Athiwat Tiprasaharn

The Slideshow Gallery LITE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alwaysauto' shortcode attribute in all versions up to, and including, 1.8.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

**Name of the Vulnerable Software and Affected Versions** Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress versions prior to 2.1.0 **Description** Insufficient input sanitization and output escaping in the Anchor block allow authenticated attackers with contributor-level access or higher to perform Stored Cross-Site Scripting. This enables the injection of arbitrary web scripts into pages, which execute when a user visits the affected page. **Recommendations** Update the plugin to a version later than 2.0.9.

**Name of the Vulnerable Software and Affected Versions** Recipe Card Blocks Lite versions prior to 3.4.14 **Description** The Recipe Card Blocks Lite plugin for WordPress contains a Stored Cross-Site Scripting issue. The `WPZOOM Helpers::deserialize block attributes()` function converts unicode-encoded sequences back into HTML characters after sanitization is performed. This allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts through the `summary` and `notes` attributes of the recipe block. These scripts execute when a user views the published post or the print view of the affected recipe. **Recommendations** Update the plugin to a version later than 3.4.13.

**Name of the Vulnerable Software and Affected Versions** Master Addons For Elementor versions prior to 3.1.1 **Description** The plugin is subject to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. Authenticated attackers with author-level access or higher can inject arbitrary web scripts into pages. This is achieved by bypassing UI-level restrictions and sending a crafted POST request to the endpoint "admin-ajax.php?action=elementor ajax" to manipulate the `jtlma custom js` page setting. The scripts execute whenever a user visits the affected page. **Recommendations** Update the plugin to a version later than 3.1.0. As a temporary mitigation, restrict author-level users from making POST requests to the "admin-ajax.php?action=elementor ajax" endpoint.

**Name of the Vulnerable Software and Affected Versions** GutenBee – Gutenberg Blocks versions prior to 2.20.2 **Description** The plugin is subject to arbitrary file upload due to a flawed substring check in the `gutenbee file and ext json()` function. The `strpos()` function only verifies if the filename contains the string '.json' instead of ensuring the file ends with that extension. This allows authenticated attackers with author-level access or higher to bypass validation using double-extension filenames, such as 'shell.json.php', to upload executable files and achieve remote code execution. **Recommendations** Update to a version newer than 2.20.1.

**Name of the Vulnerable Software and Affected Versions** Style Kits – Advanced Theme Styles for Elementor, Elementor Kits & Elementor Patterns versions prior to 2.5.1 **Description** The plugin for WordPress is subject to Stored Cross-Site Scripting, a condition where malicious scripts are permanently stored on the target server. The issue exists in the '/wp-json/agwp/v1/tokens/save' endpoint within the kit title parameter due to insufficient input sanitization and output escaping in an admin attribute context. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages, which then execute when a user accesses the affected page. **Recommendations** Update to a version later than 2.5.0. Avoid using the kit title parameter in the '/wp-json/agwp/v1/tokens/save' endpoint until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Draft List plugin for WordPress versions prior to 2.6.4 **Description** Insufficient input sanitization and output escaping allow authenticated attackers with author-level access or higher to perform Stored Cross-Site Scripting. This occurs when arbitrary web scripts are injected into draft post titles using attribute-breakout techniques. These scripts execute when a user accesses the affected page, specifically when the viewing user does not have edit capabilities, impacting unauthenticated users and subscribers. **Recommendations** Update the plugin to a version later than 2.6.3.

**Name of the Vulnerable Software and Affected Versions** Quick Playground versions prior to 1.3.4 **Description** The Quick Playground plugin for WordPress contains a path traversal flaw. This occurs because the `qckply zip theme()` function fails to properly validate the `stylesheet` parameter, which is appended to the theme root directory path without sanitizing directory traversal sequences. Consequently, unauthenticated attackers can trigger the creation of a ZIP archive containing arbitrary files from the server's filesystem, such as the `wp-config` file. **Recommendations** Update the plugin to a version later than 1.3.3. As a temporary workaround, restrict access to the `qckply zip theme()` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Envira Gallery Lite versions prior to 1.12.5 **Description** Stored Cross-Site Scripting is possible via the REST API due to insufficient input sanitization in the `update gallery data()` function and improper output escaping in the `gallery init()` function. Specifically, the `sanitize config values()` function fails to sanitize the `arrows` parameter, only processing `justified gallery theme` and `justified row height`. When the `arrows` value is output in the inline JavaScript configuration, the use of `esc attr()`—which is intended for HTML attributes rather than JavaScript contexts—allows for JavaScript expression injection. Authenticated attackers with Author-level access or higher can inject arbitrary web scripts that execute when a user visits the affected page. **Recommendations** Update to a version later than 1.12.4. As a temporary workaround, restrict access to the REST API or limit user permissions to prevent users with Author-level access from modifying gallery data.

**Name of the Vulnerable Software and Affected Versions** Essential Addons for Elementor versions prior to 6.5.14 **Description** Insufficient role validation in the `register user()` function allows authenticated attackers with author level access or higher to create new user accounts with elevated privileges, such as editor. The issue occurs because the function only blocks the 'administrator' role from being assigned. **Recommendations** Update to a version later than 6.5.13. As a temporary workaround, restrict access to the `register user()` function to minimize the risk of privilege escalation.

**Name of the Vulnerable Software and Affected Versions** LifePress versions prior to 2.2.3 **Description** The LifePress plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs because the `wp ajax nopriv lp update mds` function is registered without capability checks or nonce verification (a unique token used to prevent cross-site request forgery), and fails to properly sanitize input and escape output when rendering the series name in the admin settings page. Unauthenticated attackers can exploit this by sending arbitrary web scripts through the 'n' parameter of the 'lp update mds' AJAX action, which then execute when a user visits the affected page. **Recommendations** Update the plugin to a version later than 2.2.2. As a temporary workaround, restrict access to the 'lp update mds' AJAX action or the 'n' parameter until the update is applied.

The GWD Connect plugin for WordPress is vulnerable to missing authorization to limited code execution in all versions up to, and including, 2.9. This is due to the plugin's standalone agent endpoints (gwd-backup.php and gwd-logs.php) not verifying authentication when the API key has not been configured, which is the default state. This makes it possible for unauthenticated attackers - on unregistered installations only, in certain environments - to execute arbitrary code on the server via the update agent action, which writes attacker-supplied PHP code to the agent file.

**Name of the Vulnerable Software and Affected Versions** Sky Addons versions prior to 3.3.3 **Description** The Sky Addons plugin for WordPress allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts. This occurs because the `sky-custom-scripts` custom post type is registered with `capability type => 'post'` and `show in rest => true`, while the `sky script content` meta field lacks sufficient input sanitization and output escaping during frontend rendering. These scripts are executed on every frontend page for all site visitors via the REST API. **Recommendations** Update the plugin to a version later than 3.3.2. As a temporary workaround, restrict access to the REST API or limit user permissions to prevent Author-level users from modifying the `sky script content` meta field.

**Name of the Vulnerable Software and Affected Versions** Appointment Booking Calendar versions prior to 1.6.10.7 **Description** Flawed authorization logic in the `nonce permissions check()` method, combined with the public exposure of a site-wide reusable nonce, allows unauthenticated attackers to view, delete, or modify any appointment. The plugin exposes a `public nonce` value through the '/wp-json/ssa/v1/embed-inner' endpoint. The appointment deletion endpoints '/wp-json/ssa/v1/appointments/{id}/delete' and '/wp-json/ssa/v1/appointments/bulk' accept requests containing an `X-WP-Nonce` header and an `X-PUBLIC-Nonce` header. If the `X-WP-Nonce` validation fails, the system falls back to validating the `X-PUBLIC-Nonce` without properly rejecting the request. Because the `public nonce` is accessible to all visitors and is not user-specific, it can be used to access the `public edit url` or delete appointments by ID, leading to sensitive data disclosure and loss of booking records. **Recommendations** Update to a version later than 1.6.10.6.

**Name of the Vulnerable Software and Affected Versions** Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem versions prior to 3.5.4 **Description** Insufficient input sanitization and output escaping allow authenticated attackers with contributor-level access or higher to perform Stored Cross-Site Scripting. This is achieved by injecting arbitrary web scripts through the `separatorIconSVG` parameter, which execute when a user visits the affected page. **Recommendations** Update to a version newer than 3.5.3. Avoid using the `separatorIconSVG` parameter until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Maxi Blocks versions prior to 2.2.0 **Description** The Maxi Blocks plugin for WordPress contains a stored cross-site scripting issue. This occurs due to insufficient input sanitization and output escaping of the `sc styles` parameter within the '/wp-json/maxi-blocks/v1.0/style-card' REST API endpoint. Authenticated attackers with Author-level access or higher can inject arbitrary web scripts that execute on every page where the plugin's style card styles are loaded, including the entire WordPress admin panel. **Recommendations** Update the plugin to a version later than 2.1.9. As a temporary workaround, restrict access to the '/wp-json/maxi-blocks/v1.0/style-card' endpoint or avoid using the `sc styles` parameter until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Timeline Blocks for Gutenberg versions prior to 1.1.11 **Description** Stored Cross-Site Scripting occurs due to insufficient input sanitization and output escaping on user-supplied attributes. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts through the `titleTag` attribute of the 'timeline-blocks/tb-timeline-blocks' block. These scripts execute whenever a user visits the affected page. **Recommendations** Update the plugin to a version later than 1.1.10.

**Name of the Vulnerable Software and Affected Versions** Bread & Butter versions prior to 8.2.0.26 **Description** Stored Cross-Site Scripting is possible via the 'breadbutter-customevent-button' shortcode. The `customEventShortCodeButton()` function fails to apply proper input sanitization and output escaping on the `event` shortcode attribute, directly interpolating the value into a JavaScript string within an onclick HTML attribute. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts that execute when a user clicks the injected button. **Recommendations** Update to a version newer than 8.2.0.25.

**Name of the Vulnerable Software and Affected Versions** Zypento Blocks versions prior to 1.0.7 **Description** The Zypento Blocks plugin for WordPress contains a Stored Cross-Site Scripting issue within the Table of Contents block. The front-end TOC rendering script reads heading text via `innerText` and inserts it into the page using `innerHTML` without proper sanitization. This allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages, which then execute when a user visits the affected page. **Recommendations** Update the plugin to a version later than 1.0.6.

**Name of the Vulnerable Software and Affected Versions** Gutentools versions prior to 1.1.4 **Description** The Gutentools plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs because of insufficient input sanitization and output escaping, combined with a custom unescaping routine that reintroduces dangerous characters. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts via the `block id` attribute of the Post Slider block, which execute when a user visits the affected page. **Recommendations** Update to a version newer than 1.1.3.