Arvandy

**Name of the Vulnerable Software and Affected Versions** IT Path Solutions Contact Form to Any API versions 1.1.6 and earlier **Description** The issue is related to a Missing Authorization vulnerability, which allows exploitation of incorrectly configured access control security levels. **Recommendations** For IT Path Solutions Contact Form to Any API versions 1.1.6 and earlier, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TextMe SMS versions 1.9.0 and earlier **Description** The issue is related to a Missing Authorization vulnerability, which allows exploiting incorrectly configured access control security levels. **Recommendations** For TextMe SMS versions 1.9.0 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** weDevs WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting versions 1.12.8 and earlier **Description** The issue is related to an Improper Neutralization of Special Elements used in an SQL Command, also known as SQL Injection. This allows for potential exploitation by injecting malicious SQL code. **Recommendations** For versions 1.12.8 and earlier, update to a version later than 1.12.8 to resolve the issue. At the moment, there is no information about additional mitigation measures.

**Name of the Vulnerable Software and Affected Versions** Bravo Translate versions 1.2 and earlier **Description** The issue is related to an SQL Injection vulnerability due to improper neutralization of special elements used in an SQL command. This allows for potential exploitation by injecting malicious SQL code. No information is provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For Bravo Translate versions 1.2 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Contact Form to Any API versions 1.1.2 and earlier **Description** The issue is related to an SQL Injection vulnerability due to improper neutralization of special elements used in an SQL command. This allows for SQL Injection attacks. **Recommendations** For versions 1.1.2 and earlier, update to a version that contains a fix for this issue, as using an outdated version poses a significant risk. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Creative Solutions Contact Form Generator plugin versions <= 2.5.5 **Description** The issue is related to an Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in the Creative Solutions Contact Form Generator plugin. This vulnerability exists due to inadequate protection of the web page structure, allowing a remote attacker to conduct a cross-site scripting attack. **Recommendations** For versions <= 2.5.5, update to a version greater than 2.5.5 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ERP WordPress plugin versions prior to 1.12.4 **Description** The issue concerns a SQL injection problem. It occurs because the `type` parameter in the "erp/v1/accounting/v1/people" REST API endpoint is not properly sanitized and escaped before being used in a SQL statement. This can be exploited by high-privilege users, such as admins. **Recommendations** For versions prior to 1.12.4, update to version 1.12.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the "erp/v1/accounting/v1/people" API endpoint until the update is applied.

**Name of the Vulnerable Software and Affected Versions** KiviCare WordPress plugin versions prior to 3.2.1 **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs because a parameter is not properly sanitised and escaped before being outputted back in the page. This could be exploited against high-privilege users, such as administrators. **Recommendations** For versions prior to 3.2.1, update to version 3.2.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 4.5.4 **Description** The issue concerns a Blind SQL Injection vulnerability, specifically time-based, affecting the /EditEventTypes.php endpoint through the `EN tyid` POST parameter. **Recommendations** For ChurchCRM version 4.5.4, as a temporary workaround, consider restricting access to the /EditEventTypes.php endpoint until a patch is available. Avoid using the `EN tyid` parameter in the affected endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** NotrinosERP version 0.7 **Description** The issue is a SQL injection vulnerability that can be exploited via the `OrderNumber` parameter at the "/NotrinosERP/sales/customer delivery.php" API endpoint. This allows for potential unauthorized access to database information. **Recommendations** For NotrinosERP version 0.7, as a temporary workaround, consider restricting access to the "/NotrinosERP/sales/customer delivery.php" API endpoint to minimize the risk of exploitation. Avoid using the `OrderNumber` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.