Dale Mavers

**Name of the Vulnerable Software and Affected Versions** Download Manager plugin for WordPress versions prior to 3.3.24 **Description** The WordPress Download Manager plugin is susceptible to Reflected Cross-Site Scripting due to inadequate input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts into pages, potentially leading to execution if a user is tricked into performing an action, such as clicking a malicious link. The vulnerability is located in the `user ids` parameter. **Recommendations** Update the Download Manager plugin to version 3.3.24 or later.

**Name of the Vulnerable Software and Affected Versions** HT Contact Form Widget for Elementor Page Builder & Gutenberg Blocks & Form Builder versions up to and including 2.2.1 **Description** The HT Contact Form Widget plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation within the `temp file delete()` function. This allows unauthenticated attackers to delete arbitrary files on the server, potentially leading to remote code execution if critical files, such as `wp-config.php`, are deleted. **Recommendations** HT Contact Form Widget for Elementor Page Builder & Gutenberg Blocks & Form Builder versions prior to 2.2.1 should be updated.

**Name of the Vulnerable Software and Affected Versions** HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. versions up to and including 2.2.1 **Description** The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the `temp file upload` function. This allows unauthenticated attackers to upload arbitrary files to the affected server, potentially leading to remote code execution. Approximately 500 potentially vulnerable instances of the plugin have been identified. Attackers are observed exploiting the vulnerability through POST requests to `/wp-admin/admin-ajax.php` with malicious files and GET requests attempting to move or delete system files, such as `wp-config.php`. **Recommendations** Update the plugin to a version greater than 2.2.1.

**Name of the Vulnerable Software and Affected Versions** Related Content By PickPlugins plugin for WordPress versions up to and including 2.0.59 **Description** The issue is related to Cross-Site Request Forgery due to missing nonce validation on a function, allowing unauthenticated attackers to inject malicious web scripts via a forged request if they can trick a site administrator into performing an action. **Recommendations** For versions up to and including 2.0.59, update to a version that includes nonce validation to prevent Cross-Site Request Forgery attacks. As a temporary workaround, consider restricting access to the vulnerable function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** UiPress lite versions up to, and including, 3.5.04 **Description** The issue allows unauthorized modification of data, potentially leading to privilege escalation, due to a missing capability check on the `uip save form as option()` function. This enables authenticated attackers with Subscriber-level access or higher to update arbitrary options on the WordPress site, which can be used to gain administrative user access. **Recommendations** For versions up to, and including, 3.5.04, consider disabling the `uip save form as option()` function until a patch is available to prevent unauthorized data modification. Restrict access to sensitive options and settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SKU Generator for WooCommerce plugin for WordPress versions up to, and including, 1.6.2 **Description** The issue is related to Reflected Cross-Site Scripting, which occurs due to the use of `add query arg` without proper escaping on the URL. This allows unauthenticated attackers to inject arbitrary web scripts into pages, which can be executed if a user is tricked into performing a specific action, such as clicking on a link. **Recommendations** For versions up to, and including, 1.6.2, update to a version that includes the necessary escaping for the `add query arg` function to prevent Reflected Cross-Site Scripting attacks.

**Name of the Vulnerable Software and Affected Versions** Advanced AJAX Product Filters plugin for WordPress versions up to, and including, 1.6.8.1 **Description** The issue arises from insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts via the `nonce` parameter. This enables attackers to execute scripts if they can trick a user into performing a specific action, such as clicking on a link. **Recommendations** For Advanced AJAX Product Filters plugin for WordPress versions up to, and including, 1.6.8.1, update to a version higher than 1.6.8.1 to resolve the issue. As a temporary workaround, consider restricting access to the `nonce` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress versions up to, and including, 4.0.4 **Description** The issue arises from insufficient input sanitization and output escaping, allowing Reflected Cross-Site Scripting attacks. This enables unauthenticated attackers to inject arbitrary web scripts into pages by tricking a user into performing a specific action, such as clicking on a link, via the `s` parameter. **Recommendations** For versions up to, and including, 4.0.4, update to a version higher than 4.0.4 to resolve the issue. As a temporary workaround, consider restricting access to the `s` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Digihood HTML Sitemap plugin for WordPress versions up to, and including, 3.1.1 **Description** The issue is related to Reflected Cross-Site Scripting via the `channel` parameter due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. **Recommendations** For versions up to, and including, 3.1.1, update to a version that addresses the insufficient input sanitization and output escaping issue. As a temporary workaround, consider restricting access to the `channel` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress versions up to, and including, 241114 **Description** The issue is related to Reflected Cross-Site Scripting due to the use of `add query arg` without appropriate escaping on the URL. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. **Recommendations** For versions up to, and including, 241114, update to a version that fixes the issue with `add query arg` to prevent Reflected Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to potentially vulnerable pages until a patch is available.

**Name of the Vulnerable Software and Affected Versions** System Dashboard plugin for WordPress versions up to, and including, 2.8.15 **Description** The issue is related to Reflected Cross-Site Scripting via the `Filename` parameter due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrative user into performing an action such as clicking on a link. **Recommendations** For versions up to, and including, 2.8.15, update to a version later than 2.8.15 to resolve the issue. As a temporary workaround, consider restricting access to the `Filename` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Simple:Press Forum plugin for WordPress versions up to, and including, 6.10.11 **Description** The issue is related to Reflected Cross-Site Scripting via the `s` parameter due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. **Recommendations** For versions up to, and including, 6.10.11, update to a version later than 6.10.11 to resolve the issue. As a temporary workaround, consider restricting access to the `s` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Team Rosters plugin for WordPress versions up to, and including, 4.7 **Description** The issue is related to Reflected Cross-Site Scripting via the `tab` parameter due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. **Recommendations** For versions up to, and including, 4.7, consider disabling the `tab` parameter in the affected plugin until a patch is available. Restrict access to the plugin's functionality to minimize the risk of exploitation. Avoid using the `tab` parameter in the affected pages until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ai Image Alt Text Generator for WP plugin for WordPress versions 1.0.2 and earlier **Description** The issue is related to Reflected Cross-Site Scripting via the `page` parameter due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. **Recommendations** For versions 1.0.2 and earlier, update to a version that addresses the insufficient input sanitization and output escaping issue. As a temporary workaround, consider restricting access to the `page` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WC Affiliate – A Complete WooCommerce Affiliate Plugin versions up to, and including, 2.4 **Description** The issue is related to Reflected Cross-Site Scripting, which occurs due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The estimated number of potentially affected devices worldwide is not specified. **Recommendations** For versions up to, and including, 2.4, update to a version later than 2.4 to resolve the issue. As a temporary workaround, consider restricting access to any parameter in the plugin to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Target Video Easy Publish plugin for WordPress versions up to, and including, 3.8.3 **Description** The issue is due to missing or incorrect nonce validation on the `resync carousel()`, `seek snapshot()`, `uploaded cc()`, and `remove cc()` functions. This allows unauthenticated attackers to inject malicious web scripts via a forged request if they can trick a site administrator into performing an action such as clicking on a link. **Recommendations** For versions up to, and including, 3.8.3, consider disabling the `resync carousel()`, `seek snapshot()`, `uploaded cc()`, and `remove cc()` functions until a patch is available to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP-BibTeX plugin for WordPress versions up to, and including, 3.0.1 **Description** The issue is due to missing or incorrect nonce validation on the `wp bibtex option page()` function, making it possible for unauthenticated attackers to inject malicious web scripts via a forged request. This can happen if attackers can trick a site administrator into performing an action such as clicking on a link. **Recommendations** For WP-BibTeX plugin for WordPress versions up to, and including, 3.0.1, consider disabling the `wp bibtex option page()` function until a patch is available to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP Abstracts plugin for WordPress versions up to, and including, 2.7.2 **Description** The issue is due to missing nonce validation on the `wpabstracts load status()` and `wpabstracts delete abstracts()` functions, making it possible for unauthenticated attackers to inject malicious web scripts via a forged request. This can happen if an attacker can trick a site administrator into performing an action such as clicking on a link. **Recommendations** For WP Abstracts plugin for WordPress versions up to, and including, 2.7.2, consider disabling the `wpabstracts load status()` and `wpabstracts delete abstracts()` functions until a patch is available to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Proofreading plugin for WordPress versions up to, and including, 1.2.1.1 **Description** The issue is related to Reflected Cross-Site Scripting via the `nonce` parameter due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action, such as clicking on a link. **Recommendations** For versions up to, and including, 1.2.1.1, consider disabling the `nonce` parameter until a patch is available to prevent exploitation. Restrict access to sensitive pages that utilize the `nonce` parameter to minimize the risk of Reflected Cross-Site Scripting attacks. Avoid using the `nonce` parameter in sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Image Gallery – Responsive Photo Gallery plugin for WordPress versions 1.0.5 and earlier **Description** The issue is related to Reflected Cross-Site Scripting via the `awsmgallery` parameter due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. **Recommendations** For versions 1.0.5 and earlier, as a temporary workaround, consider restricting access to the `awsmgallery` parameter until a patch is available. Avoid using the `awsmgallery` parameter in affected pages until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.