Fariqfgi

**Name of the Vulnerable Software and Affected Versions** ELEX WooCommerce Dynamic Pricing and Discounts plugin for WordPress versions up to, and including, 2.1.7 **Description** The issue arises from a missing capability check on the `elex dp export rules()` and `elex dp import rules()` functions, allowing unauthorized access to data. This enables unauthenticated attackers to import and export product rules, as well as obtain `phpinfo()` data. **Recommendations** For versions up to, and including, 2.1.7, consider disabling the `elex dp export rules()` and `elex dp import rules()` functions until a patch is available to prevent unauthorized data access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Advanced iFrame plugin for WordPress versions up to, and including, 2024.1 **Description** The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `advanced iframe` shortcode. This vulnerability is due to the plugin allowing users to include JS files from external sources through the `additional js` attribute. Authenticated attackers with contributor-level and above permissions can inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 2024.1, consider disabling the `advanced iframe` shortcode until a patch is available to prevent exploitation. Restrict access to the `additional js` attribute to minimize the risk of arbitrary web script injection. At the moment, there is no information about a newer version that contains a fix for this vulnerability.