Bashu

**Name of the Vulnerable Software and Affected Versions** LatePoint – Calendar Booking Plugin for Appointments and Events versions through 5.2.7 **Description** The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is susceptible to privilege escalation through a flaw in the password reset functionality. The issue stems from the plugin permitting users with a LatePoint Agent role, while creating new customers, to define the `wordpress user id` field. This allows authenticated attackers possessing Agent-level access or higher to obtain elevated privileges by associating a customer with an arbitrary user ID, potentially including administrators, and subsequently resetting the password. The `wordpress user id` field is used to link a customer to a WordPress user account. **Recommendations** Versions prior to 5.2.7 should be updated to address this issue.

**Name of the Vulnerable Software and Affected Versions** Product Table and List Builder for WooCommerce Lite versions prior to 4.6.3 **Description** The Product Table and List Builder for WooCommerce Lite plugin for WordPress is susceptible to time-based SQL Injection. This is due to inadequate escaping of user-supplied input in the `search` parameter and insufficient preparation of the existing SQL query. This allows unauthenticated attackers to inject additional SQL queries into existing queries, potentially extracting sensitive information from the database. **Recommendations** Update to version 4.6.3 or later.

**Name of the Vulnerable Software and Affected Versions** SiteOrigin Widgets Bundle versions prior to 1.70.5 **Description** The SiteOrigin Widgets Bundle plugin for WordPress is susceptible to unauthorized arbitrary shortcode execution. This is caused by a missing capability check within the `siteorigin widget preview widget action()` function, which is registered through the `wp ajax so widgets preview` AJAX action. The function verifies a nonce (`widgets action`) but does not confirm user capabilities, allowing authenticated attackers with Subscriber-level access or higher to execute arbitrary shortcodes. The necessary nonce is exposed on the public frontend when the Post Carousel widget is present on a page, embedded within the `data-ajax-url` HTML attribute. Attackers can invoke the `SiteOrigin Widget Editor Widget` via the preview endpoint to exploit this issue. **Recommendations** Update SiteOrigin Widgets Bundle to version 1.70.5 or later.