Emad

**Name of the Vulnerable Software and Affected Versions** codedrafty Mediabay versions 1.6 and earlier **Description** The issue is related to a Missing Authorization vulnerability, which allows the exploitation of incorrectly configured access control security levels. **Recommendations** For codedrafty Mediabay versions 1.6 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Agency Dominion Fusion versions n/a through 1.6.1 **Description** The issue is related to improper neutralization of input during web page generation, which allows for stored cross-site scripting (XSS). This means that an attacker can inject malicious scripts into the web application, potentially affecting users who access the compromised pages. **Recommendations** For versions n/a through 1.6.1, update to a version later than 1.6.1 to resolve the issue. As a temporary workaround, consider restricting user input to prevent malicious script injection until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Nickolas Bossinas WordPress File Upload versions 4.24.7 and earlier **Description** The issue is related to a Broken Access Control vulnerability, which allows exploitation due to incorrectly configured access control security levels. **Recommendations** For versions 4.24.7 and earlier, update to a version later than 4.24.7 to resolve the issue. At the moment, there is no information about other specific mitigation measures for this vulnerability.

Name of the Vulnerable Software and Affected Versions: MAS Static Content plugin for WordPress versions up to, and including, 1.0.8 Description: The issue allows authenticated attackers with contributor-level access and above to extract potentially sensitive information from private static content pages via the `static content()` function. Recommendations: For versions up to, and including, 1.0.8, update to a version higher than 1.0.8 to resolve the issue. As a temporary workaround, consider restricting access to the `static content()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Codection Import and export users and customers versions n/a through 1.26.8 **Description** The issue allows exposure of sensitive information to an unauthorized actor due to accessing functionality not properly constrained by ACLs. This affects the import and export users and customers functionality. **Recommendations** For versions n/a through 1.26.8, update to a version that properly constrains functionality by ACLs to prevent unauthorized access to sensitive information. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Advanced File Manager plugin for WordPress versions up to, and including, 5.2.4 **Description** The issue allows unauthenticated attackers to extract sensitive data, including backups or other sensitive information, if the files have been moved to the built-in Trash folder. This is possible via the `fma local file system` function. **Recommendations** For versions up to, and including, 5.2.4, consider disabling the `fma local file system` function until a patch is available to prevent sensitive information exposure. Restrict access to the built-in Trash folder to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ninja Tables versions prior to 5.0.6 **Description** A Missing Authorization issue has been identified. This issue affects the Ninja Tables plugin, allowing unauthorized access. **Recommendations** For versions prior to 5.0.6, update to version 5.0.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Metagauss ProfileGrid versions 5.6.6 and earlier **Description** A Missing Authorization issue has been identified. This issue affects Metagauss ProfileGrid, allowing potential unauthorized access. **Recommendations** For Metagauss ProfileGrid versions 5.6.6 and earlier, update to a version that contains a fix for this issue, as no specific workaround is provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** weForms versions 1.6.18 and earlier **Description** A Missing Authorization issue has been identified in weForms. This issue allows for potential unauthorized access. **Recommendations** For weForms versions 1.6.18 and earlier, update to a version later than 1.6.18 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Ninja Tables versions 5.0.6 and earlier **Description** A Missing Authorization issue has been identified. This issue affects the Ninja Tables plugin, allowing potential unauthorized access due to the lack of proper authorization checks. **Recommendations** For Ninja Tables versions 5.0.6 and earlier, update to a version later than 5.0.6 to resolve the Missing Authorization issue.

**Name of the Vulnerable Software and Affected Versions** Welcart e-Commerce versions 2.9.14 and earlier **Description** The issue is related to a Missing Authorization vulnerability in Welcart e-Commerce. **Recommendations** For versions 2.9.14 and earlier, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Codection Import and export users and customers versions 1.26.5 and earlier **Description** The issue is related to a Missing Authorization vulnerability. This vulnerability affects the import and export functionality for users and customers. **Recommendations** For versions 1.26.5 and earlier, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Code for Recovery 12 Step Meeting List versions 3.14.28 and earlier **Description** The issue is related to a Missing Authorization vulnerability in the Code for Recovery 12 Step Meeting List. **Recommendations** For versions 3.14.28 and earlier, update to a version that includes the fix for the Missing Authorization issue, however at the moment there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** All-in-One Video Gallery versions 3.5.2 and earlier **Description** The issue is related to a Missing Authorization vulnerability in the All-in-One Video Gallery plugin. This vulnerability affects versions from n/a through 3.5.2. **Recommendations** For versions 3.5.2 and earlier, update to a version later than 3.5.2 to resolve the issue. As a temporary workaround, consider restricting access to sensitive areas of the plugin until a patch is available.

**Name of the Vulnerable Software and Affected Versions** dFactory Responsive Lightbox versions through 2.4.6 **Description** A Missing Authorization vulnerability has been identified in dFactory Responsive Lightbox. This issue may expose websites to unauthorized access. The estimated number of potentially affected devices is not specified. There is no information available about real-world incidents where this issue was exploited. **Recommendations** For versions through 2.4.6, update to a version later than 2.4.6 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Codection Import and export users and customers versions 1.24.6 and earlier **Description** The issue is related to a Missing Authorization vulnerability in Codection Import and export users and customers. This vulnerability affects the import and export functionality of users and customers. **Recommendations** For versions 1.24.6 and earlier, update to a version that includes the fix for the Missing Authorization vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The FileOrganizer – Manage WordPress and Website Files plugin for WordPress versions up to, and including, 1.0.7 **Description** The issue allows unauthenticated attackers to extract sensitive data, including backups or other sensitive information, if the files have been moved to the built-in Trash folder. This is possible via the `fileorganizer ajax handler` function. **Recommendations** For versions up to, and including, 1.0.7, update to a version later than 1.0.7 to resolve the issue. As a temporary workaround, consider disabling the `fileorganizer ajax handler` function until a patch is available. Restrict access to the built-in Trash folder to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Lukman Nakib Debug Log – Manger Tool versions 1.4.5 and earlier **Description** The issue is related to the insertion of sensitive information into log files. This could potentially expose sensitive data. The estimated number of affected devices is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For versions 1.4.5 and earlier, update to a version that contains a fix for this issue, as the current version may expose sensitive data in logs. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Font Farsi plugin for WordPress versions up to, and including, 1.6.6 **Description** The issue is related to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue only affects multi-site installations and installations where unfiltered html has been disabled. **Recommendations** For Font Farsi plugin for WordPress versions up to, and including, 1.6.6, update to a version later than 1.6.6 to resolve the issue. As a temporary workaround, consider restricting access to admin settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Automatic Translator with Google Translate plugin for WordPress versions up to, and including, 1.5.4 **Description** The issue is related to Stored Cross-Site Scripting via the custom font setting due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrator-level access to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue only affects multi-site installations and installations where unfiltered html has been disabled. **Recommendations** For versions up to, and including, 1.5.4, update to a version that includes the necessary input sanitization and output escaping fixes to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the custom font setting to minimize the risk of exploitation. Additionally, ensure that unfiltered html is enabled, if possible, to reduce the attack surface.