Daroo

**Name of the Vulnerable Software and Affected Versions** ThemeGrill Masteriyo - LMS versions prior to 2.2.1 **Description** Incorrect privilege assignment in ThemeGrill Masteriyo - LMS allows for privilege escalation, which occurs when a user is granted more permissions than intended, potentially allowing them to perform unauthorized administrative actions. **Recommendations** Update to a version newer than 2.2.0.

**Name of the Vulnerable Software and Affected Versions** 10Web Photo Gallery versions prior to 1.8.42 **Description** Improper neutralization of special elements used in an SQL command allows for Blind SQL Injection. Blind SQL Injection is a type of attack where the application does not return the results of the SQL query directly, but the attacker can still deduce information by observing the application's response to specific queries. **Recommendations** Update to a version newer than 1.8.41.

**Name of the Vulnerable Software and Affected Versions** Sergey AIWU versions prior to 1.4.17 **Description** Incorrect privilege assignment in Sergey AIWU allows for privilege escalation, which occurs when a user is granted more permissions than intended, enabling them to perform unauthorized actions. **Recommendations** Update to a version newer than 1.4.17.

**Name of the Vulnerable Software and Affected Versions** Gravity Forms versions prior to 2.10.0.2 **Description** An improper limitation of a pathname to a restricted directory, known as Path Traversal, exists in Gravity Forms. This allows an attacker to access files and directories outside of the intended folder. **Recommendations** Update to version 2.10.0.2 or later.

**Name of the Vulnerable Software and Affected Versions** WP Directory Kit versions prior to 1.5.2 **Description** WP Directory Kit contains an improper neutralization of special elements used in an SQL command, which allows for Blind SQL Injection. Blind SQL Injection is a type of attack where the application does not return the results of the SQL query directly in the HTTP response, but the attacker can still infer data by observing the application's response to specific queries. **Recommendations** Update to a version newer than 1.5.1.

**Name of the Vulnerable Software and Affected Versions** Contest Gallery Pro versions prior to 29.0.1 **Description** Incorrect privilege assignment allows for privilege escalation within the software. **Recommendations** Update to a version newer than 29.0.1.

**Name of the Vulnerable Software and Affected Versions** VeronaLabs WP Statistics versions prior to 14.16.6 **Description** Improper neutralization of input during web page generation allows for DOM-Based Cross-Site Scripting (XSS), a flaw where the application contains client-side JavaScript that processes data from an untrusted source in an unsafe way, typically updating the Document Object Model (DOM). **Recommendations** Update to a version later than 14.16.6.

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to and including 3.29.2. This is due to insecure form submission handling that accepts arbitrary form definitions from user input instead of securely loading them from the backend. When $ POST[' acf form'] is an array (rather than a form ID), the validate form() function bypasses database lookup and directly processes the attacker-controlled structure. The create record() function preserves attacker-supplied record data if present, and the user action's run() function falls back to attacker-controlled field definitions from $form['fields'] when legitimate fields cannot be found. The role field's pre update value() validation reads $field['role options'] from this attacker-controlled definition, allowing an attacker to specify ['administrator'] as an allowed role and bypass the security check. This makes it possible for unauthenticated attackers to create administrator accounts by injecting a custom form configuration with a spoofed role field.

**Name of the Vulnerable Software and Affected Versions** Advanced Custom Fields: Extended versions prior to 0.9.2.6 **Description** The plugin is subject to privilege escalation through a validation bypass. The `after validate save post()` function trusts the ` acf post id` POST parameter without authentication or integrity verification. This allows unauthenticated attackers to select a cleanup branch that discards validation errors not prefixed with acfe:. Consequently, attackers can suppress the role allow-list validation error from `acfe field user roles::validate front value()` and the administrator-role capability guard error from `acfe module form action user::validate action()`. This leads to the execution of `wp insert user()` with an attacker-supplied administrator role, enabling the creation of a new administrator-level user account. This issue requires the target site to have a public ACFE frontend form configured with a Create User action that maps a role field. **Recommendations** Update the plugin to version 0.9.2.6 or later.

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'append where sql' parameter in all versions up to, and including, 1.6.11.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The /appointments/bulk REST endpoint is reachable by unauthenticated attackers because its permission check accepts a public nonce that is embedded in the booking widget's frontend JavaScript (ssa.api.public nonce) and visible to all site visitors; exploitation requires issuing the request as a PUT with an application/x-www-form-urlencoded body so that PHP's superglobals are not populated and the blocklist check silently passes.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Contact Form 7 ht-contactform allows Stored XSS.This issue affects HT Contact Form 7: from n/a through <= 2.8.2.

**Name of the Vulnerable Software and Affected Versions** JetEngine versions prior to 3.8.8.2 **Description** Improper neutralization of special elements used in an SQL command allows for SQL injection, a technique where malicious SQL statements are inserted into entry fields for execution to manipulate a database. **Recommendations** Update to a version newer than 3.8.8.1.

**Name of the Vulnerable Software and Affected Versions** WP Activity Log versions prior to 5.6.4 **Description** Improper neutralization of input during web page generation in Melapress WP Activity Log allows for DOM-Based Cross-site Scripting (XSS), a flaw where the application contains client-side JavaScript that processes data from an untrusted source in an unsafe way, typically writing the data back to the Document Object Model (DOM). **Recommendations** Update to a version newer than 5.6.3.

**Name of the Vulnerable Software and Affected Versions** Unlimited Elements For Elementor versions prior to 2.0.9 **Description** Improper Neutralization of Special Elements used in an SQL Command allows Blind SQL Injection. Blind SQL Injection is a type of attack where the application does not return data directly in the HTTP response, but the attacker can still infer information by observing the application's response to specific queries. **Recommendations** Update to a version newer than 2.0.8.

Cross-Site Request Forgery (CSRF) vulnerability in WpDevArt Organization chart allows Cross Site Request Forgery. This issue affects Organization chart: from n/a through 1.7.5.

**Name of the Vulnerable Software and Affected Versions** WP Chill RSVP and Event Management versions prior to 2.7.17 **Description** A missing authorization issue exists due to incorrectly configured access control security levels, which allows for broken access control. **Recommendations** Update to a version later than 2.7.16.

**Name of the Vulnerable Software and Affected Versions** The AI Engine – The Chatbot, AI Framework & MCP for WordPress version 3.4.9 **Description** Missing WordPress capability enforcement in the MCP OAuth bearer-token authorization path allows authenticated users with Subscriber privileges or higher to gain unauthorized access. Because the system grants MCP access to any valid OAuth token without verifying administrator privileges, attackers can invoke admin-level MCP tools to escalate their privileges to Administrator. **Recommendations** Update The AI Engine – The Chatbot, AI Framework & MCP for WordPress to a version later than 3.4.9.

**Name of the Vulnerable Software and Affected Versions** The Plus Addons for Elementor versions prior to 6.4.12 **Description** Stored cross-site scripting is possible due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access and above can inject arbitrary web scripts via the `menu hover click` parameter of the Navigation Menu Lite widget. These scripts execute whenever a user accesses an affected page. **Recommendations** Update to a version later than 6.4.11. As a temporary workaround, restrict access to the Navigation Menu Lite widget or avoid using the `menu hover click` parameter until the update is applied.

**Name of the Vulnerable Software and Affected Versions** JoomSport versions prior to 5.7.8 **Description** The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress contains a time-based blind SQL Injection. This occurs due to insufficient escaping of user-supplied parameters and a lack of proper preparation of the SQL query. Unauthenticated attackers can append additional SQL queries to existing ones to extract sensitive information from the database via the `sortf` parameter. **Recommendations** Update the plugin to a version later than 5.7.7. Avoid using the `sortf` parameter until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Forminator Forms – Contact Form, Payment Form & Custom Form Builder versions prior to 1.52.2 **Description** A Path Traversal issue exists in the Forminator Forms plugin for WordPress. Unauthenticated attackers can read arbitrary files on the server, potentially exposing sensitive information, by manipulating the `upload-1[file][file path]` parameter. This exploitation is possible if a publicly accessible form has a File Upload field with the Save and Continue feature enabled in the Behavior settings, and the corresponding email notification is configured to attach uploaded files. **Recommendations** Update the plugin to a version later than 1.52.1. As a temporary mitigation, disable the Save and Continue feature in the Behavior settings of forms containing File Upload fields or disable the attachment of uploaded files in Email Notifications.