Felipe De Avila

**Name of the Vulnerable Software and Affected Versions** The Popup by Supsystic WordPress plugin versions prior to 1.10.9 **Description** The issue concerns a lack of authentication and authorization in an AJAX action, allowing unauthenticated attackers to call it and obtain the email addresses of subscribed users. **Recommendations** For versions prior to 1.10.9, update to version 1.10.9 or later to resolve the issue. As a temporary workaround, consider disabling the vulnerable AJAX action until a patch is available. Restrict access to the AJAX endpoint to minimize the risk of exploitation. Avoid using the affected plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** UsersWP WordPress plugin versions prior to 1.2.3.1 **Description** The issue is related to missing access controls when updating a user avatar and the lack of unique file names for user avatars. This allows a logged-in user to overwrite another user's avatar. **Recommendations** For versions prior to 1.2.3.1, update to version 1.2.3.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WP Ultimate CSV Importer WordPress plugin versions prior to 6.4.3 **Description** The issue allows high privilege users to import malicious comments, potentially leading to Stored Cross-Site Scripting issues, due to the lack of sanitization and escaping of imported comments. **Recommendations** For versions prior to 6.4.3, update to version 6.4.3 or later to resolve the issue. As a temporary workaround, consider restricting the import functionality to trusted users only until the update is applied.

**Name of the Vulnerable Software and Affected Versions** WP Review Slider versions prior to 11.0 **Description** The issue concerns the WP Review Slider WordPress plugin, where the `pid` parameter is not properly sanitized and escaped when copying a Twitter source. This could allow high-privilege users to perform SQL injection attacks. **Recommendations** For versions prior to 11.0, update to version 11.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Twitter source copying feature to minimize the risk of exploitation. Avoid using the `pid` parameter in the affected functionality until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Custom Popup Builder WordPress plugin versions prior to 1.3.1 **Description** The issue allows unauthenticated users to send data that is not validated in length, potentially causing a denial of service on the blog. This occurs because the plugin autoloads data from its popup on every page. **Recommendations** For versions prior to 1.3.1, update to version 1.3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's popup functionality to minimize the risk of exploitation.