Anthony Cihan

**Name of the Vulnerable Software and Affected Versions** User Registration & Membership plugin for WordPress versions prior to 5.1.6 **Description** An issue exists where the `is admin creation process()` function relies exclusively on the presence of the `action=createuser` parameter within the `$ REQUEST` superglobal without verifying authentication or user capabilities. This allows unauthenticated attackers to bypass the administrative approval requirement during the account registration process via the fallback submission path. **Recommendations** Update the plugin to a version later than 5.1.5. As a temporary workaround, restrict access to the registration fallback submission path to minimize the risk of unauthorized account creation.

**Name of the Vulnerable Software and Affected Versions** User Registration & Membership versions prior to 5.1.5 **Description** The User Registration & Membership plugin for WordPress contains an open redirect issue. This occurs because user-supplied URLs provided through the 'redirect to on logout' GET parameter are not sufficiently validated before being processed by the `wp redirect()` function. Although `esc url raw()` is used to sanitize malformed URLs, it fails to restrict the destination to the local domain. This allows an attacker to create a link that redirects users to external malicious websites after they log out, which can be used to facilitate phishing attacks. **Recommendations** Update the plugin to a version later than 5.1.4. As a temporary workaround, restrict access to the 'redirect to on logout' parameter until the update is applied.

Name of the Vulnerable Software and Affected Versions Gravity Forms plugin for WordPress versions up to and including 2.9.30 Description The Gravity Forms plugin for WordPress is susceptible to Reflected Cross-Site Scripting through the `form ids` parameter within the `gform get config` AJAX action. This occurs because the `GFCommon::send json()` method outputs JSON-encoded data wrapped in HTML comment delimiters using `echo` and `wp die()`, resulting in a `Content-Type: text/html` header instead of `application/json`. The `wp json encode()` function does not HTML-encode angle brackets within JSON string values, enabling the injection and execution of HTML/script tags in `form ids` array values by the browser. The `config nonce` is publicly embedded on every page that renders a Gravity Forms form, making it identical for all unauthenticated visitors within the same 12-hour nonce tick. This allows unauthenticated attackers to inject arbitrary web scripts into pages that execute if they can trick a user into performing an action. This issue does not affect authenticated users. Recommendations For versions up to and including 2.9.30, ensure proper input sanitization and output encoding for the `form ids` parameter in the `gform get config` AJAX action. Verify that the `Content-Type` header is set to `application/json` when returning JSON data. Consider implementing stricter nonce validation or rotating nonces more frequently.