David Hamann

**Name of the Vulnerable Software and Affected Versions** myCred WordPress plugin versions prior to 2.4.3.1 **Description** The issue concerns a lack of authorization and CSRF checks in the `mycred-tools-import-export` AJAX action. This allows any authenticated user to call the action and retrieve the list of email addresses present in the blog. **Recommendations** For versions prior to 2.4.3.1, update to version 2.4.3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `mycred-tools-import-export` AJAX action to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Safe SVG WordPress plugin versions prior to 1.9.10 **Description** The sanitisation step of the Safe SVG WordPress plugin can be bypassed by spoofing the `content-type` in the POST request to upload a file, allowing an attacker to perform attacks that the plugin should prevent, mainly XSS, but potentially other XML attacks depending on further use of uploaded SVG files. **Recommendations** For versions prior to 1.9.10, update to version 1.9.10 or later to resolve the issue. As a temporary workaround, consider restricting the upload of SVG files or disabling the plugin until a patch is available. Avoid using the vulnerable plugin to upload SVG files until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Claris FileMaker Pro and Server (including WebDirect) versions prior to 19.4.1 Description: The issue allows a remote attacker to disclose local files via a crafted XML/Excel document and perform server-side request forgery attacks. Recommendations: For versions prior to 19.4.1, update to version 19.4.1 or later to resolve the issue.