Big Tiger

**Name of the Vulnerable Software and Affected Versions** Mitsol Social Post Feed WordPress plugin versions prior to 1.11 **Description** The issue allows high privilege users, such as admins, to perform cross-Site Scripting attacks. This is possible because some settings are not properly escaped before being outputted back in attributes, even when the unfiltered html capability is disallowed. **Recommendations** For versions prior to 1.11, update to version 1.11 or later to resolve the issue. As a temporary workaround, consider restricting administrative access to trusted users only until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** Random Banner WordPress plugin versions up to and including 4.1.4 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient escaping via the `category` parameter found in the ~/include/models/model.php file. This allows attackers with administrative user access to inject arbitrary web scripts. The issue affects multi-site installations where unfiltered html is disabled for administrators, and sites where unfiltered html is disabled. **Recommendations** For versions up to and including 4.1.4, update to a version that includes the necessary security fixes to address the insufficient escaping issue in the `category` parameter. As a temporary workaround, consider restricting access to the ~/include/models/model.php file or disabling the `category` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** User Registration, Login & Landing Pages WordPress plugin versions up to and including 1.2.7 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient escaping via the `loader text` parameter found in the ~/includes/templates/landing-page.php file. This allows attackers with administrative user access to inject arbitrary web scripts. The issue affects multi-site installations where unfiltered html is disabled for administrators, and sites where unfiltered html is disabled. **Recommendations** For versions up to and including 1.2.7, update to a version that includes the necessary security fixes to address the insufficient escaping of the `loader text` parameter. As a temporary workaround, consider restricting access to the ~/includes/templates/landing-page.php file or disabling the use of the `loader text` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** The ProfileGrid – User Profiles, Memberships, Groups and Communities WordPress plugin versions up to and including 1.2.7 **Description** The issue arises from insufficient escaping via the `pm user avatar` and `pm cover image` parameters in the ~/admin/class-profile-magic-admin.php file, allowing attackers with authenticated user access to inject arbitrary web scripts into their profile. **Recommendations** For versions up to and including 1.2.7, update to a version that includes the necessary escaping for the `pm user avatar` and `pm cover image` parameters to prevent Stored Cross-Site Scripting. As a temporary workaround, consider restricting access to the ~/admin/class-profile-magic-admin.php file to minimize the risk of exploitation.