Dmitry Ignatyev

The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax pay for order()` function in all versions up to, and including, 10.7.0 This is due to a missing order ownership or order key verification when processing payment for an order via the `wc stripe pay for order` WC-AJAX endpoint. The function only validates a nonce (which is publicly available on any WooCommerce page where Express Checkout is enabled), but does not verify that the requesting user owns the target order and is allowed to modify it. This makes it possible for unauthenticated attackers to force any pending order into a failed status by providing a fake payment method, causing a payment exception that updates the order status to "failed" via sequential order ID enumeration.

**Name of the Vulnerable Software and Affected Versions** FooGallery versions prior to 3.1.32 **Description** The FooGallery plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs because the `foogallery sanitize javascript()` function uses an incomplete blacklist for JavaScript event handlers, blocking only a specific subset (onmouseover, onmouseout, onpointerenter, onclick, onload, onchange, onerror) while allowing others like `onmouseenter`. Additionally, the `foogallery build container attributes safe()` function fails to escape the attribute key when constructing the gallery container HTML. Authenticated attackers with contributor-level access or higher can exploit the `custom attribute key` shortcode parameter to inject arbitrary web scripts that execute when a user visits the affected page. **Recommendations** Update to a version later than 3.1.31. As a temporary workaround, restrict the use of the `custom attribute key` shortcode parameter by users with contributor-level access.

**Name of the Vulnerable Software and Affected Versions** Presto Player versions prior to 4.2.1 **Description** The Presto Player plugin for WordPress contains a Stored Cross-Site Scripting issue. The `getOverlays()` function fails to properly sanitize input and escape output, allowing the `link url` parameter of the `[presto player overlay]` shortcode to be copied directly into the overlay configuration without scheme validation. This allows `javascript:` URIs to be rendered as the href of a clickable anchor element by the presto-dynamic-overlay-ui web component. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts that execute when a user visits the affected page. **Recommendations** Update to a version later than 4.2.0. As a temporary workaround, restrict the use of the `link url` parameter within the `[presto player overlay]` shortcode.

**Name of the Vulnerable Software and Affected Versions** All-In-One Security (AIOS) – Security and Firewall plugin for WordPress versions prior to 5.4.8 **Description** Stored Cross-Site Scripting occurs due to insufficient input sanitization in the `get rest route()` function and missing output escaping in the `column default()` method of the debug log list table. When the 'Disable REST API for non-logged in users' feature (`aiowps disallow unauthorized rest requests`) and debug logging (`aiowps enable debug`) are both enabled, an unauthenticated attacker can embed arbitrary HTML or JavaScript in the REST request path. The path is retrieved via `urldecode($ SERVER['REQUEST URI'])`, which decodes payloads into literal HTML characters. This unsanitized value is stored in the database and subsequently executed in an administrator's browser session when they view the AIOS Dashboard Debug Logs page. This can lead to nonce theft, privileged AJAX/REST actions, and full site compromise. **Recommendations** Update the plugin to a version later than 5.4.7. As a temporary workaround, disable the `aiowps enable debug` debug logging or the `aiowps disallow unauthorized rest requests` feature to prevent the storage and execution of malicious scripts.

The Easy Updates Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'paged' parameter in versions up to, and including, 9.0.20 This is due to insufficient input sanitization and output escaping in the pagination() function. This makes it possible for attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page granted they can trick an administrator into performing an action such as clicking on a link.

The PDF Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.3 via the enqueue block assets. This makes it possible for authenticated attackers, with contributor-level access and above, to extract configuration data. License key exposure occurs when the premium add-on is also installed and has saved a key; on Lite-only installations, the exposed data is limited to non-sensitive viewer configuration values such as width, height, toolbar settings, usage tracking, and plan.

**Name of the Vulnerable Software and Affected Versions** WooCommerce PayPal Payments versions prior to 4.0.2 **Description** Missing authorization checks on the 'ppc-create-order' and 'ppc-get-order' WC-AJAX endpoints allow unauthorized order manipulation and information disclosure. The 'ppc-create-order' endpoint accepts an arbitrary WooCommerce order ID via the `pay-now` context without validating order ownership, enabling attackers to create PayPal orders for any WooCommerce order and write PayPal metadata to it. Additionally, the 'ppc-get-order' endpoint returns full PayPal order details for any PayPal order ID without binding to the requester's session. Unauthenticated attackers can chain these endpoints to manipulate payment flows of other customers and exfiltrate sensitive data, including payer information and shipping data. **Recommendations** Update to a version later than 4.0.1. As a temporary workaround, restrict access to the 'ppc-create-order' and 'ppc-get-order' endpoints to minimize the risk of exploitation.

The Creative Mail – Easier WordPress & WooCommerce Email Marketing plugin for WordPress is vulnerable to SQL Injection via the 'checkout uuid' parameter in all versions up to, and including, 1.6.9. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the `has checkout consent()` method. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

The MapGeo – Interactive Geo Maps plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'map' parameter in the display-map shortcode in all versions up to, and including, 1.6.27 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

**Name of the Vulnerable Software and Affected Versions** Hostinger Reach – AI-Powered Email Marketing for WordPress versions prior to 1.3.9 **Description** The Hostinger Reach – AI-Powered Email Marketing for WordPress plugin allows unauthorized modification of data because the `handle ajax action()` function lacks a capability check. Authenticated users with Subscriber-level access or higher can utilize the 'hostinger reach connection notice action' action to update the API key stored in the database. This issue is exploitable only if the plugin is not connected to a site and no API key currently exists in the database. **Recommendations** Update to a version later than 1.3.8.

**Name of the Vulnerable Software and Affected Versions** MonsterInsights – Google Analytics Dashboard for WordPress versions prior to 10.1.3 **Description** Missing capability checks in the `get ads access token()` and `reset experience()` functions allow authenticated attackers with Subscriber-level access or higher to retrieve live Google OAuth access tokens and reset the Google Ads integration. **Recommendations** Update to a version later than 10.1.2. As a temporary workaround, restrict access to the `get ads access token()` and `reset experience()` functions to minimize the risk of unauthorized data access and modification.

**Name of the Vulnerable Software and Affected Versions** Royal Elementor Addons versions prior to 1.7.1058 **Description** The Royal Elementor Addons plugin for WordPress contains a Server-Side Request Forgery (SSRF) issue. This occurs because the `render csv data()` function does not sufficiently validate user-supplied URLs, which can be bypassed by including 'docs.google.com/spreadsheets' in a query parameter. These URLs are then used in `fopen()` calls without blocking internal or private network addresses. Authenticated attackers with Contributor-level access or higher can exploit this to make requests to arbitrary URLs and retrieve sensitive information from internal services. **Recommendations** Update the plugin to a version later than 1.7.1057. As a temporary workaround, restrict access to the `render csv data()` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ExactMetrics – Google Analytics Dashboard for WordPress versions prior to 9.1.3 **Description** Missing authorization in the plugin allows authenticated attackers with subscriber-level access or higher to retrieve valid Google Ads access tokens and reset Google Ads integration settings. This occurs because the AJAX handlers `get ads access token()` and `reset experience()` only verify the nonce and fail to perform necessary capability checks, unlike other endpoints in the same class that require the `exactmetrics save settings` capability. **Recommendations** Update the plugin to a version later than 9.1.2. As a temporary workaround, restrict access to the `get ads access token()` and `reset experience()` AJAX handlers.

**Name of the Vulnerable Software and Affected Versions** Royal Elementor Addons versions prior to 1.7.1057 **Description** The Royal Elementor Addons plugin for WordPress contains a Stored Cross-Site Scripting issue within the Image Grid/Slider/Carousel widget. The flaw exists in the `render post thumbnail()` function due to insufficient output escaping, specifically where `wp kses post()` is used instead of `esc attr()` for the alt attribute context. Authenticated attackers with Author-level access or higher can inject arbitrary web scripts via image captions. These scripts execute when a user views a page containing the malicious image displayed in the media grid widget. **Recommendations** Update the plugin to a version later than 1.7.1056. As a temporary workaround, restrict access to the `render post thumbnail()` function or limit the permissions of users who can edit image captions in the Image Grid/Slider/Carousel widget.

**Name of the Vulnerable Software and Affected Versions** HubSpot All-In-One Marketing - Forms, Popups, Live Chat versions prior to 11.3.33 **Description** An issue exists in the `leadin/public/admin/class-adminconstants.php` file that allows authenticated attackers with Contributor-level access or higher to extract a list of all installed plugins and their respective versions. This exposure of sensitive information can be used for reconnaissance to facilitate further attacks. **Recommendations** Update the plugin to a version later than 11.3.32. Restrict access to the `leadin/public/admin/class-adminconstants.php` file to minimize the risk of information exposure.

**Name of the Vulnerable Software and Affected Versions** Email Encoder WordPress plugin versions prior to 2.3.4 **Description** Certain settings are not properly sanitized and escaped. This allows high privilege users, such as administrators, to perform Stored Cross-Site Scripting attacks, which occurs when a malicious script is permanently stored on the target server, even in environments where the `unfiltered html` capability is disabled, such as in multisite setups. **Recommendations** Update the plugin to version 2.3.4.

**Name of the Vulnerable Software and Affected Versions** Unlimited Elements for Elementor versions prior to 2.0.7 **Description** An arbitrary file read issue exists due to insufficient path traversal sanitization in the `URLtoRelative()` and `urlToPath()` functions, combined with the ability to enable debug output in widget settings. The `URLtoRelative()` function removes the site base URL but fails to sanitize path traversal sequences (../), while the `cleanPath()` function normalizes directory separators without removing traversal components. This allows authenticated attackers with Author-level access and above to read arbitrary local files from the WordPress host, such as wp-config, by providing a crafted URL in the 'Repeater JSON/CSV URL' parameter. **Recommendations** Update the plugin to a version later than 2.0.6.

**Name of the Vulnerable Software and Affected Versions** Shortcodes Ultimate versions prior to 7.5.0 **Description** The Shortcodes Ultimate plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs due to insufficient input sanitization and output escaping on user supplied attributes within the 'su box' shortcode. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages, which then execute when a user visits the affected page. **Recommendations** Update to a version later than 7.4.9.

Name of the Vulnerable Software and Affected Versions WP-Optimize plugin for WordPress versions up to and including 4.5.0 Description The WP-Optimize plugin for WordPress has a flaw that allows unauthorized access to functionality. This is due to missing capability checks in the `receive heartbeat()` function within the `includes/class-wp-optimize-heartbeat.php` file. The Heartbeat handler directly invokes `Updraft Smush Manager Commands` methods without proper verification of user capabilities, nonce tokens, or a command whitelist. This allows authenticated attackers with Subscriber-level access or higher to perform admin-only Smush operations, including reading log files via the `/api/v1/smush/logs` endpoint, deleting all backup images using the `clean all backup images()` function, triggering bulk image processing with the `process bulk smush()` function, and modifying Smush options through the `update smush options()` function. Recommendations Update to a version of the WP-Optimize plugin later than 4.5.0.

Name of the Vulnerable Software and Affected Versions The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net versions up to and including 1.1.5 Description The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is susceptible to Cross-Site Request Forgery due to missing nonce validation on the `woobe redraw table row()` function. This allows unauthenticated attackers to modify WooCommerce product data, including prices and descriptions, by tricking a site administrator or shop manager into performing an action. Recommendations Versions up to and including 1.1.5 should be updated to a newer version that includes nonce validation for the `woobe redraw table row()` function.