Ayoub Nouri

Name of the Vulnerable Software and Affected Versions: favethemes Homey versions 2.4.5 and earlier Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as 'Cross-site Scripting', which allows Reflected XSS. This enables potential attackers to inject malicious scripts into web pages. Recommendations: For versions 2.4.5 and earlier, update to a version that contains a fix for this issue, as no specific workaround is provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Homey theme for WordPress versions prior to 2.4.5 **Description** The issue allows authenticated attackers with Subscriber-level access and above to delete arbitrary reservations and posts due to a missing capability check on the `homey reservation del()` function. **Recommendations** For versions prior to 2.4.5, update to version 2.4.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the `homey reservation del()` function to prevent unauthorized data modification.

**Name of the Vulnerable Software and Affected Versions** Homey theme for WordPress versions up to, and including, 2.4.4 **Description** The issue allows authenticated attackers with Subscriber-level access and above to delete other users' accounts due to missing validation on a user-controlled key in the `homey delete user account` action. **Recommendations** For versions up to, and including, 2.4.4, consider disabling the `homey delete user account` action until a patch is available to prevent unauthorized account deletion. Restrict access to this action to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Favethemes Homey versions 2.4.1 and earlier **Description** The issue is related to an Incorrect Privilege Assignment vulnerability, which allows Privilege Escalation. This vulnerability poses substantial risks within digital spaces, emphasizing the importance of prioritizing cybersecurity solutions. **Recommendations** For versions 2.4.1 and earlier, update to a version that includes a fix for this issue, as no specific workaround or mitigation measures are provided. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Namaste! LMS versions 2.6.4.1 and earlier **Description** The issue is a Cross-Site Request Forgery (CSRF) vulnerability, which allows Cross Site Request Forgery. **Recommendations** For versions 2.6.4.1 and earlier, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.