Brokenac Ignore

**Name of the Vulnerable Software and Affected Versions** WPBot Pro Wordpress Chatbot plugin for WordPress versions up to, and including, 13.5.5 **Description** The issue allows authenticated attackers with Subscriber-level access and above to create Simple Text Responses to chat queries due to a missing capability check on the `qc wp latest update check pro` function. This enables unauthorized modification of data. **Recommendations** For versions up to, and including, 13.5.5, consider disabling the `qc wp latest update check pro` function until a patch is available to prevent unauthorized data modification. Restrict access to the chat query response creation feature to minimize the risk of exploitation. Avoid using the affected function for creating Simple Text Responses until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Atarim plugin for WordPress versions up to, and including, 4.0.9 **Description** The issue is related to a missing capability check on the `wpf delete file` function, allowing unauthenticated attackers to delete project pages and files. This results in unauthorized loss of data. **Recommendations** For versions up to, and including, 4.0.9, update to a version higher than 4.0.9 to resolve the issue. As a temporary workaround, consider disabling the `wpf delete file` function until a patch is available. Restrict access to project pages and files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Social Rocket – Social Sharing Plugin versions up to, and including, 1.3.4 **Description** The issue allows authenticated attackers with Subscriber-level access and above to update the plugin's settings due to a missing capability check on the `tweet settings save()` and `tweet settings update()` functions. This enables unauthorized modification of data. **Recommendations** For versions up to, and including, 1.3.4, consider disabling the `tweet settings save()` and `tweet settings update()` functions until a patch is available to prevent unauthorized updates to the plugin's settings. Restrict access to the plugin's settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Export Import Menus plugin for WordPress versions up to, and including, 1.9.1 **Description** The issue arises from a missing capability check on the `dsp export import menus()` function, allowing unauthorized access to data. This enables unauthenticated attackers to export menu data and settings. **Recommendations** For versions up to, and including, 1.9.1, update to a version higher than 1.9.1 to resolve the issue. As a temporary workaround, consider disabling the `dsp export import menus()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Gold Addons for Elementor plugin for WordPress versions up to, and including, 1.3.2 **Description** The issue allows unauthorized modification of data due to a missing capability check on the `activate()` and `deactivate()` functions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate and deactivate licenses. **Recommendations** For Gold Addons for Elementor plugin for WordPress versions up to, and including, 1.3.2: Update the plugin to a version that includes the necessary capability checks for the `activate()` and `deactivate()` functions. As a temporary workaround, consider restricting access to the `activate()` and `deactivate()` functions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Knowledge Base documentation & wiki plugin – BasePress Docs plugin for WordPress versions up to, and including, 2.16.3.3 **Description** The issue allows authenticated attackers with Subscriber-level access and above to update the database due to a missing capability check on the `basepress db posts update()` function. This enables unauthorized modification of data. **Recommendations** For versions up to, and including, 2.16.3.3, update to a version higher than 2.16.3.3 to resolve the issue. As a temporary workaround, consider restricting access to the `basepress db posts update()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** The WP User Manager – User Profile Builder & Membership plugin for WordPress versions up to, and including, 2.9.11 **Description** The issue is related to a missing capability check on the `add sidebar` and `remove sidebar` functions. This allows authenticated attackers with Subscriber-level access and above to add or remove a Carbon Fields custom sidebar if the Carbon Fields plugin is installed. **Recommendations** For versions up to, and including, 2.9.11, consider disabling the `add sidebar` and `remove sidebar` functions until a patch is available to prevent unauthorized modification of data. Restrict access to the Carbon Fields custom sidebar to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Yaad Sarig Payment Gateway For WC plugin for WordPress versions up to, and including, 2.2.4 **Description** The issue is related to a missing capability check on the `yaadpay view log callback()` and `yaadpay delete log callback()` functions. This allows authenticated attackers with Subscriber-level access and above to view and delete logs, resulting in unauthorized modification and access of data. **Recommendations** For versions up to, and including, 2.2.4, consider disabling the `yaadpay view log callback()` and `yaadpay delete log callback()` functions until a patch is available to prevent unauthorized access and modification of logs.