Bassem Essam

**Name of the Vulnerable Software and Affected Versions** Read More & Accordion plugin for WordPress versions up to, and including, 3.4.5 **Description** The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the `addNewButtons()` function. This allows unauthenticated attackers to include and execute arbitrary PHP files via a forged request if they can trick a site administrator into performing a specific action, such as clicking on a link. **Recommendations** For versions up to, and including, 3.4.5, update to a version that includes the fix for the nonce validation issue in the `addNewButtons()` function. As a temporary workaround, consider restricting access to the `addNewButtons()` function until a patch is available.

Name of the Vulnerable Software and Affected Versions: InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress versions up to, and including, 0.1.0.83 Description: The issue is due to missing or incorrect nonce validation in the '/migrate/templates/main.php' file, making it possible for unauthenticated attackers to include and execute arbitrary files on the server. This allows the execution of any PHP code in those files, which can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. Recommendations: For versions up to, and including, 0.1.0.83, update to a version that includes proper nonce validation to prevent Cross-Site Request Forgery attacks. As a temporary workaround, consider restricting access to the '/migrate/templates/main.php' file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The WordPress Portfolio Builder – Portfolio Gallery plugin versions up to, and including, 1.1.7 **Description** The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's 'pfhub portfolio' and 'pfhub portfolio portfolio' shortcodes. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages, which will execute whenever a user accesses an injected page. **Recommendations** For The WordPress Portfolio Builder – Portfolio Gallery plugin version 1.1.7 and earlier, update to a version later than 1.1.7 to resolve the issue. As a temporary workaround, consider restricting access to the 'pfhub portfolio' and 'pfhub portfolio portfolio' shortcodes to prevent arbitrary web script injection.

**Name of the Vulnerable Software and Affected Versions** The Modal Window plugin for WordPress versions up to, and including, 6.1.5 **Description** The issue is related to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 6.1.5, update to a version later than 6.1.5 to resolve the issue. As a temporary workaround, consider disabling the `iframeBox` shortcode until a patch is available. Restrict access to the shortcode to minimize the risk of exploitation. Avoid using the `iframeBox` shortcode in pages until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress versions up to, and including, 2.6.9 **Description** The issue is related to Stored Cross-Site Scripting via the plugin's 'better messages live chat button' shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 2.6.9, update to a version that fixes the insufficient input sanitization and output escaping issue. As a temporary workaround, consider restricting access to the 'better messages live chat button' shortcode to minimize the risk of exploitation. Avoid using the `better messages live chat button` shortcode in pages until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Nested Pages plugin for WordPress versions up to, and including, 3.2.7 Description: The issue is due to missing or incorrect nonce validation on the `settingsPage` function and missing sanitization of the `tab` parameter. This makes it possible for unauthenticated attackers to call local php files via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. Attackers can exploit this flaw to execute unauthorized actions via manipulated requests. Recommendations: For Nested Pages plugin for WordPress versions up to, and including, 3.2.7: As a temporary workaround, consider disabling the `settingsPage` function until a patch is available. Restrict access to the `tab` parameter to minimize the risk of exploitation. Avoid using the `tab` parameter in affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Page and Post Clone plugin for WordPress versions up to, and including, 6.0 Description: The issue allows authenticated attackers with Author-level access and above to clone and read private posts due to missing validation on a user-controlled key in the `content clone` function. This enables them to access sensitive information they should not have access to. Recommendations: For versions up to, and including, 6.0, consider disabling the `content clone` function until a patch is available to prevent exploitation. Restrict access to private posts and limit user privileges to minimize the risk of unauthorized access.

**Name of the Vulnerable Software and Affected Versions** Yoast SEO plugin for WordPress versions up to and including 22.5 **Description** The issue is related to Reflected Cross-Site Scripting via URLs due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The vulnerability affects over 5 million active installations worldwide. **Recommendations** For versions up to and including 22.5, update to a version higher than 22.5 to resolve the issue. As a temporary workaround, consider restricting access to URLs that may be used for Cross-Site Scripting attacks until a patch is available. Avoid using URLs that can be manipulated by attackers in the affected plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** WP ULike – Most Advanced WordPress Marketing Toolkit plugin versions up to, and including, 4.6.9 **Description** The issue allows authenticated attackers with contributor-level access and above to perform SQL Injection via the `status` and `id` attributes of the `wp ulike counter` and `wp ulike` shortcodes. This is due to insufficient escaping on user-supplied parameters and lack of sufficient preparation on existing SQL queries, making it possible to extract sensitive information from the database. **Recommendations** For versions up to, and including, 4.6.9, update to a version higher than 4.6.9 to resolve the issue. As a temporary workaround, consider restricting access to the `wp ulike counter` and `wp ulike` shortcodes to minimize the risk of exploitation. Avoid using the `status` and `id` attributes in the affected shortcodes until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** GiveWP – Donation Plugin and Fundraising Platform versions up to, and including, 3.5.1 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on user-supplied attributes in the plugin's shortcode(s). This allows authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 3.5.1, update to a version later than 3.5.1 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's shortcode(s) to minimize the risk of exploitation. Additionally, limiting contributor-level and above permissions can help reduce the attack surface until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** HUSKY – Products Filter for WooCommerce Professional plugin for WordPress versions up to, and including, 1.3.5.1 **Description** The issue is related to Stored Cross-Site Scripting via the plugin's 'woof' shortcode due to insufficient input sanitization and output escaping on user-supplied attributes such as `swoof slug`. This allows authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 1.3.5.1, consider disabling the 'woof' shortcode until a patch is available to prevent exploitation. Restrict access to pages that use the 'woof' shortcode to minimize the risk of arbitrary web script execution. Avoid using the `swoof slug` attribute in the 'woof' shortcode until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** HUSKY – Products Filter for WooCommerce Professional plugin for WordPress versions up to, and including, 1.3.5.2 **Description** The issue allows authenticated attackers with contributor-level access and above to perform SQL Injection via the `name` parameter in the "woof" shortcode. This is due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query, making it possible to extract sensitive information from the database. **Recommendations** For versions up to, and including, 1.3.5.2, consider disabling the `name` parameter in the "woof" shortcode as a temporary workaround until a patch is available. Restrict access to the "woof" shortcode to minimize the risk of exploitation. Avoid using the `name` parameter in the affected shortcode until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Metform Elementor Contact Form Builder plugin for WordPress versions up to, and including, 3.8.3 **Description** The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's shortcode(s), allowing authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages. These scripts will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 3.8.3, update to a version that addresses the insufficient input sanitization and output escaping issue. As a temporary workaround, consider restricting access to the shortcode(s) feature to minimize the risk of exploitation, or limit permissions to prevent contributors and above from injecting malicious scripts.

**Name of the Vulnerable Software and Affected Versions** The Social Sharing Plugin – Sassy Social Share plugin for WordPress versions up to, and including, 3.3.58 **Description** The issue is related to Stored Cross-Site Scripting via the plugin's `Sassy Social Share` shortcode due to insufficient input sanitization and output escaping on user-supplied attributes such as `url`. This allows authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 3.3.58, consider disabling the `Sassy Social Share` shortcode until a patch is available to prevent exploitation. Restrict access to the shortcode for users with contributor-level and above permissions to minimize the risk of arbitrary web script injection. Avoid using the `url` attribute in the affected shortcode until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Master Slider – Responsive Touch Slider plugin for WordPress versions up to, and including, 3.9.5 **Description** The issue is related to Stored Cross-Site Scripting via the plugin's `ms slide` shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 3.9.5, update to a version that addresses the insufficient input sanitization and output escaping issue. As a temporary workaround, consider restricting access to the `ms slide` shortcode for users with contributor-level and above permissions until a patch is available.