Fourcade

**Name of the Vulnerable Software and Affected Versions** The Chatbot for WordPress by Collect.chat versions prior to 2.4.4 **Description** The issue allows high privilege users, such as admins, to perform Cross-Site Scripting attacks. This is possible because some settings are not properly sanitised and escaped, even when unfiltered html is disallowed. **Recommendations** For versions prior to 2.4.4, update to version 2.4.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** The Simple Ajax Chat WordPress plugin versions prior to 20240412 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in a multisite setup. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 20240412, update to version 20240412 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high-privilege users to modify plugin settings until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Advanced Search WordPress plugin versions 1.1.6 and earlier **Description** The issue allows users with the administrator role to conduct SQL Injection attacks in the context of a multisite WordPress configuration due to improper escaping of parameters appended to an SQL query. **Recommendations** For Advanced Search WordPress plugin versions 1.1.6 and earlier, update to a version that properly escapes parameters appended to SQL queries to prevent SQL Injection attacks.

**Name of the Vulnerable Software and Affected Versions** The Simple Ajax Chat – Add a Fast, Secure Chat Box plugin for WordPress versions up to, and including, 20231101 **Description** The issue is related to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue only affects multi-site installations and installations where unfiltered html has been disabled. **Recommendations** For versions up to, and including, 20231101, update to a version later than 20231101 to resolve the issue. As a temporary workaround, consider restricting access to admin settings to minimize the risk of exploitation. Additionally, ensure that unfiltered html is enabled, if possible, to reduce the vulnerability's impact.

**Name of the Vulnerable Software and Affected Versions** The Simple Ajax Chat WordPress plugin versions prior to 20240223 **Description** The issue concerns the reflection of unsanitized input to other users, specifically when visitors use malicious names in the chat. This allows for potential malicious activity. **Recommendations** For versions prior to 20240223, update to version 20240223 or later to resolve the issue. As a temporary workaround, consider restricting user input for names in the chat to minimize the risk of exploitation.