Dogus Demirkiran

Name of the Vulnerable Software and Affected Versions: IP Based Login WordPress plugin versions prior to 2.4.1 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example in multisite setups. This is due to the plugin not sanitizing values when importing. Recommendations: For IP Based Login WordPress plugin versions prior to 2.4.1, update to version 2.4.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Admin and Site Enhancements (ASE) WordPress plugin versions prior to 7.6.10 **Description** The issue concerns the use of a hardcoded password in the Password Protection feature of the Admin and Site Enhancements (ASE) WordPress plugin. This allows an attacker to bypass the protection offered by the plugin via a crafted request. **Recommendations** For versions prior to 7.6.10, update to version 7.6.10 or later to resolve the issue. As a temporary workaround, consider disabling the Password Protection feature until a patch is available. Restrict access to the Password Protection module to minimize the risk of exploitation. Avoid using the hardcoded password in the affected feature until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Smart Maintenance Mode WordPress plugin versions prior to 1.5.2 **Description** The issue concerns the Smart Maintenance Mode WordPress plugin, which does not properly sanitise and escape some of its settings. This could allow high-privilege users, such as administrators, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in a multisite setup. **Recommendations** For versions prior to 1.5.2, update to version 1.5.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the plugin's settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Smart Maintenance Mode WordPress plugin versions prior to 1.5.2 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This is possible because the plugin does not properly sanitise and escape some of its settings. The attack can occur even when the unfiltered html capability is disallowed, for example, in a multisite setup. **Recommendations** For versions prior to 1.5.2, update to version 1.5.2 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high privilege users to modify plugin settings until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Admin and Site Enhancements (ASE) WordPress plugin versions prior to 7.6.10 **Description** The issue allows an attacker to manipulate client IP addresses retrieved from potentially untrusted headers, enabling them to bypass the login limit feature. **Recommendations** For versions prior to 7.6.10, update to version 7.6.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the login feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** System Dashboard WordPress plugin versions prior to 2.8.15 **Description** The issue allows unauthenticated users to perform Cross-Site Scripting attacks due to the plugin not sanitizing and escaping some parameters when outputting them in the page. **Recommendations** For versions prior to 2.8.15, update to version 2.8.15 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** System Dashboard WordPress plugin versions prior to 2.8.15 **Description** The issue is related to the plugin not validating user input used in a path, which could allow high privilege users, such as admin, to perform path traversal attacks and read arbitrary files on the server. **Recommendations** For versions prior to 2.8.15, update to version 2.8.15 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality for high privilege users until the update is applied.

**Name of the Vulnerable Software and Affected Versions** TRtek Software Distant Education Platform versions prior to 3.2024.11 **Description** The issue is related to Improper Neutralization of Special Elements used in an SQL Command, also known as SQL Injection, and Improper Input Validation vulnerability. This allows for SQL Injection and Parameter Injection, posing a serious cybersecurity risk. **Recommendations** For versions prior to 3.2024.11, update to version 3.2024.11 or later to resolve the issue. As a temporary workaround, consider restricting input validation to minimize the risk of exploitation. Restrict access to sensitive database queries to minimize the risk of SQL Injection.