Bugb Hunter

**Name of the Vulnerable Software and Affected Versions** Comment Guestbook plugin versions <= 0.8.0 at WordPress. **Description** The issue is an Authenticated Stored Cross-Site Scripting (XSS) vulnerability. This means that an attacker, who has admin or higher privileges, can inject malicious scripts into the website, which will be executed by other users' browsers. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** For Comment Guestbook plugin versions <= 0.8.0, update to a version higher than 0.8.0 to resolve the issue. As a temporary workaround, consider disabling the Comment Guestbook plugin until a patch is available. Restrict access to the plugin's functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Social Media Follow Buttons Bar plugin versions prior to 4.74 **Description** The issue is related to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability can be exploited by an admin or higher-privileged user. The estimated number of potentially affected devices worldwide is not specified. There is no information provided about real-world incidents where this issue was exploited. **Recommendations** For Social Media Follow Buttons Bar plugin versions prior to 4.74, update to version 4.74 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** MyThemeShop Launcher: Coming Soon & Maintenance Mode plugin versions prior to 1.1.12 is not specified, however the version is <= 1.0.11 **Description** The issue is an Authenticated Stored Cross-Site Scripting (XSS) vulnerability. This means that an attacker with admin or higher privileges can inject malicious scripts into the application, which can then be executed by other users. **Recommendations** For MyThemeShop Launcher: Coming Soon & Maintenance Mode plugin versions prior to or equal to 1.0.11, update to a version greater than 1.0.11 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Webba Booking plugin versions <= 4.2.21 **Description** The issue is related to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability. This means that an attacker with admin or higher privileges can inject malicious scripts into the application, which can then be executed by other users. **Recommendations** For Webba Booking plugin versions <= 4.2.21, update to a version higher than 4.2.21 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** René Hermenau's Social Media Share Buttons plugin versions <= 3.8.1 **Description** The issue is related to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability. This means that an attacker with admin or higher privileges can inject malicious scripts into the application, which can then be executed by other users. The estimated number of potentially affected devices worldwide is not specified. There is no information provided about real-world incidents where this issue was exploited. **Recommendations** For René Hermenau's Social Media Share Buttons plugin versions <= 3.8.1, update to a version higher than 3.8.1 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's administrative interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Ninja Forms Contact Form plugin versions prior to 3.6.9 **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that requires authentication with admin+ privileges. It affects the Ninja Forms Contact Form plugin at WordPress. The vulnerability can be exploited via the `label` variable. **Recommendations** For versions prior to 3.6.9, update to a version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** MC4WP plugin versions <= 4.8.6 **Description** The issue is an Authenticated Stored Cross-Site Scripting (XSS) vulnerability. It affects users with admin or higher roles. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** For MC4WP plugin versions <= 4.8.6, update to a version higher than 4.8.6 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** MyThemeShop WP Subscribe plugin versions <= 1.2.12 **Description** The issue is an Authenticated Stored Cross-Site Scripting (XSS) vulnerability. It affects the MyThemeShop WP Subscribe plugin on WordPress, requiring admin+ authentication to exploit. **Recommendations** For MyThemeShop WP Subscribe plugin versions <= 1.2.12, update to a version higher than 1.2.12 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WP Maintenance plugin versions prior to 6.0.8 **Description** The issue is related to an Authenticated Stored Cross-Site Scripting (XSS) in the WP Maintenance plugin. This affects multiple inputs and can be exploited by authenticated administrators. **Recommendations** For WP Maintenance plugin versions prior to 6.0.8, update to version 6.0.8 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Premio Chaty (WordPress plugin) versions 2.8.3 and earlier **Description** The issue is related to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability. This means that an attacker with admin or higher user role can inject malicious scripts into the application, which can then be executed by other users. **Recommendations** For Premio Chaty (WordPress plugin) versions 2.8.3 and earlier, update to a version later than 2.8.3 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Social Media Feather versions <= 2.0.4 **Description** The issue is an Authenticated Stored Cross-Site Scripting (XSS) vulnerability. This means that an attacker with admin or higher privileges can inject malicious scripts into the application, which can then be executed by other users. **Recommendations** For versions <= 2.0.4, update to a version greater than 2.0.4 to resolve the issue. At the moment, there is no information about other mitigation measures.

**Name of the Vulnerable Software and Affected Versions** WordPress Floating Social Media Icon plugin versions <= 4.3.5 **Description** An Authenticated Stored Cross-Site Scripting (XSS) issue was found in the Social Media Configuration form of the WordPress Floating Social Media Icon plugin. This issue requires a high-role user, such as an admin, to exploit. **Recommendations** For WordPress Floating Social Media Icon plugin versions <= 4.3.5, update to a version higher than 4.3.5 to resolve the issue. As a temporary workaround, consider restricting access to the Social Media Configuration form to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WordPress Popups, Welcome Bar, Optins and Lead Generation Plugin – Icegram versions <= 2.0.2 **Description** The issue concerns the `headline` input, specifically at the `&message data[16][headline]` variable. This input is vulnerable, potentially allowing for exploitation. **Recommendations** For WordPress Popups, Welcome Bar, Optins and Lead Generation Plugin – Icegram versions <= 2.0.2, consider restricting or sanitizing input for the `headline` variable to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** YITH Maintenance Mode (WordPress plugin) versions <= 1.3.7 **Description** The issue is an Authenticated Stored Cross-Site Scripting (XSS) vulnerability. It affects the `&yith maintenance newsletter submit label` parameter. This vulnerability can be exploited even when WordPress configuration disallows unfiltered HTML. **Recommendations** For YITH Maintenance Mode (WordPress plugin) versions <= 1.3.7, update to a version greater than 1.3.7 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable parameter `&yith maintenance newsletter submit label` to minimize the risk of exploitation.