Aurélien Bourdois

**Name of the Vulnerable Software and Affected Versions** Time Sheets plugin for WordPress versions through 2.1.3 **Description** The Time Sheets plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF). This is caused by a lack of, or incorrect, nonce validation on several endpoints. An unauthenticated attacker could potentially perform actions on behalf of a site administrator if they can trick the administrator into clicking a malicious link. **Recommendations** Update the Time Sheets plugin to a version newer than 2.1.3.

**Name of the Vulnerable Software and Affected Versions** The Contest Gallery – Upload, Vote & Sell with PayPal and Stripe plugin for WordPress versions prior to 27.0.4 **Description** The software is susceptible to CSV Injection through gallery submissions. This allows unauthenticated attackers to embed untrusted input into exported CSV files. Opening these files on a local system with a vulnerable configuration can lead to code execution. **Recommendations** Update to version 27.0.4 or later.

**Name of the Vulnerable Software and Affected Versions** The Contest Gallery – Upload, Vote & Sell with PayPal and Stripe plugin for WordPress versions prior to 27.0.3 **Description** The software is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping of user-supplied attributes. This allows authenticated attackers with author-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. The issue affects multiple form field parameters. **Recommendations** Update The Contest Gallery – Upload, Vote & Sell with PayPal and Stripe plugin for WordPress to version 27.0.3 or later.

**Name of the Vulnerable Software and Affected Versions** The File Manager, Code Editor, and Backup by Managefy plugin for WordPress versions prior to 1.6.2 **Description** The plugin is susceptible to a sensitive information exposure issue due to publicly exposed log files. This allows unauthenticated attackers to view information such as full paths and full paths to backup files contained within these logs. **Recommendations** Update to version 1.6.2 or later.

**Name of the Vulnerable Software and Affected Versions** Zephyr Project Manager plugin for WordPress versions prior to 3.3.203 **Description** The Zephyr Project Manager plugin for WordPress is susceptible to Stored Cross-Site Scripting through admin settings. Insufficient input sanitization and output escaping allows authenticated attackers with administrator-level permissions or higher to inject arbitrary web scripts into pages. These scripts execute when a user accesses the injected page. This issue only impacts multi-site installations and those where unfiltered html has been disabled. **Recommendations** Update the Zephyr Project Manager plugin to version 3.3.203 or later.

**Name of the Vulnerable Software and Affected Versions** Advanced Views – Display Posts, Custom Fields, and More plugin for WordPress versions up to and including 3.7.19 **Description** The Advanced Views – Display Posts, Custom Fields, and More plugin for WordPress is susceptible to Server-Side Template Injection. This is caused by inadequate input sanitization and a lack of access control when processing custom Twig templates in the Model panel. Authenticated attackers with author-level access or higher can potentially execute arbitrary PHP code and commands on the server. The vulnerability resides in how the plugin handles custom Twig templates, allowing for code execution through insufficient input validation. **Recommendations** Update the Advanced Views – Display Posts, Custom Fields, and More plugin to a version beyond 3.7.19.

**Name of the Vulnerable Software and Affected Versions** BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security versions prior to 4.6 **Description** The BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security plugin for WordPress is susceptible to sensitive information exposure. The `bitfire *` directory, created by the plugin, stores potentially sensitive files without access restrictions, allowing unauthenticated attackers to extract data from files such as `config.ini` and `debug.log`. **Recommendations** Update to version 4.6 or later.

**Name of the Vulnerable Software and Affected Versions** Terms descriptions plugin for WordPress versions prior to 3.4.9 **Description** The Terms descriptions plugin for WordPress is susceptible to Stored Cross-Site Scripting through admin settings. Insufficient input sanitization and output escaping allow authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts into pages. These scripts execute when a user accesses the injected page. This issue only affects multi-site installations and installations where unfiltered html has been disabled. **Recommendations** Update the Terms descriptions plugin to version 3.4.9 or later.

**Name of the Vulnerable Software and Affected Versions** B1.lt plugin for WordPress versions up to and including 2.2.56 **Description** The B1.lt plugin for WordPress is susceptible to SQL Injection due to a missing capability check on the `b1 run query` API endpoint. This allows authenticated attackers with Subscriber-level access or higher to execute arbitrary SQL commands. **Recommendations** Update the B1.lt plugin to a version later than 2.2.56.

**Name of the Vulnerable Software and Affected Versions** B1.lt plugin for WordPress versions through 2.2.56 **Description** The B1.lt plugin for WordPress is susceptible to SQL Injection via the `id` parameter. Insufficient escaping of user-supplied input and inadequate SQL query preparation allow authenticated attackers with Subscriber-level access or higher to inject additional SQL queries, potentially extracting sensitive information from the database. **Recommendations** Update the B1.lt plugin to a version later than 2.2.56.

**Name of the Vulnerable Software and Affected Versions:** Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI plugin for WordPress versions through 26.0.8 **Description:** The WordPress plugin is susceptible to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. **Recommendations:** Versions prior to 26.0.9 are vulnerable. Update to version 26.0.9 or later to address the issue.

**Name of the Vulnerable Software and Affected Versions** EasyVirt DC NetScope versions 8.6.4 and earlier **Description** Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary JavaScript or HTML code via vulnerable parameters. The affected parameters include `smtp server`, `smtp account`, `smtp password`, and `email recipients` in the `/smtp/update` endpoint, `ntp` or `dns` in the `/proxy/ntp/change` endpoint, and `newVcenterAddress` in the `/process new vcenter` endpoint. **Recommendations** For EasyVirt DC NetScope versions 8.6.4 and earlier, update to a version later than 8.6.4 to resolve the issue. As a temporary workaround, consider restricting access to the `/smtp/update`, `/proxy/ntp/change`, and `/process new vcenter` endpoints until a patch is available. Avoid using the vulnerable parameters `smtp server`, `smtp account`, `smtp password`, `email recipients`, `ntp`, `dns`, and `newVcenterAddress` in the affected endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** EasyVirt DCScope versions 8.6.0 and earlier EasyVirt CO2Scope versions 1.3.0 and earlier **Description** The issue allows remote unauthenticated attackers to execute arbitrary code. This can be done through the `/api/license/sendlicense/` API endpoint. **Recommendations** For EasyVirt DCScope versions 8.6.0 and earlier, update to a version later than 8.6.0 to resolve the issue. For EasyVirt CO2Scope versions 1.3.0 and earlier, update to a version later than 1.3.0 to resolve the issue. As a temporary workaround, consider restricting access to the `/api/license/sendlicense/` API endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** EasyVirt DCScope versions 8.6.0 and earlier EasyVirt CO2Scope versions 1.3.0 and earlier **Description** The issue allows remote authenticated attackers with low privileges to perform various actions, including adding admin users, modifying users, deleting users, getting users, adding root groups, modifying groups, deleting groups, getting groups, adding admin roles, modifying roles, deleting roles, and getting roles. This is achieved through SQL injection vulnerabilities in several API endpoints, such as `/api/user/addalias`, `/api/user/updatealias`, `/api/user/delalias`, `/api/user/aliases`, `/api/user/adduser`, `/api/user/updateuser`, `/api/user/deluser`, `/api/user/users`, `/api/user/addrole`, `/api/user/updaterole`, `/api/user/delrole`, and `/api/user/roles`. Additionally, the AES encryption keys used to encrypt passwords are not stored securely. **Recommendations** For EasyVirt DCScope versions 8.6.0 and earlier, update to a version that fixes the SQL injection vulnerabilities and securely stores AES encryption keys. For EasyVirt CO2Scope versions 1.3.0 and earlier, update to a version that fixes the SQL injection vulnerabilities and securely stores AES encryption keys. As a temporary workaround, consider restricting access to the vulnerable API endpoints until a patch is available. Restrict access to the `/api/user` module to minimize the risk of exploitation. Avoid using the vulnerable API endpoints in the affected versions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** EasyVirt DCScope versions 8.6.0 and earlier EasyVirt CO2Scope versions 1.3.0 and earlier **Description** The issue allows remote authenticated attackers with low privileges to perform various unauthorized actions. This includes adding an admin user via the "/api/user/addalias" route, modifying a user via the "/api/user/updatealias" route, deleting users via the "/api/user/delalias" route, and getting users via the "/api/user/aliases" route. Additionally, attackers can add a root group via the "/api/user/adduser" route, modify a group via the "/api/user/updateuser" route, delete a group via the "/api/user/deluser" route, and get groups via the "/api/user/users" route. They can also add an admin role via the "/api/user/addrole" route, modify a role via the "/api/user/updaterole" route, delete a role via the "/api/user/delrole" route, and get roles via the "/api/user/roles" route. **Recommendations** For EasyVirt DCScope versions 8.6.0 and earlier, update to a version later than 8.6.0 to resolve the issue. For EasyVirt CO2Scope versions 1.3.0 and earlier, update to a version later than 1.3.0 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints, such as "/api/user/addalias", "/api/user/updatealias", "/api/user/delalias", "/api/user/aliases", "/api/user/adduser", "/api/user/updateuser", "/api/user/deluser", "/api/user/users", "/api/user/addrole", "/api/user/updaterole", "/api/user/delrole", and "/api/user/roles", until a patch is available.