Carlos Ferreira

**Name of the Vulnerable Software and Affected Versions** Analytify Under Construction, Coming Soon & Maintenance Mode versions through 2.1.1 **Description** A Cross-Site Request Forgery (CSRF) issue exists in Analytify Under Construction, Coming Soon & Maintenance Mode. This allows attackers to perform actions on behalf of an authenticated user without their knowledge. **Recommendations** Update to a version later than 2.1.1.

**Name of the Vulnerable Software and Affected Versions** Analytify Simple Social Media Share Buttons versions prior to 6.2.0 **Description** A Cross-Site Request Forgery (CSRF) flaw exists in Analytify Simple Social Media Share Buttons, which allows an attacker to perform unauthorized actions on behalf of a user. **Recommendations** Update to a version newer than 6.2.0.

**Name of the Vulnerable Software and Affected Versions** Related Posts Thumbnails Plugin for WordPress versions through 4.3.1 **Description** The Related Posts Thumbnails Plugin for WordPress is susceptible to a Cross-Site Request Forgery issue. This allows attackers to potentially perform actions on behalf of authenticated users without their knowledge. **Recommendations** Update the Related Posts Thumbnails Plugin for WordPress to a version newer than 4.3.1.

**Name of the Vulnerable Software and Affected Versions** Insert Headers And Footers plugin for WordPress versions up to, and including, 3.1.1 **Description** The issue is due to missing or incorrect nonce validation on the `custom plugin set option` function, making it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request. This can be leveraged to update the default role for registration to administrator and enable user registration, allowing attackers to gain administrative user access to a vulnerable site. The `WPBRIGADE SDK DEV MODE` constant must be set to `true` to exploit the issue. **Recommendations** For versions up to, and including, 3.1.1, update to a version that includes the fix for the missing or incorrect nonce validation on the `custom plugin set option` function. As a temporary workaround, consider disabling the `custom plugin set option` function until a patch is available. Restrict access to the plugin's settings to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: LoginPress | wp-login Custom Login Page Customizer plugin for WordPress versions up to, and including, 3.3.1 Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the `custom plugin set option` function. This allows unauthenticated attackers to update arbitrary options on the WordPress site via a forged request, potentially granting them administrative user access. The `WPBRIGADE SDK DEV MODE` constant must be set to `true` to exploit the issue. Attackers can trick a site administrator into performing an action, such as clicking on a link, to leverage this exploit and update the default role for registration to administrator, enabling user registration. Recommendations: For versions up to, and including, 3.3.1, update to a version that includes the fix for the nonce validation issue in the `custom plugin set option` function. As a temporary workaround, consider setting the `WPBRIGADE SDK DEV MODE` constant to `false` to prevent exploitation. Restrict access to the `custom plugin set option` function to minimize the risk of exploitation until a patch is available.