Emili Castells

**Name of the Vulnerable Software and Affected Versions** AlphaBPO Easy Newsletter Signups versions 1.0.0 through 1.0.4 **Description** The issue is related to missing authorization, allowing exploitation of incorrectly configured access control security levels. This is a broken access control issue that could be exploited. Remediation is available. **Recommendations** For AlphaBPO Easy Newsletter Signups versions 1.0.0 through 1.0.4, update to the latest version to secure your WordPress site. As a temporary workaround, consider restricting access to the vulnerable plugin until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Zippy versions 1.6.2 and earlier **Description** The issue is related to a Missing Authorization vulnerability, also described as a broken access control vulnerability, which affects the Zippy plugin for WordPress. This vulnerability allows exploiting incorrectly configured access control security levels. Users are urged to update to the latest version to mitigate risks. **Recommendations** Update to the latest version of the Zippy plugin to resolve the issue. As a temporary workaround, consider restricting access to the Zippy plugin until a patch is available.

**Name of the Vulnerable Software and Affected Versions** PickPlugins Product Designer versions 1.0.0 through 1.0.33 **Description** The issue is related to a Missing Authorization vulnerability, which allows accessing functionality not properly constrained by Access Control Lists (ACLs). This means that certain features or data may be accessible without the necessary permissions, potentially leading to unauthorized access or actions. **Recommendations** For PickPlugins Product Designer versions 1.0.0 through 1.0.33, update to a version that includes the necessary authorization constraints to prevent unauthorized access to functionality. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** N.O.U.S. Open Useful and Simple Event post versions n/a through 5.9.5 **Description** The issue is related to an Improper Limitation of a Pathname to a Restricted Directory, also known as 'Path Traversal', which allows PHP Local File Inclusion. **Recommendations** For versions n/a through 5.9.5, update to a version that fixes this issue to prevent PHP Local File Inclusion attacks.

**Name of the Vulnerable Software and Affected Versions** Hamid Alinia – idehweb versions 1.7.16 and earlier **Description** The issue is related to improper privilege management, allowing privilege escalation through the 'Login with phone number' feature. **Recommendations** For versions 1.7.16 and earlier, update to a version that fixes the improper privilege management issue. As a temporary workaround, consider restricting access to the 'Login with phone number' feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Booking Ultra Pro versions 1.1.12 and earlier **Description** The issue is related to Improper Privilege Management, allowing Privilege Escalation in Booking Ultra Pro. **Recommendations** For versions 1.1.12 and earlier, update to a version later than 1.1.12 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sirv versions n/a through 7.2.2 **Description** The issue is related to Improper Privilege Management, allowing Privilege Escalation in Sirv. **Recommendations** For versions n/a through 7.2.2, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sharkdropship dropshipping for Aliexpress, eBay, Amazon, etsy versions through 2.1.1 **Description** The issue is related to a Missing Authorization vulnerability in the Woo product importer. This vulnerability affects the Sharkdropship dropshipping plugin for various e-commerce platforms. **Recommendations** For versions through 2.1.1, update to a version later than 2.1.1 to resolve the issue. At the moment, there is no information about additional mitigation measures.

**Name of the Vulnerable Software and Affected Versions** PressFore Rolo Slider versions 1.0.9 and earlier **Description** A Missing Authorization vulnerability has been identified in PressFore Rolo Slider. This issue allows unauthorized access. The estimated number of potentially affected devices is not specified. **Recommendations** For PressFore Rolo Slider versions 1.0.9 and earlier, update to a version later than 1.0.9 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Twinpictures Annual Archive versions 1.6.0 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Stored XSS. This means that an attacker can inject malicious scripts into the website, potentially affecting users who access the compromised page. **Recommendations** For Twinpictures Annual Archive versions 1.6.0 and earlier, update to a version that fixes the Stored XSS issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Frontend Dashboard versions through 2.2.2 **Description** The issue is related to the exposure of sensitive information to an unauthorized actor. This is a problem where sensitive data is made available to individuals who should not have access to it. **Recommendations** For versions through 2.2.2, update to a version that contains a fix for this issue, however, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Email Customizer for WooCommerce versions n/a through 2.6.0 **Description** The issue is related to Exposure of Sensitive Information to an Unauthorized Actor, affecting Email Customizer for WooCommerce. **Recommendations** For versions n/a through 2.6.0, update to a version later than 2.6.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Long Watch Studio MyRewards versions n/a through 5.3.0 **Description** The issue is related to a Missing Authorization vulnerability. This means that there is a lack of proper authorization checks, potentially allowing unauthorized access to certain features or data. **Recommendations** For versions n/a through 5.3.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** 5 Stars Rating Funnel versions 1.2.67 and earlier **Description** The issue is related to a Missing Authorization vulnerability in the 5 Stars Rating Funnel. **Recommendations** For versions 1.2.67 and earlier, update to a version that includes the fix for the Missing Authorization issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Contest Gallery versions prior to 21.3.4 **Description** The issue is related to an SQL Injection vulnerability due to improper neutralization of special elements used in an SQL command. This allows for potential unauthorized access and manipulation of data. **Recommendations** For versions prior to 21.3.4, update to version 21.3.4 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive database operations to minimize the risk of exploitation. Avoid using user-supplied input in SQL commands until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** WholesaleX versions n/a through 1.3.1 **Description** The issue is related to a Missing Authorization vulnerability in Wholesale Team WholesaleX. **Recommendations** For versions n/a through 1.3.1, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WholesaleX versions prior to 1.3.1 **Description** The issue is related to the exposure of sensitive information to an unauthorized actor. This is a problem where sensitive data is made available to individuals who should not have access to it. **Recommendations** For versions prior to 1.3.1, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Wiloke WooCommerce Coupon Popup, SmartBar, Slide In | MyShopKit versions 1.0.9 and earlier **Description** The issue is related to the exposure of sensitive information to an unauthorized actor. This could potentially allow access to confidential data without proper authorization. **Recommendations** For Wiloke WooCommerce Coupon Popup, SmartBar, Slide In | MyShopKit versions 1.0.9 and earlier, update to a version later than 1.0.9 to resolve the issue. At the moment, there is no information about additional mitigation measures.

**Name of the Vulnerable Software and Affected Versions** Akshay Menariya Export Import Menus versions 1.8.0 and earlier **Description** The issue is related to an Unrestricted Upload of File with Dangerous Type, which affects the Export Import Menus. There is no information provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For versions 1.8.0 and earlier, update to a version that fixes the Unrestricted Upload of File with Dangerous Type vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Dazzlersoft Team Members Showcase plugin versions prior to 1.3.4 **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that affects users with admin+ authentication. This type of vulnerability allows an attacker to inject malicious scripts into the website, which can then be executed by other users. **Recommendations** For versions prior to 1.3.4, update to version 1.3.4 or later to resolve the issue.