WordPress · Polylang · CVE-2022-4169
**Name of the Vulnerable Software and Affected Versions**
Polylang versions up to, and including, 3.2.16
**Description**
The Theme and plugin translation for Polylang is vulnerable to authorization bypass due to missing capability checks in the `process_polylang_theme_translation_wp_loaded()` function. This makes it possible for unauthenticated attackers to update plugin and theme translation settings and to import translation strings.
**Recommendations**
For Polylang versions up to, and including, 3.2.16, update to a version higher than 3.2.16 to resolve the issue. As a temporary workaround, consider disabling the `process_polylang_theme_translation_wp_loaded()` function until a patch is available.
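
The class of flaw described above, shown as an added example that is not the plugin's own code: a settings handler assumed (from the function's name) to run on the `wp_loaded` hook, first without and then with the capability and nonce checks. Every `example_` name, the request parameter and the choice of `manage_options` as the required capability are hypothetical.

```php
<?php
// Added illustration: all example_* names below are hypothetical.

// Before: wp_loaded fires on front-end requests as well as in wp-admin,
// so this handler runs for visitors who are not logged in.
function example_translation_settings_wp_loaded_unchecked() {
    if ( isset( $_POST['example_translation_settings'] ) ) {
        // No capability or nonce check guards this write.
        update_option(
            'example_translation_settings',
            wp_unslash( $_POST['example_translation_settings'] )
        );
    }
}

// After: the same handler, gated before any state is changed.
function example_translation_settings_wp_loaded() {
    if ( ! isset( $_POST['example_translation_settings'] ) ) {
        return; // Not a settings submission; nothing to do.
    }

    // Authorization: only users holding the admin capability may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            'You are not allowed to change these settings.',
            '',
            array( 'response' => 403 )
        );
    }

    // CSRF protection: the settings form must carry a matching nonce
    // created with wp_nonce_field( 'example_save_translation_settings' ).
    check_admin_referer( 'example_save_translation_settings' );

    // Sanitize each submitted value before storing it.
    $settings = array_map(
        'sanitize_text_field',
        (array) wp_unslash( $_POST['example_translation_settings'] )
    );
    update_option( 'example_translation_settings', $settings );
}
add_action( 'wp_loaded', 'example_translation_settings_wp_loaded' );
```

When reviewing a plugin after updating, the same two checks (`current_user_can()` and a nonce verification) are what to look for at the top of any handler that writes settings from request data.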