Colin Xu

**Name of the Vulnerable Software and Affected Versions** Frontend Admin by DynamiApps versions prior to 3.28.37 **Description** Insufficient authorization checks in the role field update mechanism and overly permissive capabilities for the `admin form` post type allow for privilege escalation. The `admin form` custom post type uses `capability type` set to `page`, enabling editors to create and edit forms. By submitting POST data to the 'wp-admin/post.php' endpoint, an editor can bypass UI restrictions in `feadmin get user roles()` to include 'administrator' in the `role options` array of an `edit user` form. The `pre update value()` function in `class-role.php` validates that the submitted role exists in the `role options` array but does not verify if the user has permission to assign that role. This allows unauthenticated attackers to register as editors via a public `new user` form, create an `edit user` form with administrator roles, and escalate their privileges to administrator. **Recommendations** Update the plugin to a version later than 3.28.36.

**Name of the Vulnerable Software and Affected Versions** Vicente Ruiz Gálvez VR-Frases versions 3.0.1 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, allowing Reflected XSS. This means that an attacker can inject malicious scripts into the website, potentially stealing user data or taking control of user sessions. **Recommendations** For Vicente Ruiz Gálvez VR-Frases versions 3.0.1 and earlier, update to a version that fixes the Cross-site Scripting issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Front End Users plugin for WordPress versions up to, and including, 3.2.32 **Description** The issue allows for SQL Injection via the `UserSearchField` parameter due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This enables unauthenticated attackers to append additional SQL queries into already existing queries, potentially extracting sensitive information from the database. **Recommendations** For versions up to, and including, 3.2.32, update to a version higher than 3.2.32 to resolve the issue. As a temporary workaround, consider restricting access to the `UserSearchField` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ProductDyno plugin for WordPress versions up to and including 1.0.24 **Description** The issue arises from insufficient input sanitization and output escaping, allowing Reflected Cross-Site Scripting via the `res` parameter. This enables unauthenticated attackers to inject arbitrary web scripts into pages, which execute when a user performs a specific action, such as clicking on a link. **Recommendations** For versions up to and including 1.0.24, update to a version that includes the necessary input sanitization and output escaping fixes to prevent Reflected Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the `res` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Currency Switcher for WooCommerce plugin for WordPress versions up to, and including, 2.16.2 **Description** The issue is related to Reflected Cross-Site Scripting, which occurs due to the use of `add query arg` without proper escaping on the URL. This allows unauthenticated attackers to inject arbitrary web scripts into pages that execute when a user performs a specific action, such as clicking on a link. **Recommendations** For versions up to, and including, 2.16.2, update to a version higher than 2.16.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** LTL Freight Quotes – Purolator Edition plugin for WordPress versions up to, and including, 2.2.3 **Description** The issue is related to SQL Injection via the `dropship edit id` and `edit id` parameters due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. **Recommendations** For versions up to, and including, 2.2.3, consider disabling the `dropship edit id` and `edit id` parameters until a patch is available. Restrict access to the SQL queries to minimize the risk of exploitation. Avoid using the `dropship edit id` and `edit id` parameters in the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LTL Freight Quotes – GlobalTranz Edition plugin for WordPress versions up to, and including, 2.3.11 **Description** The issue is related to SQL Injection via the 'engtz wd save dropship' AJAX endpoint due to insufficient escaping on the `user supplied parameter` and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. **Recommendations** For versions up to, and including, 2.3.11, update to a version later than 2.3.11 to resolve the issue. As a temporary workaround, consider restricting access to the 'engtz wd save dropship' AJAX endpoint until a patch is available. Avoid using the vulnerable parameter in the affected AJAX endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** LTL Freight Quotes – GlobalTranz Edition plugin for WordPress versions up to, and including, 2.3.12 **Description** The issue concerns a missing capability check on the "engtz wd save dropship" AJAX endpoint, allowing unauthenticated attackers to update drop shipping settings. This enables unauthorized modification of data. **Recommendations** For versions up to, and including, 2.3.12, update to a version that includes a fix for the missing capability check on the "engtz wd save dropship" AJAX endpoint. As a temporary workaround, consider restricting access to the "engtz wd save dropship" AJAX endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Pollin plugin for WordPress versions up to, and including, 1.01.1 **Description** The issue is related to Reflected Cross-Site Scripting via the `question` parameter due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. **Recommendations** For versions up to, and including, 1.01.1, update to a version that addresses the insufficient input sanitization and output escaping issue. As a temporary workaround, consider restricting access to the `question` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Small Package Quotes – USPS Edition plugin for WordPress versions up to, and including, 1.3.5 **Description** The issue concerns SQL Injection via the `edit id` parameter due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This allows unauthenticated attackers to append additional SQL queries into already existing queries, which can be used to extract sensitive information from the database. **Recommendations** For versions up to, and including, 1.3.5, consider disabling the `edit id` parameter until a patch is available to prevent SQL Injection attacks. Restrict access to sensitive database information to minimize the risk of exploitation. As a temporary workaround, avoid using the `edit id` parameter in existing queries until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Pollin plugin for WordPress versions up to, and including, 1.01.1 **Description** The issue allows unauthenticated attackers to perform SQL Injection via the `question` parameter due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This enables attackers to append additional SQL queries into already existing queries, which can be used to extract sensitive information from the database. **Recommendations** For versions up to, and including, 1.01.1, consider disabling the `question` parameter until a patch is available to prevent SQL Injection attacks. Restrict access to sensitive database information to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** LTL Freight Quotes – TForce Edition plugin for WordPress versions up to and including 3.6.4 **Description** The issue concerns SQL injection via the `dropship edit id` and `edit id` parameters due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This allows unauthenticated attackers to append additional SQL queries into already existing queries, which can be used to extract sensitive information from the database. **Recommendations** For versions up to and including 3.6.4, update to a version higher than 3.6.4 to resolve the issue. As a temporary workaround, consider restricting access to the `dropship edit id` and `edit id` parameters to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Small Package Quotes – Worldwide Express Edition plugin for WordPress versions prior to 5.2.19 **Description** The issue concerns SQL injection via the `edit id` and `dropship edit id` parameters due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This allows unauthenticated attackers to append additional SQL queries into already existing queries, which can be used to extract sensitive information from the database. **Recommendations** For versions prior to 5.2.19, update to a version that includes the necessary security patches to prevent SQL injection attacks. As a temporary workaround, consider restricting access to the `edit id` and `dropship edit id` parameters until a patch is available.

**Name of the Vulnerable Software and Affected Versions** LTL Freight Quotes – SEFL Edition plugin for WordPress versions prior to 3.2.5 **Description** The issue concerns SQL Injection via the `dropship edit id` and `edit id` parameters due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This allows unauthenticated attackers to append additional SQL queries into already existing queries, which can be used to extract sensitive information from the database. **Recommendations** For versions up to and including 3.2.4, update to a version later than 3.2.4 to resolve the issue. As a temporary workaround, consider restricting access to the `dropship edit id` and `edit id` parameters until a patch is available. Avoid using the parameters `dropship edit id` and `edit id` in affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Small Package Quotes – For Customers of FedEx plugin for WordPress versions up to, and including, 4.3.1 **Description** The issue concerns SQL Injection via the `edit id` and `dropship edit id` parameters due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This allows unauthenticated attackers to append additional SQL queries into already existing queries, which can be used to extract sensitive information from the database. **Recommendations** For versions up to, and including, 4.3.1, update to a version higher than 4.3.1 to resolve the issue. As a temporary workaround, consider restricting access to the `edit id` and `dropship edit id` parameters to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** LTL Freight Quotes – SAIA Edition plugin for WordPress versions prior to 2.2.11 **Description** The issue concerns SQL Injection via the `edit id` and `dropship edit id` parameters due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This allows unauthenticated attackers to append additional SQL queries into already existing queries, which can be used to extract sensitive information from the database. **Recommendations** For versions prior to 2.2.11, update to version 2.2.11 or later to resolve the issue. As a temporary workaround, consider restricting access to the `edit id` and `dropship edit id` parameters to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** LTL Freight Quotes – ABF Freight Edition plugin for WordPress versions up to, and including, 3.3.7 **Description** The issue concerns SQL Injection via the `edit id` and `dropship edit id` parameters due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This allows unauthenticated attackers to append additional SQL queries into already existing queries, which can be used to extract sensitive information from the database. **Recommendations** For versions up to, and including, 3.3.7, update to a version later than 3.3.7 to resolve the issue. As a temporary workaround, consider restricting access to the `edit id` and `dropship edit id` parameters to minimize the risk of exploitation. Avoid using these parameters in existing queries until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** LTL Freight Quotes – R+L Carriers Edition plugin for WordPress versions up to, and including, 3.3.4 **Description** The issue concerns SQL Injection via the `edit id` and `dropship edit id` parameters due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This allows unauthenticated attackers to append additional SQL queries into already existing queries, which can be used to extract sensitive information from the database. **Recommendations** For versions up to, and including, 3.3.4, consider disabling the `edit id` and `dropship edit id` parameters until a patch is available to prevent SQL Injection attacks. Restrict access to sensitive database information to minimize the risk of exploitation. Update to a version later than 3.3.4 when available.

**Name of the Vulnerable Software and Affected Versions** LTL Freight Quotes – Old Dominion Edition plugin for WordPress versions up to, and including, 4.2.10 **Description** The issue is related to SQL Injection via the `edit id` and `dropship edit id` parameters due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. **Recommendations** For versions up to, and including, 4.2.10, consider disabling the `edit id` and `dropship edit id` parameters until a patch is available to prevent SQL Injection attacks. Restrict access to sensitive database information to minimize the risk of exploitation. As a temporary workaround, avoid using the `edit id` and `dropship edit id` parameters in affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Option Editor plugin for WordPress version 1.0 **Description** The issue is due to missing nonce validation on the `plugin page()` function, making it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request. This can be leveraged to update the default role for registration to administrator and enable user registration, allowing attackers to gain administrative user access to a vulnerable site. **Recommendations** For version 1.0, consider disabling the `plugin page()` function until a patch is available to prevent exploitation. Additionally, restrict access to the plugin's settings to minimize the risk of unauthorized changes. At the moment, there is no information about a newer version that contains a fix for this vulnerability.