Bee-K

**Name of the Vulnerable Software and Affected Versions** WP Maintenance plugin versions <= 6.0.7 **Description** The issue is an Authenticated Stored Cross-Site Scripting (XSS) vulnerability. It affects the WP Maintenance plugin at WordPress, allowing for potential exploitation. **Recommendations** For WP Maintenance plugin versions <= 6.0.7, update to a version greater than 6.0.7 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Sygnoos Popup Builder plugin versions <= 4.1.0 **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability, which can lead to a change in popup status. This type of vulnerability allows an attacker to perform actions on a user's behalf without their knowledge or consent. **Recommendations** For Sygnoos Popup Builder plugin versions <= 4.1.0, update to a version greater than 4.1.0 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Image Slider by NextCode plugin versions <= 1.1.2 **Description** The issue concerns multiple Cross-Site Request Forgery (CSRF) vulnerabilities. CSRF is a type of attack where an attacker tricks a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For Image Slider by NextCode plugin versions <= 1.1.2, update to a version higher than 1.1.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Image Slider by NextCode plugin versions <= 1.1.2 **Description** The issue is an Authenticated Persistent Cross-Site Scripting (XSS) vulnerability. This means that an attacker with at least author-level access can inject malicious scripts into the website, which will be executed by other users' browsers. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For Image Slider by NextCode plugin versions <= 1.1.2, update to a version higher than 1.1.2 to resolve the issue. At the moment, there is no information about additional mitigation measures.

**Name of the Vulnerable Software and Affected Versions** Private Messages For WordPress plugin versions <= 2.1.10 **Description** A Cross-Site Request Forgery (CSRF) issue exists, allowing attackers to send messages. **Recommendations** For Private Messages For WordPress plugin versions <= 2.1.10, update to a version higher than 2.1.10 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Advanced Contact form 7 DB plugin versions <= 1.8.7 **Description** The issue is related to a Persistent Cross-Site Scripting (XSS) vulnerability. This means that an attacker could potentially inject malicious scripts into the website, which would then be executed by other users' browsers. **Recommendations** For Advanced Contact form 7 DB plugin versions <= 1.8.7, update to a version higher than 1.8.7 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** KubiQ CPT base plugin versions <= 5.8 **Description** A Cross-Site Request Forgery (CSRF) issue allows an attacker to delete the CPT base. This can be exploited by an attacker to manipulate requests, potentially leading to unauthorized actions on the affected system. **Recommendations** For KubiQ CPT base plugin versions <= 5.8, update to a version higher than 5.8 to resolve the issue. As a temporary workaround, consider implementing additional validation checks for requests to prevent unauthorized actions. Restrict access to sensitive functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** KubiQ's PNG to JPG plugin versions prior to 4.1 **Description** The issue is related to a Cross-Site Scripting (XSS) vulnerability that can be exploited via Cross-Site Request Forgery (CSRF). The `&jpg quality` parameter is vulnerable. **Recommendations** For versions prior to 4.1, update to version 4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable parameter `&jpg quality` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Counter Box plugin versions prior to 1.1.2 **Description** The issue is related to an Authenticated Local File Inclusion (LFI) vulnerability. This means that an attacker with administrator or higher role access can potentially include and execute local files on the server, which could lead to sensitive data exposure or code execution. **Recommendations** For versions prior to 1.1.2, update to version 1.1.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Code Snippets plugin versions <= 2.14.3 **Description** The issue is a Reflected Cross-Site Scripting (XSS) vulnerability. It occurs via the `orderby` vulnerable parameter. **Recommendations** For Code Snippets plugin versions <= 2.14.3, update to a version greater than 2.14.3 to resolve the issue. As a temporary workaround, consider restricting access to the `orderby` parameter in the affected API endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Code Snippets Extended plugin versions <= 1.4.7 **Description** A Cross-Site Request Forgery (CSRF) issue allows an attacker to perform actions such as deleting or toggling snippets on or off. **Recommendations** For Code Snippets Extended plugin versions <= 1.4.7, update to a version higher than 1.4.7 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Code Snippets Extended plugin versions 1.4.7 and earlier **Description** The issue is related to a Persistent Cross-Site Scripting (XSS) vulnerability. It can be exploited via Cross-Site Request Forgery (CSRF) and involves vulnerable parameters `title` and `snippet code`. **Recommendations** For Code Snippets Extended plugin versions 1.4.7 and earlier, update to a version later than 1.4.7 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality to minimize the risk of exploitation. Avoid using the parameters `title` and `snippet code` in the affected plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Rara One Click Demo Import plugin version 1.2.9 and earlier **Description** The issue allows attackers to trick logged-in admin users into uploading dangerous files into the /wp-content/uploads/ directory through a Cross-Site Request Forgery (CSRF) leading to Arbitrary File Upload vulnerability. **Recommendations** For Rara One Click Demo Import plugin version 1.2.9 and earlier, update to a version later than 1.2.9 to resolve the issue. As a temporary workaround, consider restricting access to the /wp-content/uploads/ directory to minimize the risk of exploitation.