Drop

**Name of the Vulnerable Software and Affected Versions** WooCommerce plugin for WordPress versions up to, and including, 9.0.2 **Description** The issue arises from the plugin not properly neutralizing HTML elements from submitted order forms, making it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views order form submissions. **Recommendations** For versions up to, and including, 9.0.2, update to a version higher than 9.0.2 to resolve the issue. As a temporary workaround, consider restricting access to order form submissions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** LearnPress – WordPress LMS Plugin versions up to, and including, 4.2.6.3 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping in the Course, Lesson, and Quiz title and content. This allows authenticated attackers with LP Instructor-level access to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 4.2.6.3, update to a version that addresses the insufficient input sanitization and output escaping issue to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the Course, Lesson, and Quiz title and content editing features to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** LearnPress – WordPress LMS Plugin versions up to, and including, 4.2.6.3 **Description** The issue allows authenticated attackers to obtain information on orders placed by other users and guests due to missing validation on a user controlled key when looking up order information. This can be leveraged to sign up for paid courses that were purchased by guests, and emails of other users are also exposed. **Recommendations** For versions up to, and including, 4.2.6.3, update to a version later than 4.2.6.3 to resolve the issue. As a temporary workaround, consider restricting access to order information lookup functionality until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Fluent Forms plugin for WordPress versions up to, and including, 5.1.9 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The exploitation level depends on who is granted the right to create forms by an administrator, which can be as low as contributor, but by default is admin. **Recommendations** For versions up to, and including, 5.1.9, update to a version higher than 5.1.9 to resolve the issue. As a temporary workaround, consider restricting the right to create forms to only trusted administrators to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** weForms plugin for WordPress versions up to, and including, 1.6.21 **Description** The issue is related to Stored Cross-Site Scripting via the 'Referer' HTTP header due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 1.6.21, update to a version later than 1.6.21 to resolve the issue. As a temporary workaround, consider restricting access to the 'Referer' HTTP header to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Tutor LMS – eLearning and online course solution plugin for WordPress versions up to, and including, 2.6.0 **Description** The issue allows authenticated attackers with subscriber access or higher to interact with questions in courses they are not enrolled in, including private courses, due to a missing capability check when interacting with questions. **Recommendations** For versions up to, and including, 2.6.0, update to a version higher than 2.6.0 to resolve the issue. As a temporary workaround, consider restricting access to the Q&A content for users who are not enrolled in the respective courses.

**Name of the Vulnerable Software and Affected Versions** The Tutor LMS – eLearning and online course solution plugin for WordPress versions up to, and including, 2.6.0 **Description** The issue is due to insufficient sanitization of HTML input in the Q&A functionality, making it possible for authenticated attackers with Student access and above to inject arbitrary HTML onto a site. This does not allow Cross-Site Scripting. **Recommendations** For versions up to, and including, 2.6.0, update to a version later than 2.6.0 to resolve the issue. As a temporary workaround, consider restricting access to the Q&A functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The PDF Generator For Fluent Forms – The Contact Form Plugin plugin for WordPress versions up to, and including, 1.1.7 **Description** The issue is related to Stored Cross-Site Scripting via the header, PDF body, and footer content parameters due to insufficient input sanitization and output escaping. This allows attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The exploitation level depends on who is granted the right to create forms by an administrator, which can be as low as contributor, but by default is admin. **Recommendations** For versions up to, and including, 1.1.7, update to a version higher than 1.1.7 to resolve the issue. As a temporary workaround, consider restricting the right to create forms to only trusted administrators to minimize the risk of exploitation. Additionally, restrict access to the header, PDF body, and footer content parameters to prevent arbitrary web script injection.

**Name of the Vulnerable Software and Affected Versions** WPForms Pro versions up to, and including, 1.8.5.3 **Description** The WPForms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form submission parameters due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Approximately 710,707 devices are potentially affected, mainly distributed in the United States, Germany, and other countries. **Recommendations** For WPForms Pro versions up to, and including, 1.8.5.3, update to a version later than 1.8.5.3 to resolve the issue. As a temporary workaround, consider restricting access to form submission parameters to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ARForms Form Builder plugin for WordPress versions up to, and including, 1.5.8 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The `arf http referrer url` parameter is specifically vulnerable to this type of attack. **Recommendations** For versions up to, and including, 1.5.8, update to a version higher than 1.5.8 to resolve the issue. As a temporary workaround, consider restricting access to the `arf http referrer url` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Formidable Forms plugin for WordPress versions up to, and including, 6.7 **Description** The Formidable Forms plugin for WordPress is vulnerable to HTML injection. This issue allows unauthenticated users to inject arbitrary HTML code into form fields. When the form data is viewed by an administrator in the Entries View Page, the injected HTML code is rendered, potentially leading to admin area defacement or redirection to malicious websites. **Recommendations** For versions up to, and including, 6.7, update to a version later than 6.7 to resolve the issue. As a temporary workaround, consider restricting access to the Entries View Page to minimize the risk of exploitation. Additionally, restrict the ability of unauthenticated users to inject HTML code into form fields until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress versions up to 6.7 **Description** The issue is related to Stored Cross-Site Scripting via the `name` field label and `description` field label parameter due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrator-level access to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability primarily affects multi-site installations and installations where unfiltered html has been disabled. However, it can also be exploited by lower-level user types if they have been granted the proper permissions in the Formidable settings. **Recommendations** For versions up to 6.7, update to a version later than 6.7 to resolve the issue. As a temporary workaround, consider restricting the form creation, deletion, and other management permissions to only administrator-level users until a patch is available. Restrict access to the `name` field label and `description` field label parameters to minimize the risk of exploitation.