Dikshita Trivedi

**Name of the Vulnerable Software and Affected Versions** The FormFlow: WhatsApp Social and Advanced Form Builder with Easy Lead Collection WordPress plugin versions prior to 2.12.2 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in a multisite setup. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 2.12.2, update to version 2.12.2 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high-privilege users to access and modify the plugin's settings until the update is applied.

**Name of the Vulnerable Software and Affected Versions** DN Footer Contacts WordPress plugin versions prior to 1.6.3 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This can occur even when the unfiltered html capability is disallowed, for example, in a multisite setup. **Recommendations** For versions prior to 1.6.3, update to version 1.6.3 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high privilege users to modify plugin settings until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Admin Page Spider plugin for WordPress versions up to, and including, 3.20 **Description** The issue is related to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue only affects multi-site installations and installations where unfiltered html has been disabled. **Recommendations** For versions up to, and including, 3.20, update to a version that includes the necessary input sanitization and output escaping fixes to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting administrator-level permissions and enabling unfiltered html to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Call Now Button WordPress plugin versions prior to 1.4.7 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example in multisite setups. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 1.4.7, update to version 1.4.7 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high privilege users to modify plugin settings until the update is applied.

**Name of the Vulnerable Software and Affected Versions** AGCA WordPress plugin versions prior to 7.2.2 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This is possible because some settings are not properly sanitised and escaped, and this can occur even when the unfiltered html capability is disallowed, for example in a multisite setup. **Recommendations** For versions prior to 7.2.2, update to version 7.2.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** The Chat Bubble – Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back plugin for WordPress versions up to, and including, 2.3 **Description** The issue is related to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue only affects multi-site installations and installations where unfiltered html has been disabled. **Recommendations** For versions up to, and including, 2.3, update to a version that includes the necessary input sanitization and output escaping fixes to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting administrator-level permissions to minimize the risk of exploitation.