David Brown

**Name of the Vulnerable Software and Affected Versions** WP Maps Pro versions prior to 6.1.1 **Description** An unauthenticated privilege escalation issue exists due to a flawed temporary access feature designed for support troubleshooting. The AJAX action 'wpgmp temp access ajax' is registered for unauthenticated users and relies on a nonce check using `fc-call-nonce`. However, this nonce is publicly embedded in the frontend JavaScript object `wpgmp local`, making the security check ineffective. Attackers can invoke the `wpgmp temp access support()` handler by passing the parameter `check temp=false`, which triggers the `wp insert user()` function to unconditionally create a new WordPress user with a hardcoded administrator role. The system then returns a magic login URL that uses `wp set auth cookie()` to fully authenticate the attacker as the new administrator, leading to complete site takeover. Approximately 15,000 sites are estimated to be affected, and active exploitation has been observed, with thousands of attacks blocked by security services in single-day periods. **Recommendations** Update WP Maps Pro to version 6.1.1 or later. As a temporary workaround, disable the plugin until the update can be applied. Audit the administrator user list and remove any unrecognized accounts. Review site logs for POST requests to 'wp-admin/admin-ajax.php' with the action `wpgmp temp access support` to identify potential exploitation.

**Name of the Vulnerable Software and Affected Versions** Visual Planning Admin Center 8 versions prior to v.1 Build 240207 **Description** The issue is related to insufficient access checks, allowing attackers with non-administrative accounts to utilize functions normally reserved for administrators. This can lead to the obtainment of different types of configured credentials and potentially elevate their privileges to administrator level. **Recommendations** For versions prior to v.1 Build 240207, update to version v.1 Build 240207 or later to resolve the issue. As a temporary workaround, consider restricting access to administrative functions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Stilog Visual Planning version 8 **Description** An authentication bypass issue was found, allowing an unauthenticated attacker to brute-force the password reset PINs of administrative users. **Recommendations** For Stilog Visual Planning version 8, consider temporarily restricting access to the password reset functionality until a patch is available. As a mitigation measure, limit the number of attempts to reset the PIN to prevent brute-force attacks. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Stilog Visual Planning version 8 **Description** An XML external entity (XXE) vulnerability was found in the software. It allows an authenticated attacker to access local server files and exfiltrate data to an external server. **Recommendations** For Stilog Visual Planning version 8, consider disabling XML external entities or restricting access to sensitive files as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Spryker Commerce OS version 0.9 **Description** The issue allows for access to sensitive data via the `customer/order?orderSearchForm[searchText]=` API endpoint, specifically through the `searchText` variable. This is a SQL injection vulnerability, which means an attacker can inject malicious SQL code to manipulate the database. No information is provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For Spryker Commerce OS version 0.9, as a temporary workaround, consider restricting access to the `customer/order` API endpoint or sanitizing the `searchText` variable to prevent SQL injection attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Spryker Commerce OS version 1.4.2 **Description** The issue allows for Remote Command Execution. **Recommendations** For Spryker Commerce OS version 1.4.2, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** zephyr versions 1.14.0 through 2.1.0 and later versions. **Description** An attacker with code execution within a user thread can elevate privileges to that of the kernel. **Recommendations** For zephyr versions 1.14.0 through 2.1.0 and later versions, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** zephyr version 2.1.0 and later versions **Description** The issue concerns the UpdateHub module, which disables DTLS peer checking. This allows for a man-in-the-middle attack. However, firmware images require valid signatures, mitigating the issue to some extent. It's noted that there's no benefit to using DTLS without peer checking. **Recommendations** For zephyr version 2.1.0 and later versions, consider disabling the UpdateHub module until a patch is available that enables DTLS peer checking. As a mitigation measure, ensure that all firmware images are properly signed to minimize the risk of exploitation.