Dimas Maulana

**Name of the Vulnerable Software and Affected Versions** My Sticky Bar versions up to and including 2.8.6 **Description** The My Sticky Bar plugin for WordPress is susceptible to SQL injection through the `stickymenu contact lead form` AJAX action. This occurs because the handler directly uses attacker-controlled POST parameter names as SQL column identifiers within the `$wpdb->insert()` function. While parameter values are sanitized using `esc sql()` and `sanitize text field()`, the parameter keys are used without modification when constructing the column list in the INSERT statement. This allows unauthenticated attackers to inject SQL code through crafted parameter names, potentially enabling blind time-based data extraction from the database. The **API Endpoint** involved is `stickymenu contact lead form`. The vulnerable component utilizes POST parameters, where the parameter names are directly used as SQL column identifiers. **Recommendations** Versions up to and including 2.8.6 should be updated to a newer, fixed version if available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Geo Mashup versions through 1.13.16 Description: A flaw exists in the handling of filename control for include/require statements within a PHP program, specifically a PHP Local File Inclusion issue in Dylan Kuhn Geo Mashup. This allows for the local inclusion of files in PHP. Recommendations: Update Geo Mashup to a version later than 1.13.16.

**Name of the Vulnerable Software and Affected Versions** WPoperation Arrival versions 1.4.5 and earlier **Description** The issue is related to an Improper Control of Filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion' vulnerability. This allows PHP Local File Inclusion. **Recommendations** For WPoperation Arrival versions 1.4.5 and earlier, update to a version that fixes this issue, as the current version is affected by the PHP Local File Inclusion vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Checkout Field Visibility for WooCommerce versions 1.2.3 and earlier **Description** The issue is related to an Improper Control of Filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion'. This allows for PHP Local File Inclusion. **Recommendations** For versions 1.2.3 and earlier, update to a version that fixes this issue, as the current version is affected by the PHP Local File Inclusion vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CWW Portfolio versions 1.3.1 and earlier **Description** The issue is related to an Improper Control of Filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion', which allows PHP Local File Inclusion. This means that an attacker could potentially include and execute local files on the server, leading to unauthorized access or code execution. **Recommendations** For versions 1.3.1 and earlier, update to a version that fixes this issue, as using vulnerable versions may allow unauthorized access or code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ACF: Google Font Selector versions 3.0.1 and earlier **Description** The issue is related to improper neutralization of input during web page generation, which allows for reflected cross-site scripting (XSS). This can be exploited through the ACF: Google Font Selector, enabling attackers to inject malicious scripts into web pages. **Recommendations** For ACF: Google Font Selector versions 3.0.1 and earlier, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** cedcommerce Product Lister for eBay versions n/a through 2.0.9 **Description** The issue is related to an Improper Control of Filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion', which allows PHP Local File Inclusion. This is a type of security vulnerability that can be exploited by manipulating the filename parameter in include or require statements, potentially leading to the execution of malicious code. **Recommendations** For versions n/a through 2.0.9, update to a version later than 2.0.9 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light versions through 2.4.37 **Description** The issue is related to Improper Control of Filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion', which allows PHP Local File Inclusion. **Recommendations** For versions through 2.4.37, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** everestthemes Grace Mag versions 1.1.5 and earlier **Description** The issue affects the everestthemes Grace Mag, allowing for PHP Local File Inclusion due to improper control of filename for include/require statement in PHP program, also known as 'PHP Remote File Inclusion'. **Recommendations** For versions 1.1.5 and earlier, update to a version that fixes this issue, as the current version allows for PHP Local File Inclusion. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Anything Popup versions n/a through 7.3 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting. This allows for Reflected XSS, where an attacker can inject malicious scripts into a website. **Recommendations** For versions n/a through 7.3, update to a version that fixes the Cross-site Scripting issue to prevent Reflected XSS attacks. As a temporary workaround, consider restricting user input to prevent malicious scripts from being injected into the web page. Avoid using the Anything Popup until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Xews Lite versions 1.0.9 and earlier **Description** The issue is related to an Improper Control of Filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion' vulnerability. This allows PHP Local File Inclusion. **Recommendations** For Xews Lite versions 1.0.9 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WPoperation Opstore versions 1.4.5 and earlier **Description** The issue is related to an Improper Control of Filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion' vulnerability. This allows PHP Local File Inclusion in WPoperation Opstore. **Recommendations** For WPoperation Opstore versions 1.4.5 and earlier, update to a version that fixes this issue, as no specific workaround is provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** License For Envato versions 1.0.0 and earlier **Description** The issue is related to an Improper Control of Filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion' or 'PHP Local File Inclusion'. This allows an attacker to potentially include malicious files, which could lead to code execution or other security issues. **Recommendations** For versions 1.0.0 and earlier, consider restricting access to sensitive files and directories to minimize the risk of exploitation, as a temporary workaround, until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Capturly versions n/a through 2.0.1 **Description** The issue is related to Improper Control of Filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion' vulnerability. This allows PHP Local File Inclusion in Capturly. **Recommendations** For versions n/a through 2.0.1, update to a version that fixes the Improper Control of Filename for Include/Require Statement issue to prevent PHP Local File Inclusion. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** arete-it Activity Reactions For Buddypress versions 1.0.0 through 1.0.22 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, allowing Reflected XSS. This enables potential attackers to inject malicious scripts into web pages. **Recommendations** For arete-it Activity Reactions For Buddypress versions 1.0.0 through 1.0.22, update to a version later than 1.0.22 to resolve the issue. At the moment, there is no information about additional mitigation measures for this specific vulnerability.

**Name of the Vulnerable Software and Affected Versions** teamzt Smart Agreements versions 1.0.3 and earlier **Description** The issue is related to an Improper Control of Filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion' vulnerability, which allows PHP Local File Inclusion. **Recommendations** For teamzt Smart Agreements versions 1.0.3 and earlier, update to a version later than 1.0.3 to resolve the issue. As a temporary workaround, consider restricting access to vulnerable PHP files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Zephyr Project Manager versions n/a through 3.3.101 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as 'Cross-site Scripting', which allows Reflected XSS. This means an attacker can inject malicious scripts into a website, potentially stealing user data or taking control of user sessions. **Recommendations** For versions n/a through 3.3.101, update to a version that fixes the Improper Neutralization of Input During Web Page Generation issue to prevent Reflected XSS attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** wecantrack Affiliate Links Lite versions 3.1.0 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Reflected XSS. This means an attacker can inject malicious scripts into a website, potentially stealing user data or taking control of user sessions. **Recommendations** For wecantrack Affiliate Links Lite versions 3.1.0 and earlier, update to a version later than 3.1.0 to resolve the issue. At the moment, there is no information about additional mitigation measures for this specific vulnerability.

**Name of the Vulnerable Software and Affected Versions** AdminQuickbar versions 1.9.1 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, allowing Reflected XSS. This enables potential attackers to inject malicious scripts into web pages. **Recommendations** For AdminQuickbar versions 1.9.1 and earlier, update to a version that includes a fix for this issue, as no specific workaround is provided.

**Name of the Vulnerable Software and Affected Versions** Docket Cache versions through 24.07.02 **Description** The issue is related to an Improper Control of Filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion' vulnerability. This vulnerability allows PHP Local File Inclusion. **Recommendations** For versions through 24.07.02, update to a version that fixes the Improper Control of Filename for Include/Require Statement in PHP Program vulnerability to prevent PHP Local File Inclusion. At the moment, there is no information about a newer version that contains a fix for this vulnerability.