Fernando Mecozzi

**Name of the Vulnerable Software and Affected Versions** Premium Addons for Elementor versions prior to 4.11.71 **Description** Stored Cross-Site Scripting occurs due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access and above can inject arbitrary web scripts into pages via the `custom svg` parameter. These scripts execute whenever a user accesses the affected page. **Recommendations** Update to a version later than 4.11.70. As a temporary workaround, restrict access to the `custom svg` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CoBlocks versions prior to 3.1.17 **Description** The Page Builder Gutenberg Blocks – CoBlocks plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs due to insufficient output escaping of event titles, descriptions, and locations fetched from external iCal feeds within the Events block rendering function. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, which then execute when a user visits the affected page. **Recommendations** Update the plugin to a version newer than 3.1.16.

**Name of the Vulnerable Software and Affected Versions** Advanced Custom Fields (ACF) plugin for WordPress versions prior to 6.7.1 **Description** The plugin contains a flaw where AJAX field query endpoints accept user-supplied filter parameters that override field-configured restrictions without proper authorization checks. This allows unauthenticated attackers with access to a frontend ACF form to enumerate and disclose information regarding draft or private posts, restricted post types, and other data intended to be restricted by field configuration. **Recommendations** Update the plugin to a version later than 6.7.0.