Fayçal Chena

**Name of the Vulnerable Software and Affected Versions** The Coming Soon - Under Construction WordPress plugin versions 1.1.9 and earlier **Description** The issue allows high-privileged users to perform Cross-Site Scripting attacks due to the plugin not sanitizing and escaping some of its settings, even when unfiltered html is disallowed. **Recommendations** For The Coming Soon - Under Construction WordPress plugin versions 1.1.9 and earlier, update to a version that addresses the sanitization and escaping of settings to prevent Cross-Site Scripting attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Event Timeline WordPress plugin versions 1.1.5 and earlier **Description** The issue allows high-privileged users, such as admins, to perform Cross-Site Scripting attacks due to the lack of sanitization and escaping of Timeline Text, even when unfiltered html is disallowed. **Recommendations** For Event Timeline WordPress plugin versions 1.1.5 and earlier, consider disabling the Timeline Text feature until a patch is available to prevent potential Cross-Site Scripting attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP Contact Slider WordPress plugin versions prior to 2.4.7 **Description** The issue allows high privileged users, such as editors and above, to perform Cross-Site Scripting attacks. This is possible because the Text to Display settings of sliders are not properly sanitized and escaped, even when the unfiltered html is disallowed. **Recommendations** For versions prior to 2.4.7, update to version 2.4.7 or later to resolve the issue. As a temporary workaround, consider restricting the use of the Text to Display settings in sliders to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Form - Contact Form WordPress plugin versions prior to 1.2.1 **Description** The issue allows high-privileged users, such as admins, to perform Cross-Site Scripting attacks. This is possible because the plugin does not properly sanitize and escape Custom text fields, even when unfiltered html is disallowed. **Recommendations** For The Form - Contact Form WordPress plugin versions prior to 1.2.1, update to version 1.2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to Custom text fields for high-privileged users until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Image Gallery WordPress plugin versions prior to 1.1.6 **Description** The issue allows high-privileged users, such as admins, to perform Cross-Site Scripting attacks. This is possible because the plugin does not properly sanitize and escape some of its image fields, even when unfiltered html is disallowed. **Recommendations** For versions prior to 1.1.6, update to version 1.1.6 or later to resolve the issue. As a temporary workaround, consider restricting the use of the Image Gallery plugin's image fields by high-privileged users until the update is applied.

**Name of the Vulnerable Software and Affected Versions** The Post Grid, Slider & Carousel Ultimate WordPress plugin versions prior to 1.5.0 **Description** The issue allows high privilege users to perform Cross-Site Scripting attacks due to the lack of sanitization and escaping of the Header Title, even when the unfiltered html capability is disallowed. **Recommendations** For versions prior to 1.5.0, update to version 1.5.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Carousel CK WordPress plugin versions prior to 1.1.1 **Description** The issue allows high-privileged users, such as admins, to perform Cross-Site Scripting attacks when unfiltered html is disallowed, due to the lack of sanitization and escaping of Slide's descriptions. **Recommendations** For Carousel CK WordPress plugin versions prior to 1.1.1, update to version 1.1.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Slideshow CK WordPress plugin versions prior to 1.4.10 **Description** The issue allows high-privileged users, such as admins, to perform Cross-Site Scripting attacks when unfiltered html is disallowed, due to the lack of sanitization and escaping of Slide's descriptions. **Recommendations** For versions prior to 1.4.10, update to version 1.4.10 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Video Slider WordPress plugin versions prior to 1.4.8 **Description** The issue allows high-privileged users to perform Cross-Site Scripting attacks due to the lack of sanitization or escaping of some video settings, even when unfiltered html is disallowed. **Recommendations** For versions prior to 1.4.8, update to version 1.4.8 or later to resolve the issue. As a temporary workaround, consider restricting access to video settings for high-privileged users until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Slideshow WordPress plugin versions 2.3.1 and earlier **Description** The issue concerns the Slideshow WordPress plugin, where some default slideshow settings are not properly sanitized and escaped. This could allow high-privileged users, such as administrators, to perform Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed. **Recommendations** For Slideshow WordPress plugin versions 2.3.1 and earlier, update to a version that addresses the sanitization and escaping of default slideshow settings to prevent Cross-Site Scripting attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BannerMan WordPress plugin versions prior to 0.2.5 **Description** The issue allows high-privileged users to perform Cross-Site Scripting attacks when the unfiltered html is disallowed, such as in multisite, due to the plugin not sanitizing or escaping its settings. **Recommendations** For BannerMan WordPress plugin versions prior to 0.2.5, update to version 0.2.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** IMDB info box WordPress plugin versions through 2.0 **Description** The issue allows high-privileged users to perform Cross-Site Scripting attacks due to the lack of sanitization and escaping of some settings, even when the unfiltered html capability is disallowed. **Recommendations** For IMDB info box WordPress plugin versions through 2.0, consider updating to a version that addresses this issue, as no specific workaround is provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Sliderby10Web WordPress plugin versions prior to 1.2.52 **Description** The issue is related to the improper sanitization and escaping of some settings in the plugin, which could allow high-privileged users, such as admins, to perform Cross-Site Scripting attacks even when unfiltered html is disallowed. **Recommendations** For versions prior to 1.2.52, update to version 1.2.52 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings for high-privileged users until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Tabs WordPress plugin versions prior to 2.2.8 **Description** The issue allows high privileged users with a role as low as editor to perform Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, due to the lack of sanitization and escaping of Tab descriptions. **Recommendations** For versions prior to 2.2.8, update to version 2.2.8 or later to resolve the issue. As a temporary workaround, consider restricting the ability of editors to create or modify Tab descriptions until the update is applied.

**Name of the Vulnerable Software and Affected Versions** BulletProof Security WordPress plugin versions prior to 6.1 **Description** The issue concerns the BulletProof Security WordPress plugin, where certain CAPTCHA settings are not properly sanitized and escaped. This could allow high-privileged users to perform Cross-Site Scripting attacks, even in scenarios where unfiltered html is disallowed. **Recommendations** For versions prior to 6.1, update to version 6.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the CAPTCHA settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Slide Anything WordPress plugin versions prior to 2.3.44 **Description** The issue allows high privilege users, such as editors and above, to perform Cross-Site Scripting attacks. This is possible because the plugin does not properly sanitize and escape sliders' descriptions, even when the unfiltered html is disallowed. **Recommendations** For versions prior to 2.3.44, update to version 2.3.44 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high privilege users to create or edit sliders until the update is applied.