Dayea Song

**Name of the Vulnerable Software and Affected Versions** Country Blocker for AdSense plugin for WordPress versions prior to 1.1 **Description** The software is susceptible to Cross-Site Request Forgery (CSRF) due to the absence of nonce validation in the `CBFA guardar cbfa()` function. This allows unauthenticated attackers to modify the plugin’s settings by deceiving a site administrator into performing an action, such as clicking a malicious link. **Recommendations** Update to version 1.1 or later.

**Name of the Vulnerable Software and Affected Versions** Page Title, Description & Open Graph Updater plugin for WordPress versions prior to 1.03 **Description** The plugin is susceptible to Cross-Site Request Forgery (CSRF) due to the absence of nonce validation on several AJAX actions, including `dieno update page title`. This allows attackers to update page titles and metadata by forging requests, provided they can trick a site administrator into performing an action, such as clicking a link. **Recommendations** Update the Page Title, Description & Open Graph Updater plugin to version 1.03 or later.

**Name of the Vulnerable Software and Affected Versions** Stopwords for Comments WordPress Plugin versions prior to 1.2 **Description** The Stopwords for Comments plugin for WordPress is susceptible to Cross-Site Request Forgery. This is caused by a lack of nonce validation in the `set stopwords for comments` and `delete stopwords for comments` functions. An unauthenticated attacker can add or delete stopwords by forging a request, provided they can trick a site administrator into performing an action, such as clicking a link. **Recommendations** Update Stopwords for Comments to version 1.2 or later.

**Name of the Vulnerable Software and Affected Versions** Sosh Share Buttons plugin for WordPress versions prior to 1.1.1 **Description** The Sosh Share Buttons plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF). This is a result of the absence of nonce validation within the `admin page content` function. An unauthenticated attacker could potentially modify the plugin’s settings by forging a request, provided they can deceive a site administrator into performing an action, such as clicking a malicious link. **Recommendations** Update the Sosh Share Buttons plugin to version 1.1.1 or later.

**Name of the Vulnerable Software and Affected Versions** WPBlogSyn versions prior to 1.1 **Description** The WPBlogSyn plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF). This is a result of inadequate or missing nonce validation. An unauthenticated attacker could potentially modify the plugin’s remote sync settings by deceiving a site administrator into performing an action, such as clicking a malicious link. **Recommendations** Update the WPBlogSyn plugin to version 1.1 or later.

**Name of the Vulnerable Software and Affected Versions** SVG Map Plugin for WordPress versions prior to 1.0.1 **Description** The software is susceptible to Cross-Site Request Forgery (CSRF) due to missing or incorrect nonce validation on multiple AJAX actions. Specifically, the AJAX actions ‘save data’, ‘delete data’, and ‘add popup’ lack proper validation. This allows attackers to potentially update the plugin’s settings, delete map data, and inject malicious web scripts by tricking a site administrator into performing an action. **Recommendations** Update to version 1.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** Mamurjor Employee Info plugin for WordPress versions up to and including 1.0.0 **Description** The software is susceptible to Cross-Site Request Forgery (CSRF) due to the absence of nonce validation on several administrative functions. This allows unauthenticated attackers to create, update, or delete employee records, departments, designations, salary grades, education records, and salary payments by deceiving a site administrator into performing an action, such as clicking a link. **Recommendations** Update the Mamurjor Employee Info plugin to a version beyond 1.0.0.

**Name of the Vulnerable Software and Affected Versions** xShare plugin for WordPress versions up to and including 1.0.1 **Description** The xShare plugin for WordPress is susceptible to Cross-Site Request Forgery. This is caused by a lack of nonce validation within the `xshare plugin reset()` function. An unauthenticated attacker could potentially reset the plugin’s settings by deceiving a site administrator into performing an action, such as clicking a malicious link. **Recommendations** Update the xShare plugin to a version beyond 1.0.1.

**Name of the Vulnerable Software and Affected Versions** Web to SugarCRM Lead plugin for WordPress versions up to and including 1.0.0 **Description** The Web to SugarCRM Lead plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF). This is caused by a lack of nonce validation when deleting custom fields. An unauthenticated attacker could potentially delete custom fields by tricking a site administrator into performing an action, such as clicking a malicious link. **Recommendations** Update the Web to SugarCRM Lead plugin to a version beyond 1.0.0.

**Name of the Vulnerable Software and Affected Versions** Popover Windows plugin for WordPress versions prior to 1.3 **Description** The Popover Windows plugin for WordPress has an issue where data can be modified without proper authorization. This is due to a missing capability check on several ajax actions, including `pop submit` and `poptheme submit`. An authenticated attacker with subscriber-level access or higher can potentially modify the plugin’s settings and content. **Recommendations** Update the Popover Windows plugin to version 1.3 or later.

**Name of the Vulnerable Software and Affected Versions** Popover Windows versions up to and including 1.2 **Description** The Popover Windows plugin for WordPress is susceptible to Cross-Site Request Forgery due to missing or incorrect nonce validation. This allows unauthenticated attackers to modify the plugin’s settings by forging requests, provided they can trick a site administrator into performing an action, such as clicking a link. **Recommendations** Update Popover Windows to a version newer than 1.2.

The IMAQ Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the URL structure settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's URL structure settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

The Rabbit Hole plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the plugin's reset functionality. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The vulnerability is exacerbated by the fact that the reset operation is performed via a GET request, making exploitation trivial via image tags or hyperlinks.

The Purchase and Expense Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation on the 'sup pt handle deletion' function. This makes it possible for unauthenticated attackers to delete arbitrary purchase records via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

**Name of the Vulnerable Software and Affected Versions** Truefy Embed versions up to and including 1.1.0 **Description** The Truefy Embed plugin for WordPress is susceptible to Cross-Site Request Forgery due to the absence of nonce validation on the `truefy embed options update` settings update action. This allows unauthenticated attackers to modify the plugin’s settings, including the API key, by crafting a forged request, provided they can deceive a site administrator into performing an action. **Recommendations** Update the Truefy Embed plugin to a version newer than 1.1.0.

**Name of the Vulnerable Software and Affected Versions** Simple Theme Changer versions prior to 1.1 **Description** The Simple Theme Changer plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF) due to inadequate or missing nonce validation. This allows unauthenticated attackers to modify the plugin’s settings by crafting a malicious request, contingent on deceiving a site administrator into performing an action, such as clicking a link. **Recommendations** Update Simple Theme Changer to version 1.1 or later.

**Name of the Vulnerable Software and Affected Versions** Simple Theme Changer versions prior to 1.1 **Description** The Simple Theme Changer plugin for WordPress has a flaw that allows unauthorized modification of data. This is due to a missing capability check on the `user theme admin`, `display method admin`, and `set change theme button name` actions. Authenticated attackers with subscriber-level access or higher can modify the plugin’s settings. **Recommendations** Update Simple Theme Changer to version 1.1 or later.

**Name of the Vulnerable Software and Affected Versions** Wpik WordPress Basic Ajax Form versions up to and including 1.0 **Description** The Wpik WordPress Basic Ajax Form plugin for WordPress has a Stored Cross-Site Scripting issue because of inadequate input sanitization and output escaping. An authenticated attacker with Contributor-level access or higher can inject arbitrary web scripts via the `dname` parameter. These scripts will execute when a user accesses the injected page. **Recommendations** Update Wpik WordPress Basic Ajax Form to a version newer than 1.0.

**Name of the Vulnerable Software and Affected Versions** Norby AI plugin for WordPress versions up to and including 1.0.3 **Description** The software is susceptible to Cross-Site Request Forgery due to the absence of nonce validation on the settings update functionality. This allows unauthenticated attackers to modify the plugin’s settings and inject malicious web scripts by deceiving a site administrator into performing an action, such as clicking a link. **Recommendations** Update the Norby AI plugin for WordPress to a version newer than 1.0.3.

**Name of the Vulnerable Software and Affected Versions** dream gallery plugin for WordPress versions prior to 1.0 **Description** The dream gallery plugin for WordPress is susceptible to Cross-Site Request Forgery. This is a result of inadequate or missing nonce validation on the `dreampluginsmain` AJAX action. An unauthenticated attacker could potentially update the plugin’s settings and inject malicious web scripts by deceiving a site administrator into performing an action, such as clicking a link. **Recommendations** Update the dream gallery plugin to a version newer than 1.0.