update Dokan to a version beyond 4.2.4.

**Name of the Vulnerable Software and Affected Versions** weMail versions prior to 2.0.8 **Description** The weMail plugin for WordPress has a flaw where the REST API relies on the `x-wemail-user` HTTP header for user identification without confirming a valid WordPress session. This allows unauthenticated attackers, who can determine an administrator's email address (through the `/wp-json/wp/v2/users` endpoint), to act as that user. Successful exploitation grants access to CSV subscriber endpoints, potentially leading to the theft of Personally Identifiable Information (PII) like emails, names, and phone numbers from imported CSV files. **Recommendations** Update weMail to version 2.0.8 or later.

**Name of the Vulnerable Software and Affected Versions** Awesome Support - WordPress HelpDesk & Support Plugin versions prior to 6.3.7 **Description** The Awesome Support plugin for WordPress is affected by an authorization bypass. This is due to insufficient capability checks within the `wpas do mr activate user` function, which does not properly verify user permissions when modifying roles. A nonce reuse issue exists where nonces intended for public registration are also valid for privileged actions because all actions share the same nonce namespace. An unauthenticated attacker can exploit this by submitting a request to the 'wpas-do=mr activate user' action with a user-controlled `user id` parameter, provided they have access to a valid nonce from the public registration or submit ticket page. This allows them to demote administrators to lower-privilege roles. **Recommendations** Update to version 6.3.7 or later.

**Name of the Vulnerable Software and Affected Versions** Booking Calendar versions prior to 10.14.12 **Description** The Booking Calendar plugin for WordPress is susceptible to an authorization issue that can lead to the disclosure of sensitive information. Attackers with Subscriber-level access or higher can view all booking records in the database. This includes personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, payment status, booking costs, and booking hashes belonging to other users. **Recommendations** Update to version 10.14.12 or later.

**Name of the Vulnerable Software and Affected Versions** MailerLite - WooCommerce integration plugin for WordPress versions up to and including 3.1.3 **Description** The MailerLite - WooCommerce integration plugin for WordPress is susceptible to unauthorized data modification and deletion. This is caused by a lack of appropriate capability checks within the `resetIntegration()` function. Authenticated attackers possessing Subscriber-level access or higher can reset the plugin’s integration settings, delete all plugin options, and remove the plugin’s database tables (`woo mailerlite carts` and `woo mailerlite jobs`). This can lead to a complete loss of plugin data, including customer abandoned cart information and synchronization job history. **Recommendations** Update the MailerLite - WooCommerce integration plugin to version 3.1.4 or later.

**Name of the Vulnerable Software and Affected Versions** Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress versions up to and including 1.3.9.2 **Description** The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is susceptible to unauthorized modification of data. This is due to a missing ownership check within the `dnd codedropz upload delete()` function. This allows unauthenticated attackers to delete arbitrary uploaded files when the "Send attachments as links" setting is enabled. **Recommendations** Update to a version beyond 1.3.9.2.

**Name of the Vulnerable Software and Affected Versions** WP-Members Membership Plugin versions up to and including 3.5.4.3 **Description** The WP-Members Membership Plugin for WordPress is susceptible to Stored Cross-Site Scripting through the Multiple Checkbox and Multiple Select user profile fields. Insufficient input sanitization and output escaping allow authenticated attackers with Subscriber-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. **Recommendations** Update WP-Members Membership Plugin to a version later than 3.5.4.3.

**Name of the Vulnerable Software and Affected Versions** Simply Schedule Appointments Booking Plugin for WordPress versions prior to 1.6.9.9 **Description** The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress is susceptible to a blind SQL injection issue. This is due to inadequate escaping of user-supplied parameters and insufficient preparation of existing SQL queries. Specifically, the `order` and `append where sql` parameters are vulnerable. This allows unauthenticated attackers to append additional SQL queries to existing queries, potentially extracting sensitive information from the database. **Recommendations** Update to a version newer than 1.6.9.9

**Name of the Vulnerable Software and Affected Versions** Brevo for WooCommerce versions up to and including 4.0.49 **Description** The Brevo for WooCommerce plugin for WordPress is susceptible to Stored Cross-Site Scripting through the `user connection id` parameter. Insufficient input sanitization and output escaping allow unauthenticated attackers to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. **Recommendations** Update Brevo for WooCommerce to a version later than 4.0.49.

**Name of the Vulnerable Software and Affected Versions** Customer Reviews for WooCommerce plugin for WordPress versions prior to 5.93.2 **Description** The Customer Reviews for WooCommerce plugin for WordPress is susceptible to Stored Cross-Site Scripting through the `displayName` parameter. Insufficient input sanitization and output escaping allows authenticated attackers with customer-level access or higher to inject arbitrary web scripts into pages. These scripts execute when a user accesses the injected page. While invoking the AJAX action typically requires authentication, an attacker could potentially bypass this requirement if guest checkout is enabled and a valid form ID is obtained through placing an order. **Recommendations** Update the Customer Reviews for WooCommerce plugin to version 5.93.2 or later.