Cynau1T

**Name of the Vulnerable Software and Affected Versions** Nginx Cache Purge Preload plugin for WordPress versions through 2.1.1 **Description** The Nginx Cache Purge Preload plugin for WordPress is vulnerable to Remote Code Execution via the `nppp preload cache on update` function. This is due to insufficient sanitization of the `$ SERVER['HTTP REFERERER']` parameter passed from the `nppp handle fastcgi cache actions admin bar` function. This allows authenticated attackers with Administrator-level access and above to execute code on the server. **Recommendations** Nginx Cache Purge Preload plugin for WordPress versions through 2.1.1: Update to a version later than 2.1.1.

Name of the Vulnerable Software and Affected Versions: UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress versions up to, and including, 3.5.07 Description: The issue is related to Remote Code Execution in the UiPress lite plugin for WordPress. This is due to the `uip process form input()` function taking user-supplied inputs to execute arbitrary functions with arbitrary data, and does not have any sort of capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary code on the server. Recommendations: For versions up to, and including, 3.5.07, update to a version higher than 3.5.07 to resolve the issue. As a temporary workaround, consider disabling the `uip process form input()` function until a patch is available. Restrict access to the plugin to minimize the risk of exploitation.