Darkestmode

**Name of the Vulnerable Software and Affected Versions** Ad Inserter – Ad Manager & AdSense Ads versions prior to 2.8.16 **Description** The plugin is subject to Reflected Cross-Site Scripting (XSS), a flaw where an application includes untrusted data in a web page without proper validation, allowing attackers to execute scripts in the victim's browser. This occurs via URL parameters when iframe mode is active due to insufficient input sanitization and output escaping. Unauthenticated attackers can inject arbitrary web scripts if a user is tricked into clicking a malicious link. This requires the `AI OPTION IFRAME` configuration to be enabled on at least one ad block on the targeted page. **Recommendations** Update the plugin to a version later than 2.8.15. As a temporary mitigation, disable the `AI OPTION IFRAME` (iframe mode) on all ad blocks.

**Name of the Vulnerable Software and Affected Versions** Page-list plugin for WordPress versions prior to 6.3 **Description** Missing authorization occurs in the `pagelist unqprfx ext shortcode()` function, specifically within the '[pagelist ext]' and '[pagelistext]' shortcodes. The function accepts attacker-controlled `post status`, `post type`, and `show meta key` attributes and passes them directly into `get pages()` and `get post meta()` without verifying if the user has the necessary capabilities to read the matched objects. If the current post lacks child pages, the query is re-issued with `child of` set to 0, expanding the search to all pages on the site matching the provided status and type. This allows authenticated attackers with contributor-level access or higher to disclose titles, body content, excerpts, and arbitrary post meta of private and draft pages by inserting the shortcode into a draft and previewing it. **Recommendations** Update the plugin to a version later than 6.2.

The SMTP2GO for WordPress – Email Made Easy plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.16.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to truncate all SMTP2GO log records from the database or download a CSV export of all SMTP log data including recipient addresses, sender addresses, message subjects, and API response data.

**Name of the Vulnerable Software and Affected Versions** Widget Context plugin for WordPress versions prior to 1.3.4 **Description** The plugin is susceptible to Cross-Site Request Forgery (CSRF), a flaw where an attacker tricks a victim into executing unwanted actions. This occurs because the `save widget context settings()` function lacks proper nonce validation. A nonce is a unique token used to verify that a request was intentionally sent by the user. Consequently, unauthenticated attackers can modify widget visibility context settings in the WordPress options table by sending a forged POST request to the '/wp-admin/widgets.php' endpoint, provided they can deceive a site administrator into clicking a malicious link. **Recommendations** Update the plugin to a version later than 1.3.3. As a temporary workaround, restrict access to the '/wp-admin/widgets.php' endpoint or the `save widget context settings()` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates versions prior to 6.0.5 **Description** Stored Cross-Site Scripting is possible via the `className`, `classHook`, and `blockId` attributes in the 'Add to Cart' block ('essential-blocks/add-to-cart'). The issue occurs in the `render callback()` function due to insufficient output escaping when these attributes are placed into class and data-id HTML attributes using `sprintf()` and `implode()` without `esc attr()` escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, which execute when a user visits the affected page. **Recommendations** Update to a version newer than 6.0.4.

**Name of the Vulnerable Software and Affected Versions** LatePoint versions prior to 5.3.3 **Description** An Insecure Direct Object Reference exists because the `OsStripeConnectController::create payment intent for transaction()` function is registered as a public action requiring no authentication. The system loads invoices using sequential integer `invoice id` values without verifying ownership or requiring an access key. This allows unauthenticated attackers to enumerate valid invoice IDs through error messages and create unauthorized transaction intent records containing sensitive financial data, including `invoice id`, `order id`, `customer id`, and `charge amount`. Additionally, on sites using Stripe Connect, the response leaks `payment intent client secret` tokens, `transaction intent key` values, and payment amounts for any invoice. **Recommendations** Update to a version newer than 5.3.2.

Name of the Vulnerable Software and Affected Versions Smart Slider 3 plugin for WordPress versions up to and including 3.5.1.33 Description The Smart Slider 3 plugin for WordPress is susceptible to unauthorized data access and modification. This is due to the absence of capability checks in multiple `wp ajax smart-slider3` controller actions. The `display admin ajax()` method lacks a call to `checkForCap()`, which requires unfiltered html capability. Several controller actions only validate the nonce (`validateToken()`) without validating permissions. This allows authenticated attackers with Contributor-level access or higher to enumerate slider metadata and create, modify, and delete image storage records by leveraging the `nextend nonce` exposed on post editor pages. Recommendations Update to a version beyond 3.5.1.33

**Name of the Vulnerable Software and Affected Versions** User Registration & Membership plugin for WordPress versions 5.0.1 through 5.1.4 **Description** The plugin has a flaw allowing unauthorized data modification. This is due to an insufficient capability check on the Content Access Rules REST API endpoints. The `check permissions()` method only verifies the `edit posts` capability instead of requiring administrator-level permissions. Authenticated attackers with Contributor-level access or higher can list, create, modify, toggle, duplicate, and delete site-wide content restriction rules. This could lead to the exposure of restricted content or denial of access to legitimate users. The affected API endpoints are the Content Access Rules REST API endpoints. The vulnerable parameter is not specified. **Recommendations** Update to a version beyond 5.1.4.

**Name of the Vulnerable Software and Affected Versions** Smart Custom Fields plugin for WordPress versions up to and including 5.0.6 **Description** The Smart Custom Fields plugin for WordPress has a flaw that allows unauthorized access to data. A missing capability check within the `relational posts search()` function permits authenticated attackers with Contributor-level access or higher to read private and draft post content from other authors. This is achieved through the `smart-cf-relational-posts-search` AJAX action, which queries posts with any status and returns complete post objects, including `post content`, but only verifies the generic `edit posts` capability instead of individual post access permissions. **Recommendations** Update the Smart Custom Fields plugin to a version newer than 5.0.6. As a temporary workaround, consider restricting access to the `smart-cf-relational-posts-search` AJAX action until a patch is available.

**Name of the Vulnerable Software and Affected Versions** WPZOOM Social Icons Widget & Block versions up to and including 4.5.8 **Description** The Social Icons Widget & Block plugin for WordPress is susceptible to unauthorized data modification. This occurs because of a missing capability check within the `add menu item()` function, which is connected to the `admin menu` action. The function uses `wp insert post()` and `update post meta()` to create sharing configurations without verifying that the current user has administrator-level permissions. This allows authenticated attackers with Subscriber-level access or higher to create a published wpzoom-sharing configuration post with default sharing button settings. Consequently, social sharing buttons are automatically injected into all post content on the frontend through the `the content` filter. **Recommendations** Update WPZOOM Social Icons Widget & Block to version 4.5.9 or later.