Chloe Chamberland

The SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 4.3.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Because the vulnerable plugin options page() function is only rendered within the WordPress admin dashboard, successful exploitation requires the targeted victim to be logged in with Shop Manager-level access or higher.

The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.4.01. This is due to insufficient authorization and missing per-calendar ownership checks in the cpabc appointments calendar load2() function, which is reachable via the cpabc calendar load2=1 query parameter in wp-admin and only checks is admin() && current user can('edit posts'), a capability available to Contributor-level users and above. This makes it possible for authenticated attackers with Contributor-level access and above to supply an arbitrary calendar ID via the id parameter and extract customer booking information, including email addresses, names, phone numbers, booking times, and comments, from any calendar managed by the plugin.

The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sysbasics user avatar' shortcode in versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied attributes (min height, min width, max height, max width) in the wcmamtx get avatar default() function, which are concatenated unescaped into the get avatar() extra attr style attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 30.0.2 via the `RegistryUserRole` parameter. This is due to the plugin's admin menu being registered at the `edit posts` capability level — granting Contributor-level users access to the plugin's admin pages and a valid `cg admin` nonce — while the option-saving handler in `change-options-and-sizes.php` performs no `current user can()` capability check beyond `check admin referer('cg admin')`, and the `RegistryUserRole` value is processed only through `sanitize text field()` and `htmlentities()` without restriction to an allowlist of permitted role names. This makes it possible for authenticated attackers, with author-level access and above, to overwrite the plugin's stored `RegistryUserRole` option with `administrator`, which the `cg create wp user from google user` function then reads back from the `contest gal1ery registry and login options` database table without any allowlist validation and passes directly to `wp update user()`, effectively promoting a newly registered Google sign-in account to Administrator.

**Name of the Vulnerable Software and Affected Versions** Burst Statistics versions 3.4.0 through 3.4.1.1 **Description** The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress contains an authentication bypass flaw. The issue stems from incorrect return-value handling in the `is mainwp authenticated()` function when validating application passwords from the Authorization header. This allows an unauthenticated attacker who knows an administrator username to impersonate that administrator for the duration of a request by providing any random Basic Authentication password, leading to privilege escalation and full site takeover. Over 200,000 sites are estimated to be affected worldwide, with more than 7,400 attacks recorded within 24 hours of disclosure. **Recommendations** Update Burst Statistics to version 3.4.2. Audit administrator accounts for any unrecognized users created during the period of exposure. Enable automatic updates for plugins to reduce the window of exposure for future issues.

Name of the Vulnerable Software and Affected Versions: Motors – Car Dealership & Classified Listings Plugin versions up to, and including, 1.4.66 Description: The issue allows authenticated attackers with Subscriber-level access and above to execute several initial set-up actions due to a missing capability check on several functions in the ajax actions.php file. This enables unauthorized modification of data. Recommendations: For Motors – Car Dealership & Classified Listings Plugin versions up to, and including, 1.4.66, update to a version that includes a fix for the missing capability check in the ajax actions.php file to prevent unauthorized data modification.

**Name of the Vulnerable Software and Affected Versions** Newscrunch theme for WordPress versions up to, and including, 1.8.4.1 **Description** The issue is related to a missing capability check in the `newscrunch install and activate plugin()` function, allowing authenticated attackers with Subscriber-level access and above to upload arbitrary files on the affected site's server. This could potentially lead to remote code execution. **Recommendations** For versions up to, and including, 1.8.4.1, consider disabling the `newscrunch install and activate plugin()` function until a patch is available to prevent arbitrary file uploads. Restrict access to file upload functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** AdForest theme for WordPress versions up to, and including, 5.1.8 **Description** The AdForest theme for WordPress is vulnerable to authentication bypass due to the plugin not properly verifying a user's identity prior to logging them in as that user. This makes it possible for unauthenticated attackers to authenticate as any user as long as they have configured OTP login by phone number. Thousands of sites may be at risk. **Recommendations** To safeguard sites, update to version 5.1.9. As a temporary workaround, consider disabling the OTP login by phone number feature until the issue is resolved. Restrict access to sensitive areas of the site to minimize the risk of exploitation. Avoid using the OTP login feature in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** WordPress User Extra Fields plugin versions up to, and including, 16.6 **Description** The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the `delete tmp uploaded file()` function. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted, such as `wp-config.php`. **Recommendations** For WordPress User Extra Fields plugin versions up to, and including, 16.6, update to a version later than 16.6 to mitigate the risk of arbitrary file deletion. As a temporary workaround, consider disabling the `delete tmp uploaded file()` function until a patch is available. Restrict access to sensitive files, such as `wp-config.php`, to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Essential Addons for Elementor plugin for WordPress versions up to and including 4.6.4 **Description** The issue is related to authorization bypass due to missing capability checks and nonce disclosure. This allows authenticated attackers with minimal permissions, such as a subscriber, to perform unauthorized actions like changing settings and installing arbitrary plugins. **Recommendations** For versions up to and including 4.6.4, update to the latest version to secure your site and apply all recommended patches. As a temporary workaround, consider restricting access to sensitive settings and plugin installation features until the update is applied.

**Name of the Vulnerable Software and Affected Versions** The Essential Addons for Elementor plugin for WordPress versions up to and including 4.6.4 **Description** The issue is related to a lack of restrictions on who can add a registration form and a custom registration role to an Elementor created page. This makes it possible for attackers with access to the Elementor page builder to create a new registration form that defaults to the user role being set to administrator and subsequently register as an administrative user. **Recommendations** For versions up to and including 4.6.4, update the plugin to the latest version to protect the site. As a temporary workaround, consider restricting access to the Elementor page builder to minimize the risk of exploitation. Avoid using the registration form feature in the affected plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** NinjaFirewall plugin for WordPress versions up to, and including, 4.3.3 **Description** The issue allows authenticated attackers to perform phar deserialization on the server, which can enable other plugin or theme exploits if vulnerable software is present, including WordPress and NinjaFirewall. **Recommendations** For NinjaFirewall plugin for WordPress versions up to, and including, 4.3.3, update to a version higher than 4.3.3 to resolve the issue. At the moment, there is no information about additional mitigation measures for this specific vulnerability.

**Name of the Vulnerable Software and Affected Versions** Post Grid plugin for WordPress versions up to, and including, 2.1.12 **Description** The issue is related to blind SQL Injection via post metadata due to insufficient escaping on the `user supplied parameter` and lack of sufficient preparation on the existing SQL query. This allows authenticated attackers with contributor-level permissions and above to append additional SQL queries into already existing queries, which can be used to extract sensitive information from the database. **Recommendations** For Post Grid plugin for WordPress versions up to, and including, 2.1.12, update to a version higher than 2.1.12 to resolve the issue. As a temporary workaround, consider restricting access to post metadata for users with contributor-level permissions and above until a patch is available. Avoid using the vulnerable post metadata feature in the affected plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Facebook Chat Plugin for WordPress versions up to and including 1.5 **Description** The Facebook Chat Plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the `wp ajax update options` function. This flaw makes it possible for low-level authenticated attackers to connect their own Facebook Messenger account to any site running the vulnerable plugin and engage in chats with site visitors on affected sites. **Recommendations** For versions up to and including 1.5, update to a version that includes a fix for this issue. As a temporary workaround, consider disabling the `wp ajax update options` function until a patch is available. Restrict access to the plugin's functionality to minimize the risk of exploitation. Avoid using the vulnerable plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Kaswara Modern VC Addons plugin for WordPress versions up to, and including, 3.0.1 **Description** The issue is related to insufficient capability checking on various AJAX actions, allowing unauthenticated attackers to perform unauthorized actions. These actions include importing data, uploading arbitrary files, deleting arbitrary files, and more. **Recommendations** For versions up to, and including, 3.0.1, update to a version higher than 3.0.1 to resolve the issue. As a temporary workaround, consider restricting access to the AJAX actions until a patch is available. Avoid using the plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Slimstat Analytics plugin for WordPress versions up to, and including, 5.0.9 **Description** The issue is related to SQL Injection via the plugin's shortcode due to insufficient escaping on the `user supplied parameter` and lack of sufficient preparation on the existing SQL query. This allows authenticated attackers with contributor-level and above permissions to append additional SQL queries into already existing queries, which can be used to extract sensitive information from the database. **Recommendations** For Slimstat Analytics plugin for WordPress versions up to, and including, 5.0.9: Update to a version higher than 5.0.9 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's shortcode for users with contributor-level and above permissions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** AI ChatBot plugin for WordPress versions up to, and including, 4.8.9 AI ChatBot plugin for WordPress version 4.9.2 **Description** The AI ChatBot plugin for WordPress is vulnerable to Arbitrary File Deletion. This makes it possible for authenticated attackers with subscriber privileges to delete arbitrary files on the server, which can lead to taking over affected sites as well as others sharing the same hosting account. Version 4.9.1 originally addressed the issue, but it was reintroduced in 4.9.2 and fixed again in 4.9.3. **Recommendations** For versions up to, and including, 4.8.9, update to version 4.9.1 or later to resolve the issue. For version 4.9.2, update to version 4.9.3 to resolve the issue. As a temporary workaround, consider restricting access to sensitive files and directories on the server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WP Project Manager plugin for WordPress versions up to, and including, 2.6.4 **Description** The issue allows authenticated attackers with minimal permissions, such as a subscriber, to modify their user role. This is possible due to insufficient restriction on the `save users map name` function, which can be exploited by supplying the `usernames` parameter. **Recommendations** For WP Project Manager plugin for WordPress versions up to, and including, 2.6.4, consider disabling the `save users map name` function until a patch is available to prevent privilege escalation. Restrict access to the `usernames` parameter in the affected function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Inisev WordPress plugins (affected versions not specified) **Description** The issue allows authenticated attackers with minimal permissions to install select plugins due to a missing capability check on the `handle installation` function. This function is called via the `inisev installation` AJAX action. As a result, attackers with minimal permissions, such as subscribers, can install plugins on vulnerable sites. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Inisev WordPress plugins (affected versions not specified) **Description** The issue allows unauthenticated attackers to install plugins from a limited list via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. This is due to a missing nonce check on the `handle installation` function that is called via the `inisev installation` AJAX action in various versions. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.