Cody Sixteen

**Name of the Vulnerable Software and Affected Versions** WP 404 Auto Redirect to Similar Post plugin for WordPress versions prior to 1.0.6 **Description** The WP 404 Auto Redirect to Similar Post plugin for WordPress is susceptible to Stored Cross-Site Scripting through admin settings. Insufficient input sanitization and output escaping allow authenticated attackers with administrator-level permissions or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. This issue specifically impacts multi-site installations and those where unfiltered html has been disabled. **Recommendations** Update the WP 404 Auto Redirect to Similar Post plugin to version 1.0.6 or later.

**Name of the Vulnerable Software and Affected Versions** WatchGuard Fireware OS versions 12.0 through 12.11.4 WatchGuard Fireware OS versions 12.5 through 12.5.13 WatchGuard Fireware OS versions 2025.1 through 2025.1.2 **Description** An out-of-bounds write issue exists in the certificate request command of WatchGuard Fireware OS. A user with privileged access can potentially execute arbitrary code by using specifically designed command-line interface (CLI) commands. **Recommendations** Update WatchGuard Fireware OS to a version later than 12.11.4. Update WatchGuard Fireware OS to a version later than 12.5.13. Update WatchGuard Fireware OS to a version later than 2025.1.2.

**Name of the Vulnerable Software and Affected Versions** WatchGuard Fireware OS versions 11.0 through 11.12.4+541730 WatchGuard Fireware OS versions 12.0 through 12.11.4 WatchGuard Fireware OS versions 12.5 through 12.5.13 WatchGuard Fireware OS versions 2025.1 through 2025.1.2 **Description** An out-of-bounds write issue exists in the Command Line Interface (CLI) of WatchGuard Fireware OS. A user with privileged access can potentially execute arbitrary code by using specifically designed IPSec configuration commands. The issue stems from improper handling of input when configuring IPSec, allowing a malicious actor to write data beyond the allocated buffer. This could lead to system compromise. **Recommendations** WatchGuard Fireware OS versions 11.0 through 11.12.4+541730 should be updated. WatchGuard Fireware OS versions 12.0 through 12.11.4 should be updated. WatchGuard Fireware OS versions 12.5 through 12.5.13 should be updated. WatchGuard Fireware OS versions 2025.1 through 2025.1.2 should be updated.

**Name of the Vulnerable Software and Affected Versions** Fast Velocity Minify versions prior to 3.5.1 **Description** The Fast Velocity Minify plugin for WordPress is susceptible to Stored Cross-Site Scripting through admin settings. Insufficient input sanitization and output escaping allow authenticated attackers with administrator-level permissions or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. This issue specifically impacts multi-site installations and those where unfiltered html has been disabled. **Recommendations** Update Fast Velocity Minify to a version later than 3.5.1.

The Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pro version activation code' parameter in all versions up to, and including, 3.0.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered html has been disabled.

Name of the Vulnerable Software and Affected Versions: Booking Calendar plugin for WordPress versions prior to 10.14.1 Description: The Booking Calendar plugin for WordPress is susceptible to Stored Cross-Site Scripting through its settings. Insufficient input sanitization and output escaping allow authenticated attackers with Administrator-level access or higher to inject arbitrary web scripts into pages. These scripts execute when a user accesses the injected page. Recommendations: Update the Booking Calendar plugin to a version later than 10.14.1.

**Name of the Vulnerable Software and Affected Versions** WatchGuard Fireware OS versions 12.0 through 12.5.12+701324 WatchGuard Fireware OS versions 12.6 through 12.11.2 **Description** A stack-based buffer overflow exists in the certificate request command of WatchGuard Fireware OS. An authenticated privileged user could potentially execute arbitrary code by using specifically crafted command-line interface (CLI) commands. This issue is due to insufficient bounds checking when handling input, leading to a buffer overflow. **Recommendations** Update WatchGuard Fireware OS to a version later than 12.5.12+701324. Update WatchGuard Fireware OS to a version later than 12.11.2.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine Applications Manager version 13 before build 13500 **Description** The issue allows post-authentication SQL injection via the `name` parameter in a "manageApplications.do?method=insert" request. **Recommendations** For Zoho ManageEngine Applications Manager version 13 before build 13500, update to build 13500 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine Applications Manager version 13 before build 13500 **Description** The issue allows SQL injection via "GraphicalView.do" endpoint, as demonstrated by a crafted `viewProps` `yCanvas` field or `viewid` parameter. **Recommendations** For Zoho ManageEngine Applications Manager version 13 before build 13500, update to build 13500 or later to resolve the issue.