Coiffeur

**Name of the Vulnerable Software and Affected Versions** PHPFusion version 9.03.50 **Description** PHPFusion contains a persistent cross-site scripting issue in the `print.php` page. The application does not properly sanitize user-submitted message content. Attackers can inject malicious JavaScript through forum messages, which will execute when the print page is generated, allowing script execution in victim browsers. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Simple-File-List Plugin for WordPress versions through 4.2.2 Description: The Simple-File-List Plugin for WordPress is susceptible to Remote Code Execution via the `rename` function. This allows unauthenticated attackers to execute code on the server by renaming uploaded PHP code with a PNG extension to use a PHP extension. Recommendations: Update the Simple-File-List Plugin for WordPress to version 4.2.3 or later.

**Name of the Vulnerable Software and Affected Versions:** Simple File List plugin for WordPress versions prior to 4.2.3 **Description:** An unrestricted file upload vulnerability exists in the Simple File List plugin for WordPress. The plugin’s upload endpoint (`ee-upload-engine.php`) restricts file uploads based on extension but lacks proper validation after renaming. An attacker can upload a PHP payload disguised as a .png file and then use the plugin’s `ee-file-engine.php` rename functionality to change the extension to .php, bypassing upload restrictions and enabling execution of the uploaded payload on the server. **Recommendations:** Update the Simple File List plugin to version 4.2.3 or later.