Aymane Mazguiti

**Name of the Vulnerable Software and Affected Versions** User Activity Log WordPress plugin versions prior to 1.6.3 **Description** The issue arises from the improper sanitization and escaping of the `txtsearch` parameter in SQL statements on certain admin pages, leading to a SQL injection that can be exploited by high-privilege users, such as administrators. **Recommendations** For versions prior to 1.6.3, update to version 1.6.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin pages that use the `txtsearch` parameter in SQL statements until the update is applied.

**Name of the Vulnerable Software and Affected Versions** The Ultimate Product Catalog WordPress plugin versions prior to 5.2.6 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This can occur even when the unfiltered html capability is disallowed, for example, in a multisite setup. The problem arises because some settings are not properly sanitised and escaped. **Recommendations** For versions prior to 5.2.6, update to version 5.2.6 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high privilege users to modify settings that could lead to Stored Cross-Site Scripting attacks.

**Name of the Vulnerable Software and Affected Versions** CodeColorer WordPress plugin versions prior to 0.10.1 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This can occur even when the unfiltered html capability is disallowed, for example in a multisite setup. **Recommendations** For versions prior to 0.10.1, update to version 0.10.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Custom Base Terms WordPress plugin versions prior to 1.0.3 **Description** The issue allows high-privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in a multisite setup. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 1.0.3, update to version 1.0.3 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high-privilege users to modify plugin settings until the update is applied.

**Name of the Vulnerable Software and Affected Versions** The Ultimate Dashboard WordPress plugin versions prior to 3.7.6 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This is possible because some settings are not properly sanitised and escaped, even when the unfiltered html capability is disallowed, for example in multisite setups. **Recommendations** For versions prior to 3.7.6, update to version 3.7.6 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high privilege users to modify settings that could be used for Stored Cross-Site Scripting attacks.

**Name of the Vulnerable Software and Affected Versions** Get your number WordPress plugin versions 1.1.3 and earlier **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This can occur even when the unfiltered html capability is disallowed, for example, in a multisite setup. **Recommendations** For Get your number WordPress plugin versions 1.1.3 and earlier, update to a version that addresses the sanitization and escaping of its settings to prevent Stored Cross-Site Scripting attacks.