Ayecode Ltd

**Name of the Vulnerable Software and Affected Versions** WP User Frontend WordPress plugin versions prior to 3.5.29 **Description** The issue allows an attacker to create an account with any role they want, such as admin, by exploiting a user-supplied argument called `urhidden` in the registration form. This argument contains the role for the account to be created with, encrypted via `wpuf encryption()`. An attacker having access to the `AUTH KEY` and `AUTH SALT` constant, either via an arbitrary file access issue or if the blog is using the default keys, can exploit this. **Recommendations** For WP User Frontend WordPress plugin versions prior to 3.5.29, update to version 3.5.29 or later to resolve the issue. As a temporary workaround, consider restricting access to the registration form or monitoring account creations closely to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WP User Manager versions prior to 2.6.3 **Description** The issue allows any authenticated user to reset the password of another user to an arbitrary value, knowing only their ID, and gain access to their account. This is because the plugin does not ensure that the user ID to reset the password of is related to the reset key given. **Recommendations** For versions prior to 2.6.3, update to version 2.6.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the password reset functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** RegistrationMagic WordPress plugin versions prior to 5.0.1.9 **Description** The issue concerns a Reflected Cross-Site Scripting problem. It arises because the `rm search value` parameter is not properly sanitised and escaped before being outputted back in an attribute. This lack of sanitisation and escaping can lead to malicious script execution. **Recommendations** For versions prior to 5.0.1.9, update to version 5.0.1.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected parameter `rm search value` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** RegistrationMagic WordPress plugin versions prior to 5.0.1.7 **Description** The issue allows unauthenticated users to log in as any site user, including administrators, if they know a valid username on the site. This is due to missing identity validation in the `social login using email()` function of the plugin. **Recommendations** For versions prior to 5.0.1.7, update to version 5.0.1.7 or later to resolve the issue. As a temporary workaround, consider disabling the `social login using email()` function until a patch is available. Restrict access to the social login feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin versions prior to 3.1.7.6 **Description** The issue is related to a flaw in the social login implementation, allowing an unauthenticated attacker to login as any user on the site by only knowing their `user id` or `username`. **Recommendations** For versions prior to 3.1.7.6, update to version 3.1.7.6 or later to resolve the issue. As a temporary workaround, consider restricting access to social login features until the update is applied. Avoid using the `username` or `user id` parameters in sensitive operations until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin versions prior to 3.7.1.6 Description: The issue arises from improper escaping of user data before using it in a SQL statement in the "wp-json/pie/v1/login" REST API endpoint, leading to an SQL injection. Recommendations: For versions prior to 3.7.1.6, update to version 3.7.1.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the "wp-json/pie/v1/login" API endpoint until the update is applied.

**Name of the Vulnerable Software and Affected Versions** User Registration WordPress plugin versions prior to 2.0.2 **Description** The issue arises from the improper sanitization of the `user registration profile pic url` value when submitted via the "user registration update profile details" AJAX action. This could allow any authenticated user to perform Stored Cross-Site attacks when their profile is viewed. **Recommendations** For versions prior to 2.0.2, update to version 2.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `user registration update profile details` AJAX action to minimize the risk of exploitation. Avoid using the `user registration profile pic url` value in the affected AJAX action until the issue is resolved.