Chien Vuong

**Name of the Vulnerable Software and Affected Versions** All In One Redirection WordPress plugin versions prior to 2.2.0 **Description** The issue arises from improper sanitization and escaping of multiple parameters before their use in an SQL statement, leading to a SQL injection. This can be exploited by high-privilege users, such as administrators. **Recommendations** For versions prior to 2.2.0, update to version 2.2.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Responsive CSS EDITOR WordPress plugin version 1.0 **Description** The issue arises from improper sanitization and escaping of a parameter before its use in a SQL statement, leading to a SQL injection. This can be exploited by high-privilege users, such as administrators. **Recommendations** For Responsive CSS EDITOR WordPress plugin version 1.0, consider updating to a newer version that properly sanitizes and escapes parameters used in SQL statements to prevent SQL injection. As a temporary workaround, restrict administrative access to trusted users only to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FormCraft WordPress plugin versions prior to 3.9.7 **Description** The issue arises from improper sanitization and escaping of a parameter before its use in a SQL statement, resulting in a SQL injection that can be exploited by high-privilege users, such as administrators. **Recommendations** For versions prior to 3.9.7, update to version 3.9.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** The Integration for Contact Form 7 and Zoho CRM, Bigin WordPress plugin versions prior to 1.2.4 **Description** The issue is related to a SQL injection that occurs due to improper sanitization and escaping of a parameter before it is used in a SQL statement. This can be exploited by high-privilege users, such as administrators. **Recommendations** For versions prior to 1.2.4, update to version 1.2.4 or later to resolve the issue. As a temporary workaround, consider restricting access to high-privilege user accounts to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The QueryWall: Plug'n Play Firewall WordPress plugin versions 1.1.1 and earlier **Description** The issue is related to a SQL injection problem. It occurs because a `parameter` is not properly sanitised and escaped before being used in a SQL statement. This can be exploited by high privilege users, such as admins. The estimated number of potentially affected devices worldwide is not available. **Recommendations** For The QueryWall: Plug'n Play Firewall WordPress plugin versions 1.1.1 and earlier, consider updating to a version that properly sanitises and escapes parameters used in SQL statements to prevent SQL injection attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP Custom Cursors WordPress plugin versions prior to 3.2 **Description** The issue arises from the plugin's failure to properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection. This can be exploited by users with a role as low as Admin. **Recommendations** For WP Custom Cursors WordPress plugin versions prior to 3.2, update to version 3.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Image Optimizer by 10web WordPress plugin versions prior to 1.0.27 **Description** The issue allows high-privileged users, such as admins, to inspect names of files and directories outside of the site's root. This is due to the plugin not sanitizing the `dir` parameter when handling the `get subdirs` ajax action. **Recommendations** For versions prior to 1.0.27, update to version 1.0.27 or later to resolve the issue. As a temporary workaround, consider restricting access to the `get subdirs` ajax action to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Thumbnail carousel slider WordPress plugin versions prior to 1.1.10 **Description** The issue is related to Reflected Cross-Site Scripting, where some parameters are not properly sanitised and escaped before being outputted back in pages. This could be exploited against high privilege users, such as admins. **Recommendations** For versions prior to 1.1.10, update to version 1.1.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Custom 404 Pro versions prior to 3.7.3 **Description** The issue is related to the Custom 404 Pro WordPress plugin, which does not properly escape some URLs before outputting them in attributes. This can lead to Reflected Cross-Site Scripting, allowing a remote attacker to conduct inter-site script attacks. **Recommendations** For versions prior to 3.7.3, update to version 3.7.3 or later to resolve the issue.