Chiragh Arora

**Name of the Vulnerable Software and Affected Versions** FormCraft WordPress plugin versions prior to 1.2.6 **Description** The issue allows high privilege users, such as admins, to perform Cross-Site Scripting attacks by exploiting unsanitized and unescaped Field Labels, even when the unfiltered html capability is disallowed. **Recommendations** For versions prior to 1.2.6, update to version 1.2.6 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high privilege users to input custom Field Labels until the update is applied.

**Name of the Vulnerable Software and Affected Versions** FormBuilder WordPress plugin versions 1.08 and earlier **Description** The issue concerns the lack of CSRF checks when creating, updating, and deleting forms, as well as insufficient sanitization and escaping of form field values. This allows attackers to perform CSRF attacks, making logged-in admins update and delete arbitrary forms, and inject Cross-Site Scripting payloads. **Recommendations** For versions 1.08 and earlier, update to a version that includes CSRF checks and proper sanitization and escaping of form field values. As a temporary workaround, consider restricting access to form creation, update, and deletion functionality to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Tenda AC5 AC1200 version V15.03.06.47 multi Description: A Stored Cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `Wifi Name` parameter in the Wifi Settings, specifically in the /main.html endpoint. Recommendations: For Tenda AC5 AC1200 version V15.03.06.47 multi, avoid using the `Wifi Name` parameter in the /main.html Wifi Settings until the issue is resolved. As a temporary workaround, consider restricting access to the Wifi Settings page to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.