Cheng Liu

**Name of the Vulnerable Software and Affected Versions** 360 Photo Spheres plugin for WordPress versions up to and including 1.3 **Description** The 360 Photo Spheres plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'sphere' shortcode. Insufficient input sanitization and output escaping on user-supplied attributes allow authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. **Recommendations** Update the 360 Photo Spheres plugin to a version newer than 1.3.

Name of the Vulnerable Software and Affected Versions: A/B Testing for WordPress plugin versions up to and including 1.18.2 Description: The issue is related to stored cross-site scripting due to insufficient input sanitization and output escaping on the `id` parameter in the 'ab-testing-for-wp/ab-test-block' block. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in pages that will execute when a user accesses an injected page. Recommendations: For versions up to and including 1.18.2, update to a version higher than 1.18.2 to resolve the issue. As a temporary workaround, consider restricting access to the 'ab-testing-for-wp/ab-test-block' block to minimize the risk of exploitation. Avoid using the `id` parameter in the affected block until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: The Simple User Registration plugin for WordPress versions up to, and including, 6.3 Description: The issue is due to insufficient restrictions on user meta values that can be supplied during registration, making it possible for unauthenticated attackers to register as an administrator. Recommendations: For versions up to, and including, 6.3, consider disabling the user registration feature until a patch is available. Restrict access to user meta values to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IRM Newsroom plugin for WordPress versions up to, and including, 1.2.17 **Description** The issue is related to Stored Cross-Site Scripting via the plugin's 'irmcalendarview' shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For IRM Newsroom plugin for WordPress versions up to, and including, 1.2.17, update to a version that addresses the insufficient input sanitization and output escaping issue. As a temporary workaround, consider restricting access to the 'irmcalendarview' shortcode to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** IRM Newsroom plugin for WordPress versions up to, and including, 1.2.17 **Description** The issue is related to Stored Cross-Site Scripting via the plugin's 'irmflat' shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 1.2.17, update to a version that includes the necessary input sanitization and output escaping for the 'irmflat' shortcode to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the 'irmflat' shortcode for users with contributor-level access and above until a patch is available.

**Name of the Vulnerable Software and Affected Versions** IRM Newsroom plugin for WordPress versions 1.2.17 and earlier **Description** The issue is related to Stored Cross-Site Scripting via the plugin's 'irmeventlist' shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions 1.2.17 and earlier, update to a version that addresses the insufficient input sanitization and output escaping issue. As a temporary workaround, consider restricting access to the 'irmeventlist' shortcode to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress version 1.3.1 and earlier **Description** The issue is related to Stored Cross-Site Scripting via the `containerWidth` parameter. This is due to a missing capability check on the `vayu blocks option panel callback()` function and insufficient input sanitization and output escaping. Authenticated attackers with Subscriber-level access and above can inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions 1.3.1 and earlier, update to a version that includes a fix for the missing capability check and insufficient input sanitization and output escaping. As a temporary workaround, consider disabling the `vayu blocks option panel callback()` function until a patch is available. Restrict access to the `containerWidth` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FastSpring plugin for WordPress versions up to, and including, 3.0.1 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on the `color` attribute in the 'fastspring/block-fastspringblocks-complete-product-catalog' block. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages, which will execute when a user accesses an injected page. **Recommendations** For versions up to, and including, 3.0.1, update to a version that addresses the insufficient input sanitization and output escaping issue. As a temporary workaround, consider restricting access to the 'fastspring/block-fastspringblocks-complete-product-catalog' block to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Daisycon prijsvergelijkers plugin for WordPress versions up to, and including, 4.8.4 **Description** The issue is related to Stored Cross-Site Scripting via the plugin's 'daisycon uitvaart' shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 4.8.4, update to a version that addresses the insufficient input sanitization and output escaping issue. As a temporary workaround, consider restricting access to the 'daisycon uitvaart' shortcode to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Woo Slider Pro – Drag Drop Slider Builder For WooCommerce plugin for WordPress versions up to, and including, 1.12 **Description** The issue allows authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts due to a missing capability check on the `woo slide pro delete draft preview` AJAX action. **Recommendations** For versions up to, and including, 1.12, update to a version that includes a fix for the missing capability check on the `woo slide pro delete draft preview` AJAX action. As a temporary workaround, consider restricting access to the `woo slide pro delete draft preview` AJAX action to prevent unauthorized data modification.

**Name of the Vulnerable Software and Affected Versions** Tournamatch plugin for WordPress versions up to and including 4.6.1 **Description** The issue is related to Stored Cross-Site Scripting via the 'trn-ladder-registration-button' shortcode. This is due to insufficient input sanitization and output escaping on user-supplied attributes. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts in pages that will execute when a user accesses an injected page. **Recommendations** For versions up to and including 4.6.1, update to a version higher than 4.6.1 to resolve the issue. As a temporary workaround, consider disabling the 'trn-ladder-registration-button' shortcode until a patch is available. Restrict access to the Tournamatch plugin to minimize the risk of exploitation, especially for users with contributor-level access or higher.

Name of the Vulnerable Software and Affected Versions: Weluka Lite plugin for WordPress versions up to, and including, 1.0.3 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'weluka-map' shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Recommendations: For versions up to, and including, 1.0.3, update to a version that addresses the insufficient input sanitization and output escaping issue in the 'weluka-map' shortcode. As a temporary workaround, consider restricting access to the 'weluka-map' shortcode for users with contributor-level access and above until a patch is available.

Name of the Vulnerable Software and Affected Versions: The Bon Toolkit plugin for WordPress versions up to, and including, 1.3.2 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'bt-map' shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Recommendations: For versions up to, and including, 1.3.2, update to a version that addresses the insufficient input sanitization and output escaping issue in the 'bt-map' shortcode. As a temporary workaround, consider restricting access to the 'bt-map' shortcode for users with contributor-level access and above until a patch is available.

**Name of the Vulnerable Software and Affected Versions** WooCommerce Multiple Addresses plugin for WordPress versions up to, and including, 1.0.7.1 **Description** The issue is due to insufficient restrictions on user meta that can be updated through the `save multiple shipping addresses()` function. This allows authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator. **Recommendations** For versions up to, and including, 1.0.7.1, consider disabling the `save multiple shipping addresses()` function until a patch is available to prevent privilege escalation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Projectopia – WordPress Project Management plugin for WordPress versions up to, and including, 5.1.16 **Description** The issue allows unauthorized modification of data, potentially leading to a denial of service. This is due to a missing capability check on the `pto remove logo` function. Authenticated attackers with Subscriber-level access and above can delete arbitrary option values on the WordPress site, which can be leveraged to create an error and deny service to legitimate users. **Recommendations** For versions up to, and including, 5.1.16, update to a version higher than 5.1.16 to resolve the issue. As a temporary workaround, consider restricting access to the `pto remove logo` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Aeropage Sync for Airtable plugin for WordPress versions up to, and including, 3.2.0 **Description** The Aeropage Sync for Airtable plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the `aeropage media downloader` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. **Recommendations** For Aeropage Sync for Airtable plugin for WordPress versions up to, and including, 3.2.0: Update to a version that includes the fix for this issue. As a temporary workaround, consider disabling the `aeropage media downloader` function until a patch is available. Restrict access to the vulnerable plugin to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Aeropage Sync for Airtable plugin for WordPress versions up to, and including, 3.2.0 **Description** The issue is related to unauthorized loss of data due to a missing capability check on the `aeropageDeletePost` function. This allows authenticated attackers with Subscriber-level access and above to delete arbitrary posts. **Recommendations** For Aeropage Sync for Airtable plugin for WordPress versions up to, and including, 3.2.0, consider disabling the `aeropageDeletePost` function until a patch is available to prevent unauthorized post deletion. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Verification SMS with TargetSMS plugin for WordPress versions up to, and including, 1.5 **Description** The issue is related to limited Remote Code Execution in the Verification SMS with TargetSMS plugin for WordPress. This vulnerability is due to a lack of validation on the type of function that can be called via the `targetvr ajax handler` function. As a result, unauthenticated attackers can execute any callable function on the site, such as `phpinfo()`. **Recommendations** For versions up to, and including, 1.5, consider disabling the `targetvr ajax handler` function until a patch is available to prevent exploitation. Restrict access to the `admin-ajax.php` endpoint to minimize the risk of exploitation. Avoid using the vulnerable plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress versions up to, and including, 0.1.0.85 Description: The InstaWP Connect plugin is vulnerable to Local File Inclusion via the `instawp-database-manager` parameter. This allows unauthenticated attackers to include and execute arbitrary files on the server, enabling the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. Recommendations: For versions up to, and including, 0.1.0.85, update to version 0.1.0.86 or later to secure the website. As a temporary workaround, consider restricting access to the `instawp-database-manager` parameter to minimize the risk of exploitation.