Claudio Marchesini

Name of the Vulnerable Software and Affected Versions: The Payment Gateway for Telcell WordPress plugin versions 2.0.1 and earlier Description: The issue is related to an Open Redirect problem. It occurs because the `api url` parameter is not validated before the user is redirected to its value. This could potentially allow for malicious redirection. Recommendations: For versions 2.0.1 and earlier, update to a version that fixes this issue. As a temporary workaround, consider restricting access to the `api url` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo WordPress plugin versions prior to 2.2.25 **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs because the `biteship error` and `biteship message` parameters are not properly sanitized and escaped before being outputted back on the page. This could be exploited against high-privilege users, such as administrators. **Recommendations** For versions prior to 2.2.25, update to version 2.2.25 or later to resolve the issue. As a temporary workaround, consider restricting access to the parameters `biteship error` and `biteship message` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WP Discord Invite WordPress plugin versions prior to 2.5.1 **Description** The issue allows an unauthenticated attacker to perform actions on behalf of a logged-in administrator by tricking them into submitting a crafted request, due to a lack of protection against CSRF attacks. **Recommendations** For WP Discord Invite WordPress plugin versions prior to 2.5.1, update to version 2.5.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ArtPlacer Widget WordPress plugin versions prior to 2.20.7 **Description** The issue is related to the lack of sanitization and escaping of the `id` parameter before submitting a query, leading to a SQL injection (SQLI) that can be exploited by editors and above. Due to the absence of a CSRF check, the issue could also be exploited via a CSRF attack against a logged-in editor or higher. **Recommendations** For versions prior to 2.20.7, update to version 2.20.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality for editors and above until the update is applied. Additionally, restrict the use of the `id` parameter in queries to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** BSK Contact Form 7 Blacklist WordPress plugin versions 1.0.1 and earlier **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs because the `inserted count` parameter is not properly sanitized and escaped before being outputted back in the page. This could be exploited against high-privilege users, such as administrators. **Recommendations** For versions 1.0.1 and earlier, as a temporary workaround, consider disabling the functionality that outputs the `inserted count` parameter until a patch is available. Restrict access to areas where this parameter is used to minimize the risk of exploitation. Update to a version that fixes this issue once it becomes available.

**Name of the Vulnerable Software and Affected Versions** The Martins Free & Easy SEO BackLink Link Building Network WordPress plugin versions prior to 1.2.30 **Description** The issue is related to a Reflected Cross-Site Scripting problem, where a parameter is not properly sanitized and escaped before being outputted back in the page. This could be exploited against high-privilege users, such as administrators. **Recommendations** For versions prior to 1.2.30, update to version 1.2.30 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Bonus for Woo WordPress plugin versions prior to 5.8.3 **Description** The issue is related to Reflected Cross-Site Scripting, which occurs because some parameters are not properly sanitised and escaped before being outputted back in pages. This could be exploited against high-privilege users, such as administrators. **Recommendations** For versions prior to 5.8.3, update to version 5.8.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Fattura24 WordPress plugin versions prior to 6.2.8 **Description** The issue is related to a reflected Cross-Site Scripting vulnerability. It occurs because the `id` parameter is not properly sanitized or escaped before being outputted back in the page. This allows for potential malicious script injection. **Recommendations** For versions prior to 6.2.8, update to version 6.2.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the `id` parameter in the affected API endpoint until a patch is available.