Brian Sans-Souci

Name of the Vulnerable Software and Affected Versions: GiveWP – Donation Plugin and Fundraising Platform versions prior to 4.5.1 Description: The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is susceptible to unauthorized data modification. This is due to the absence of a capability check within the `give update payment status()` function. Authenticated attackers possessing GiveWP Worker-level access or higher can exploit this to alter donation statuses. This functionality is not accessible through the user interface. Recommendations: Update GiveWP – Donation Plugin and Fundraising Platform to version 4.5.1 or later.

**Name of the Vulnerable Software and Affected Versions** GiveWP – Donation Plugin and Fundraising Platform versions prior to 4.5.1 **Description** The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is susceptible to Stored Cross-Site Scripting through the `donor notes` parameter. Insufficient input sanitization and output escaping allow authenticated attackers with GiveWP worker-level access or higher to inject arbitrary web scripts into pages. These scripts execute when a user accesses the injected page, requiring the attacker to trick an administrator into visiting the legacy version of the site. **Recommendations** Update GiveWP – Donation Plugin and Fundraising Platform to version 4.5.1 or later.

**Name of the Vulnerable Software and Affected Versions:** WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress versions up to and including 6.7.16 **Description:** The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is susceptible to unauthorized data modification. This is due to a missing capability check on the `wcfm redirect to setup` function, potentially allowing unauthenticated attackers to view and modify plugin settings, including payment details and API keys. **Recommendations:** Update WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress to a version later than 6.7.16.

**Name of the Vulnerable Software and Affected Versions** GiveWP – Donation Plugin and Fundraising Platform versions up to, and including, 4.3.0 **Description** The issue allows authenticated attackers with Contributor-level access and above to view or delete fundraising campaigns, view donors' data, and modify campaign events due to an insufficient capability check on the permissionsCheck functions. **Recommendations** For versions up to, and including, 4.3.0, update to a version higher than 4.3.0 to resolve the issue. As a temporary workaround, consider restricting access to the permissionsCheck functions to prevent unauthorized data modification.

**Name of the Vulnerable Software and Affected Versions** Download Manager plugin for WordPress versions up to, and including, 3.3.18 **Description** The issue is related to Stored Cross-Site Scripting in the Download Manager plugin for WordPress. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the `wpdm user dashboard` shortcode. Authenticated attackers with author-level access and above can inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 3.3.18, update to a version that includes the necessary input sanitization and output escaping fixes to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the `wpdm user dashboard` shortcode to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Sunshine Photo Cart: Free Client Photo Galleries for Photographers plugin for WordPress versions up to, and including, 3.4.11 **Description** The issue is related to privilege escalation via account takeover due to the plugin not properly validating a user-supplied key. This allows authenticated attackers with Subscriber-level access and above to change arbitrary users' passwords, including administrators, through the password reset functionality. This can be leveraged to reset the user's password and gain access to their account. **Recommendations** For versions up to, and including, 3.4.11, update to a version that properly validates user-supplied keys to prevent privilege escalation. As a temporary workaround, consider restricting access to the password reset functionality to minimize the risk of exploitation. Restrict access to the plugin's settings and functionality to trusted users only, to reduce the potential for account takeover.

**Name of the Vulnerable Software and Affected Versions** The Royal Elementor Addons and Templates plugin for WordPress versions up to, and including, 1.7.1020 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages via the ` elementor data` parameter. The injected scripts will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 1.7.1020, update to a version that includes the necessary input sanitization and output escaping fixes to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the ` elementor data` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress versions up to, and including, 4.17.5 **Description** The issue allows authenticated attackers with Subscriber-level access and above to create new posts due to a missing capability check on the `create blog` function. This enables unauthorized modification of data. **Recommendations** For versions up to, and including, 4.17.5, update to a version that includes a fix for the missing capability check on the `create blog` function to prevent unauthorized data modification.

Name of the Vulnerable Software and Affected Versions: MultiVendorX – WooCommerce Multivendor Marketplace Solutions plugin for WordPress versions prior to 4.2.22 Description: The issue allows authenticated attackers with Contributor-level access and above to delete arbitrary posts, pages, attachments, and products due to a misconfigured capability check on the `delete fpm product` function. Recommendations: For versions prior to 4.2.22, update to a version that fully patches the vulnerability, as version 4.2.22 only partially addresses the issue. As a temporary workaround, consider restricting access to the `delete fpm product` function until a fully patched version is available.

**Name of the Vulnerable Software and Affected Versions** MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress versions up to, and including, 4.17.4 **Description** The issue is related to limited privilege escalation due to a lack of restriction of role when registering, allowing unauthenticated attackers to register with the `wcfm vendor` role. This role is associated with the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress, and the vulnerability can only be exploited if this plugin is installed and activated. **Recommendations** For versions up to, and including, 4.17.4, update to a version that includes the necessary security patches to restrict role registration. As a temporary workaround, consider restricting access to the registration process to prevent unauthenticated attackers from exploiting the lack of role restrictions.

**Name of the Vulnerable Software and Affected Versions** Download Manager plugin for WordPress versions up to, and including, 3.3.12 **Description** The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the `savePackage` function. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted, such as `wp-config.php`. **Recommendations** For versions up to, and including, 3.3.12, update to a version that fixes the `savePackage` function issue to prevent arbitrary file deletion. As a temporary workaround, consider disabling the `savePackage` function until a patch is available. Restrict access to the Download Manager plugin to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Password Protected plugin versions up to, and including, 2.7.7 **Description** The issue allows unauthenticated attackers to extract sensitive data, including all protected site content, if the 'Use Transient' setting is enabled. This is possible due to sensitive information exposure via the `password protected cookie` function. **Recommendations** For Password Protected plugin versions up to, and including, 2.7.7, consider disabling the `password protected cookie` function until a patch is available. Additionally, disabling the 'Use Transient' setting may help minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: WPFront User Role Editor versions up to 4.2.1 Description: The issue is related to Cross-Site Request Forgery, caused by missing or incorrect nonce validation in the `whitelist options()` function. This allows unauthenticated attackers to update the default role option, which can be used for privilege escalation via a forged request. Attackers must trick a site administrator into performing an action, such as clicking on a link. This issue is only exploitable on multisite instances. Recommendations: For versions up to 4.2.1, update to a version higher than 4.2.1 to resolve the issue. As a temporary workaround, consider restricting access to the `whitelist options()` function until a patch is available. Additionally, be cautious when clicking on links from untrusted sources to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The MultiVendorX plugin for WordPress versions up to, and including, 4.2.19 **Description** The issue is related to a missing capability check on the `delete table rate shipping row` function, which allows unauthorized loss of data. This makes it possible for unauthenticated attackers to delete Table Rates, potentially impacting shipping cost calculations. **Recommendations** For versions up to, and including, 4.2.19, update to a version that includes a fix for the missing capability check on the `delete table rate shipping row` function to prevent unauthorized data loss. As a temporary workaround, consider restricting access to the `delete table rate shipping row` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress versions up to, and including, 6.0.4.3 **Description** The issue is related to Stored Cross-Site Scripting via the `payment method` parameter due to insufficient input sanitization and output escaping. This allows authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 6.0.4.3, consider disabling the `payment method` parameter until a patch is available to prevent exploitation. Restrict access to pages that use this parameter to minimize the risk of arbitrary web script injection.

**Name of the Vulnerable Software and Affected Versions** GiveWP – Donation Plugin and Fundraising Platform versions up to, and including, 3.22.1 **Description** The issue allows authenticated attackers with Subscriber-level access and above to extract sensitive data, including reports detailing donors and donation amounts, due to a misconfigured capability check in the `permissionsCheck` function. **Recommendations** For versions up to, and including, 3.22.1, update to a version that contains a fix for this issue to prevent sensitive information exposure. As a temporary workaround, consider restricting access to the `permissionsCheck` function until a patch is available.

Name of the Vulnerable Software and Affected Versions: The Page Builder: Pagelayer versions up to, and including, 1.9.8 Description: The issue is related to insufficient validation on the `pagelayer save content()` function, allowing authenticated attackers with Contributor-level access and above to bypass post moderation and publish posts to the site. Recommendations: For versions up to, and including, 1.9.8, update to a version that includes a fix for the insufficient validation in the `pagelayer save content()` function. As a temporary workaround, consider restricting access to the `pagelayer save content()` function to prevent unauthorized post publication.

**Name of the Vulnerable Software and Affected Versions** Pagelayer versions prior to 1.9.9 **Description** The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the `pagelayer save post` function. This allows unauthenticated attackers to modify post contents via a forged request if they can trick a site administrator into performing a specific action. **Recommendations** For versions prior to 1.9.9, update to version 1.9.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the `pagelayer save post` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** The Ultimate WordPress Auction Plugin versions prior to 4.3.0 **Description** The issue allows authenticated attackers with Contributor-level access and above to access functionality unauthorized, enabling them to delete arbitrary auctions, posts, and pages, and execute other actions related to auction handling. **Recommendations** For versions prior to 4.3.0, update to version 4.3.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SecuPress Free — WordPress Security plugin versions up to, and including, 2.2.5.3 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on user-supplied attributes in the `secupress check ban ips form` shortcode. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages, which will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 2.2.5.3, consider disabling the `secupress check ban ips form` shortcode until a patch is available to prevent exploitation. Restrict access to pages that utilize this shortcode to minimize the risk of arbitrary web script execution.