Dhabaleshwar Das

**Name of the Vulnerable Software and Affected Versions** VikRestaurants Table Reservations and Take-Away versions 1.3.3 and earlier **Description** The issue is a Cross-Site Request Forgery (CSRF) vulnerability, which allows Cross Site Request Forgery. **Recommendations** For versions 1.3.3 and earlier, update to a version that contains a fix for this issue, however at the moment, there is no information about a newer version that contains a fix for this issue. As a temporary workaround, consider implementing CSRF protection measures to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Chat2 versions prior to 3.6.3 Description: The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability, which allows unauthorized actions to be performed on behalf of a user. Recommendations: For versions prior to 3.6.3, update to a version that includes the fix for this issue. As a temporary workaround, consider implementing additional validation for requests to prevent unauthorized actions.

Name of the Vulnerable Software and Affected Versions: WordPress Events Calendar Plugin – connectDaily versions 1.4.8 and earlier Description: The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability that also allows Cross-Site Scripting (XSS) in the WordPress Events Calendar Plugin – connectDaily. Recommendations: For WordPress Events Calendar Plugin – connectDaily versions 1.4.8 and earlier, update to a version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: REVE Chat versions n/a through 6.2.2 Description: The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability and Stored XSS in REVE Chat. Recommendations: For versions n/a through 6.2.2, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to sensitive features that may be exploited through CSRF or Stored XSS attacks until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Ateeq Rafeeq RepairBuddy versions n/a through 3.8211 **Description** The issue is related to a Missing Authorization vulnerability, which allows exploiting incorrectly configured access control security levels. **Recommendations** For versions n/a through 3.8211, update to a version that addresses the Missing Authorization vulnerability. As a temporary workaround, consider restricting access to sensitive areas of the application to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Astra Security Suite versions 0.2 and earlier **Description** The issue is related to a Missing Authorization vulnerability, which allows the exploitation of incorrectly configured access control security levels. **Recommendations** For Astra Security Suite versions 0.2 and earlier, update to a version that includes the necessary security patches to fix the Missing Authorization vulnerability. As a temporary workaround, consider restricting access to sensitive areas of the Astra Security Suite to minimize the risk of exploitation due to incorrectly configured access control security levels.

**Name of the Vulnerable Software and Affected Versions** DesignO versions n/a through 2.2.0 **Description** The issue is related to a Cross-Site Request Forgery (CSRF) problem, which allows for Cross Site Request Forgery. This is a type of attack where an attacker can trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For versions n/a through 2.2.0, consider implementing proper CSRF token validation to prevent unauthorized requests. As a temporary workaround, restrict access to sensitive functionality that may be exploited through CSRF attacks until a proper fix is applied.

**Name of the Vulnerable Software and Affected Versions** Apimo Connector versions n/d through 2.6.3.1 **Description** The issue is related to a Cross-Site Request Forgery (CSRF) problem, which allows for Cross-Site Request Forgery. **Recommendations** For versions n/d through 2.6.3.1, update to a version later than 2.6.3.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Appointy Appointment Scheduler versions n/a through 4.2.1 **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability, which allows for Cross Site Request Forgery. This means an attacker can trick a user into performing unintended actions on the web application. **Recommendations** For Appointy Appointment Scheduler versions n/a through 4.2.1, update to a version later than 4.2.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** VikBooking Hotel Booking Engine & PMS versions 1.7.2 and earlier **Description** The issue affects the access control security levels in VikBooking Hotel Booking Engine & PMS, allowing exploitation due to incorrectly configured security levels. This is related to a Missing Authorization vulnerability. **Recommendations** For versions 1.7.2 and earlier, update to a version that includes the necessary security patches to fix the Missing Authorization vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Estatebud – Properties & Listings plugin for WordPress versions up to, and including, 5.5.0 **Description** The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the 'estatebud settings' page. This allows unauthenticated attackers to update the plugin's settings via a forged request if they can trick a site administrator into performing a specific action, such as clicking on a link. **Recommendations** For versions up to, and including, 5.5.0, update to a version that includes the fix for the nonce validation issue on the 'estatebud settings' page to prevent Cross-Site Request Forgery attacks.

**Name of the Vulnerable Software and Affected Versions** RateMyAgent Official plugin for WordPress versions up to and including 1.4.0 **Description** The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the 'rma-settings-wizard'. This allows unauthenticated attackers to update the plugin's API key via a forged request if they can trick a site administrator into performing a specific action. **Recommendations** For versions up to and including 1.4.0, update to a version that includes proper nonce validation to prevent Cross-Site Request Forgery attacks. As a temporary workaround, consider restricting access to the 'rma-settings-wizard' to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SakolaWP plugin for WordPress versions prior to 1.0.9 **Description** The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the `save exam setting` and `delete exam setting` actions. This allows unauthenticated attackers to update exam settings by tricking a site administrator into performing an action, such as clicking on a link, via a forged request. **Recommendations** For SakolaWP plugin for WordPress versions prior to 1.0.9, update to version 1.0.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the `save exam setting` and `delete exam setting` actions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SpeedSize Image & Video AI-Optimizer plugin for WordPress versions up to, and including, 1.5.1 **Description** The issue is due to missing or incorrect nonce validation on the `speedsize clear css cache action` function, making it possible for unauthenticated attackers to clear the plugin's cache via a forged request. This can be achieved if the attackers can trick a site administrator into performing an action, such as clicking on a link. **Recommendations** For versions up to, and including, 1.5.1, consider disabling the `speedsize clear css cache action` function until a patch is available to prevent exploitation. Restrict access to the plugin's cache management functionality to minimize the risk of cache clearance by unauthorized parties. Avoid using the plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mortgage Lead Capture System plugin for WordPress versions up to, and including, 8.2.10 **Description** The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the `wprequal reset defaults` action. This allows unauthenticated attackers to reset the plugin's settings by tricking a site administrator into performing an action, such as clicking on a link. **Recommendations** For Mortgage Lead Capture System plugin for WordPress versions up to, and including, 8.2.10: Update to a version later than 8.2.10 to resolve the issue. As a temporary workaround, consider restricting access to the `wprequal reset defaults` action to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Houzez Property Feed plugin for WordPress versions up to, and including, 2.4.21 **Description** The issue is due to missing or incorrect nonce validation on the `deleteexport` action, making it possible for unauthenticated attackers to delete property feed exports via a forged request. This can be achieved by tricking a site administrator into performing an action, such as clicking on a link. **Recommendations** For versions up to, and including, 2.4.21, update to a version that includes the fix for the missing or incorrect nonce validation on the `deleteexport` action. As a temporary workaround, consider restricting access to the `deleteexport` action to prevent unauthenticated attackers from deleting property feed exports.

**Name of the Vulnerable Software and Affected Versions** Linear plugin for WordPress versions up to, and including, 2.8.1 **Description** The issue is due to missing or incorrect nonce validation on the `linear-debug` feature, making it possible for unauthenticated attackers to reset the plugin's cache via a forged request if they can trick a site administrator into performing a specific action, such as clicking on a link. **Recommendations** For versions up to, and including, 2.8.1, consider disabling the `linear-debug` feature until a patch is available to prevent exploitation. Restrict access to the Linear plugin's cache reset functionality to minimize the risk of exploitation. Avoid using the `linear-debug` feature in the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** G5Theme Essential Real Estate versions 5.1.8 and earlier **Description** A Cross-Site Request Forgery (CSRF) issue affects the software, allowing unauthorized actions to be performed on behalf of a user. **Recommendations** For versions 5.1.8 and earlier, update to a version that includes a fix for this issue, as no specific workaround is provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Automate Hub Free by Sperse.IO plugin for WordPress versions up to and including 1.7.0 **Description** The issue is due to missing or incorrect nonce validation on the 'automate hub' page, making it possible for unauthenticated attackers to update an activation status via a forged request if they can trick a site administrator into performing an action such as clicking on a link. This allows attackers to manipulate site settings without authorization. **Recommendations** For Automate Hub Free by Sperse.IO plugin for WordPress versions up to and including 1.7.0, update to a version later than 1.7.0 to resolve the issue. As a temporary workaround, consider restricting access to the 'automate hub' page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** VikAppointments Services Booking Calendar versions 1.2.16 and earlier **Description** The issue is related to improper neutralization of input during web page generation, which allows stored Cross-site Scripting (XSS). This means an attacker can inject malicious scripts into the website, potentially affecting users who access the compromised page. The estimated number of potentially affected devices worldwide is not specified. There is no information provided about real-world incidents where this issue was exploited. **Recommendations** For versions 1.2.16 and earlier, update to a version later than 1.2.16 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable calendar module until a patch is available. Avoid using the vulnerable calendar functionality in the affected versions until the issue is resolved.