Craig Smith

**Name of the Vulnerable Software and Affected Versions** Tiled Gallery Carousel Without JetPack versions prior to 3.2 **Description** The plugin is subject to stored cross-site scripting due to insufficient input sanitization and output escaping. Authenticated attackers with contributor level access or higher can inject arbitrary web scripts through the `data-image-title` parameter. These scripts execute whenever a user visits the affected page. **Recommendations** Update to a version later than 3.1.

**Name of the Vulnerable Software and Affected Versions** Avada (Fusion) Builder plugin for WordPress versions prior to 3.15.3 **Description** The plugin is subject to Stored Cross-Site Scripting (XSS), a flaw where malicious scripts are permanently stored on the target server. This occurs due to insufficient input sanitization and output escaping within multiple shortcodes. Authenticated attackers with Subscriber-level access or higher can inject arbitrary web scripts into pages. These scripts execute when a user, typically an administrator, views a page that displays dynamic user data, such as biographical information retrieved via the Dynamic Data feature. **Recommendations** Update the plugin to a version later than 3.15.2.

**Name of the Vulnerable Software and Affected Versions** WP Carousel Free versions prior to 2.7.11 **Description** Stored Cross-Site Scripting occurs when the `fancybox-config.js` script reads the carousel container's `id` attribute directly from the DOM to construct a jQuery selector without sanitization. If a user with Contributor-level access or higher creates an HTML block with a malformed carousel container ID, the custom configuration fails, causing the bundled fancybox library (v3.5.7) to render the `data-caption` attribute as raw HTML. This allows authenticated attackers to inject arbitrary web scripts that execute when a user clicks an image in the crafted carousel lightbox. **Recommendations** Update to a version later than 2.7.10.

**Name of the Vulnerable Software and Affected Versions** Betheme versions prior to 28.5 **Description** The Betheme theme for WordPress allows authenticated attackers with contributor-level access and above to move or delete arbitrary local files via path traversal. This occurs because the `upload icons()` function uses a user-controlled upload path `mfn-icon-upload` in a filesystem move operation without restricting it to the uploads directory. **Recommendations** Update to a version later than 28.4. As a temporary workaround, restrict access to the `upload icons()` function for users with contributor-level permissions.

**Name of the Vulnerable Software and Affected Versions** Betheme versions prior to 28.5 **Description** The Betheme theme for WordPress allows authenticated attackers with author-level access or higher to upload arbitrary files, including PHP scripts. This occurs because the `upload icons()` function moves and unzips user-controlled ZIP files into a public uploads directory without validating the types of the extracted files. This flaw can lead to remote code execution via the Icons icon-pack upload flow. **Recommendations** Update to a version later than 28.4. As a temporary workaround, restrict access to the Icons icon-pack upload flow for users with author-level permissions.

**Name of the Vulnerable Software and Affected Versions** Livemesh Addons for Elementor versions prior to 9.1 **Description** The plugin is subject to Local File Inclusion due to insufficient sanitization of the template name parameter within the `lae get template part()` function. The implementation uses an inadequate `str replace()` method that can be bypassed using recursive directory traversal patterns. This allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary local files on the server by manipulating the widget's template parameter. **Recommendations** Update the plugin to a version later than 9.0.

**Name of the Vulnerable Software and Affected Versions** Avada (Fusion) Builder versions prior to 3.15.2 **Description** The plugin allows authenticated attackers with Subscriber-level access and above to execute arbitrary WordPress action hooks through the Dynamic Data feature. This occurs because the `output action hook()` function accepts user-controlled input to trigger registered WordPress action hooks without proper authorization checks. This flaw can lead to privilege escalation, file inclusion, or denial of service, depending on the available action hooks in the WordPress installation. **Recommendations** Update to a version newer than 3.15.1.

**Name of the Vulnerable Software and Affected Versions** Avada (Fusion) Builder versions prior to 3.15.2 **Description** The plugin contains a sensitive information exposure issue. The `fusion get post custom field()` function does not validate if metadata keys are protected by an underscore prefix. This allows authenticated attackers with Subscriber-level access or higher to extract protected post metadata fields through the `post custom field` parameter of the Dynamic Data feature. **Recommendations** Update to a version newer than 3.15.1.

Name of the Vulnerable Software and Affected Versions The Element Pack Addons for Elementor plugin for WordPress versions up to and including 8.4.2 Description The Element Pack Addons for Elementor plugin for WordPress is susceptible to Stored Cross-Site Scripting through the SVG Image Widget. This is a result of inadequate input sanitization and output escaping of SVG content retrieved from remote URLs within the `render svg()` function. The function uses `wp safe remote get()` to fetch SVG content and then directly outputs it without proper sanitization, only applying a `preg replace()` to modify the SVG tag, which does not eliminate malicious event handlers. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript into SVG files, which will execute when a user views a page containing the compromised widget. Recommendations For versions up to and including 8.4.2, update to a newer version that addresses this issue. As a temporary workaround, avoid using the SVG Image Widget with remote URLs.

Name of the Vulnerable Software and Affected Versions wpForo Forum plugin for WordPress versions up to and including 2.4.16 Description The wpForo Forum plugin for WordPress is susceptible to arbitrary file deletion due to a missing file name/path validation against path traversal sequences. Authenticated attackers with subscriber level access or higher can delete arbitrary files on the server by embedding a crafted path traversal string within a forum post body and then deleting the post. Recommendations Update the wpForo Forum plugin to a version later than 2.4.16.

Name of the Vulnerable Software and Affected Versions Xpro Addons — 140+ Widgets for Elementor plugin for WordPress versions up to and including 1.4.20 Description The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'onClick Event' setting of the Pricing Widget. Insufficient input sanitization and output escaping allow authenticated attackers with contributor-level access or higher to inject malicious web scripts into pages. These scripts will execute when a user accesses the compromised page. Recommendations Update Xpro Addons — 140+ Widgets for Elementor plugin for WordPress to a version later than 1.4.20.

Name of the Vulnerable Software and Affected Versions King Addons for Elementor plugin for WordPress versions up to and including 51.1.38 Description The King Addons for Elementor plugin for WordPress is susceptible to multiple Contributor+ DOM-Based Stored Cross-Site Scripting issues. This is a result of inadequate input sanitization and output escaping across various widgets and features. The plugin utilizes `esc attr()` and `esc url()` within JavaScript inline event handlers (onclick attributes), which allows HTML entities to be decoded by the DOM, enabling attackers to break out of the JavaScript context. Several JavaScript files employ unsafe DOM manipulation methods (template literals, .html(), and `window.location.href` with unvalidated URLs) with user-controlled data. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts through Elementor widget settings. These scripts execute when a user accesses the injected page or when an administrator previews the page in Elementor's editor. Recommendations Versions up to and including 51.1.38 should be updated to version 5.1.51 or later.

**Name of the Vulnerable Software and Affected Versions** Sina Extension for Elementor versions up to and including 3.7.0 **Description** The Sina Extension for Elementor plugin for WordPress is susceptible to Stored Cross-Site Scripting. This occurs due to inadequate input sanitization and output escaping in the `Fancy Text Widget` and `Countdown Widget` DOM attributes. Authenticated attackers with Contributor-level access or higher can inject malicious web scripts into pages. These scripts will then execute whenever a user accesses the compromised page. **Recommendations** Update the Sina Extension for Elementor plugin to a version later than 3.7.0.

**Name of the Vulnerable Software and Affected Versions** Apollo13 Framework Extensions plugin for WordPress versions up to and including 1.9.8 **Description** The software is susceptible to Stored Cross-Site Scripting through the `a13 alt link` parameter. Insufficient input sanitization and output escaping allow authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. **Recommendations** Update the Apollo13 Framework Extensions plugin to a version later than 1.9.8.

**Name of the Vulnerable Software and Affected Versions** wpForo Forum plugin for WordPress versions prior to 2.4.14 **Description** The wpForo Forum plugin for WordPress is susceptible to PHP Object Injection due to deserialization of untrusted input within the `wpforo display array data` function. This allows authenticated attackers with Subscriber-level access or higher to inject a PHP Object. The impact of this issue is limited unless another plugin or theme containing a PHP Object Payload (POP) chain is installed on the site. If a POP chain is present, an attacker may be able to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code. **Recommendations** Update the wpForo Forum plugin to version 2.4.14 or later.

**Name of the Vulnerable Software and Affected Versions** WPZOOM Addons for Elementor – Starter Templates & Widgets versions prior to 1.3.3 **Description** The WPZOOM Addons for Elementor – Starter Templates & Widgets plugin for WordPress has a flaw that allows unauthorized access to data. This is due to a missing capability check on the `ajax post grid load more` function. An unauthenticated attacker can retrieve protected post titles and excerpts (draft, future, pending) that should not be publicly accessible. **Recommendations** Update WPZOOM Addons for Elementor – Starter Templates & Widgets to version 1.3.3 or later.

**Name of the Vulnerable Software and Affected Versions** BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks, WordPress Block Plugin, Sections & Template Library versions up to and including 2.2.14 **Description** The BlockArt Blocks plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is due to inadequate input sanitization and output escaping of user-supplied attributes within the BlockArt Counter. Successful exploitation allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will then execute when a user accesses the compromised page. **Recommendations** Update BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks, WordPress Block Plugin, Sections & Template Library to a version later than 2.2.14.

**Name of the Vulnerable Software and Affected Versions** Nexter Extension – Site Enhancements Toolkit plugin for WordPress versions through 4.4.6 **Description** The Nexter Extension – Site Enhancements Toolkit plugin for WordPress is susceptible to PHP Object Injection due to deserialization of untrusted input in the `nxt unserialize replace` function. This allows unauthenticated attackers to inject a PHP Object. The impact of this issue is limited unless another plugin or theme containing a PHP Object Payload (POP) chain is installed. If a POP chain is present, an attacker may be able to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code. **Recommendations** Versions prior to and including 4.4.6 should be updated.

**Name of the Vulnerable Software and Affected Versions** Jeg Elementor Kit versions up to and including 3.0.1 **Description** The Jeg Elementor Kit plugin for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization within the countdown widget’s redirect functionality. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript code. This injected code will execute when an administrator or another user views the page containing the malicious countdown element. The vulnerable component is the countdown widget and its redirect functionality. The vulnerable parameter is the redirect URL within the countdown widget. **Recommendations** Update Jeg Elementor Kit to a version beyond 3.0.1.

**Name of the Vulnerable Software and Affected Versions** Phlox theme for WordPress versions through 2.17.7 **Description** The Phlox theme for WordPress is susceptible to Stored Cross-Site Scripting through the `data-caption` HTML attribute. Insufficient input sanitization and output escaping allow authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the affected page. The vulnerable parameter is `data-caption`. **Recommendations** Update the Phlox theme to a version beyond 2.17.7.