Dmtirii Ignatyev

**Name of the Vulnerable Software and Affected Versions** All in One SEO WordPress plugin versions prior to 4.6.1.1 **Description** The issue allows users with the contributor role and above to perform Stored Cross-Site Scripting attacks due to the plugin not validating and escaping some of its Post fields before outputting them back. This could potentially lead to remote code execution. **Recommendations** For versions prior to 4.6.1.1, upgrade the affected plugin immediately to the latest version.

**Name of the Vulnerable Software and Affected Versions** Gutenverse WordPress plugin versions prior to 1.9.1 **Description** The issue allows users with the contributor role and above to perform Stored Cross-Site Scripting attacks due to the lack of validation of the `htmlTag` option in various blocks before outputting it back in a page or post. This could enable contributors to hijack admin accounts. **Recommendations** For versions prior to 1.9.1, update to version 1.9.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `htmlTag` option in blocks to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Filr WordPress plugin version 1.2.3.6 and earlier **Description** The issue allows for Remote Code Execution (RCE), enabling the operating system to execute commands and fully compromise the server on behalf of a user with Author-level privileges. **Recommendations** For versions prior to 1.2.3.6, update to version 1.2.3.6 or later to resolve the issue. As a temporary workaround, consider restricting privileges to prevent Author-level users from exploiting the vulnerability.