Burak Kılınç

**Name of the Vulnerable Software and Affected Versions** Checkout Field Manager (Checkout Manager) for WooCommerce versions prior to 7.8.2 **Description** The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is susceptible to unauthenticated limited file upload. This is caused by insufficient authorization checks when handling file upload actions through the `ajax checkout attachment upload` function. An unauthenticated attacker can upload files to the server, but the file types are restricted to WordPress's default allowed MIME types, such as images and documents. **Recommendations** Update to Checkout Field Manager (Checkout Manager) for WooCommerce version 7.8.2 or later.

**Name of the Vulnerable Software and Affected Versions** Call Now Button versions prior to 1.5.5 **Description** The Call Now Button plugin for WordPress is susceptible to unauthorized data access because of a missing capability check in multiple functions. Attackers with Subscriber-level access or higher can generate links to a billing portal, allowing them to view and modify billing information, generate chat session tokens, and view domain status. The issue was partially addressed in version 1.5.4 and fully resolved in version 1.5.5. The vulnerable functions lack proper authorization controls, potentially exposing sensitive data. **Recommendations** Update Call Now Button to version 1.5.5 or later.