Francesco Carlucci

Name of the Vulnerable Software and Affected Versions: Ninja Forms Webhooks plugin for WordPress versions up to, and including, 3.0.7 Description: The issue allows authenticated attackers with Administrator-level access and above to make web requests to arbitrary locations originating from the web application. This can be used to query and modify information from internal services. The vulnerability is related to the form webhook functionality. Recommendations: For versions up to, and including, 3.0.7, update to a version later than 3.0.7 to resolve the issue. As a temporary workaround, consider restricting access to the form webhook functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Gravity Forms WebHooks plugin for WordPress versions up to, and including, 1.6.0 **Description** The issue allows authenticated attackers with Administrator-level access and above to make web requests to arbitrary locations originating from the web application. This can be used to query and modify information from internal services. The vulnerability is exploited via the `process feed` method of the `GF Webhooks` class. **Recommendations** For versions up to, and including, 1.6.0, consider disabling the `process feed` method of the `GF Webhooks` class as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Memberpress plugin for WordPress versions up to, and including, 1.11.37 **Description** The issue allows unauthenticated attackers to extract sensitive data from restricted posts, such as those limited to higher-level roles like administrators, via the WordPress core search feature. **Recommendations** For versions up to, and including, 1.11.37, update to a version later than 1.11.37 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WordPress Importer plugin versions up to, and including, 0.8.3 **Description** The issue is related to PHP Object Injection via deserialization of untrusted input in the `maybe unserialize` function. This allows authenticated attackers with Administrator-level access and above to inject a PHP Object. However, the vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code, depending on the POP chain present. **Recommendations** For WordPress Importer plugin versions up to, and including, 0.8.3, update to a version above 0.8.3 to resolve the issue. As a temporary workaround, consider disabling the `maybe unserialize` function until a patch is available. Restrict access to the plugin to minimize the risk of exploitation. Avoid using untrusted input in the deserialization process until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Make Builder plugin for WordPress versions prior to 1.1.11 **Description** The issue allows authenticated attackers with Subscriber-level access and above to make web requests to arbitrary locations originating from the web application. This can be used to query and modify information from internal services. The `make builder ajax subscribe()` function is vulnerable to Server-Side Request Forgery. **Recommendations** For versions prior to 1.1.11, update to version 1.1.11 or later to resolve the issue. As a temporary workaround, consider disabling the `make builder ajax subscribe()` function until a patch is available.

Name of the Vulnerable Software and Affected Versions: The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress versions up to, and including, 6.2 Description: The issue allows authenticated attackers with Administrator-level access and above to make web requests to arbitrary locations originating from the web application. This can be used to query and modify information from internal services via the `call webhook` method of the `Automator Send Webhook` class. Recommendations: For versions up to, and including, 6.2, consider disabling the `call webhook` method of the `Automator Send Webhook` class as a temporary workaround until a patch is available. Restrict access to the `Automator Send Webhook` class to minimize the risk of exploitation. Avoid using the `call webhook` method in the affected plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Post Meta Data Manager plugin for WordPress versions up to and including 1.4.3 **Description** The issue arises from the plugin's failure to properly verify the existence of a multisite installation before allowing user meta to be added or modified. This allows authenticated attackers with Administrator-level access and above to gain elevated privileges on subsites that would otherwise be inaccessible. **Recommendations** For Post Meta Data Manager plugin for WordPress versions up to and including 1.4.3, update to a version that includes the necessary verification for multisite installations to prevent privilege escalation.

**Name of the Vulnerable Software and Affected Versions** The Code Snippets CPT plugin for WordPress versions prior to 2.1.1 **Description** The issue arises from the software's failure to properly validate a value before executing the `do shortcode` function, allowing authenticated attackers with Subscriber-level access and above to execute arbitrary shortcodes. **Recommendations** For versions prior to 2.1.1, update to version 2.1.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** The Starter Templates by FancyWP plugin for WordPress versions prior to 2.1 **Description** The issue allows unauthenticated attackers to make web requests to arbitrary locations originating from the web application. This can be used to query and modify information from internal services via the `http request host is external` filter. **Recommendations** For versions prior to 2.1, update to version 2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `http request host is external` filter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Allow PHP Execute plugin for WordPress versions prior to 1.1 **Description** The issue allows PHP code to be entered by all users for whom unfiltered HTML is allowed, making it possible for authenticated attackers with Editor-level access and above to inject PHP code into posts and pages. **Recommendations** For versions prior to 1.1, update to a version that fixes the PHP Code Injection issue to prevent authenticated attackers from injecting PHP code into posts and pages.

**Name of the Vulnerable Software and Affected Versions** WPGet API – Connect to any external REST API plugin for WordPress versions up to, and including, 2.2.10 **Description** The issue allows authenticated attackers with Administrator-level access and above to perform Server-Side Request Forgery. This enables them to make web requests to arbitrary locations from the web application, potentially querying and modifying information from internal services. **Recommendations** For versions up to, and including, 2.2.10, update to a version higher than 2.2.10 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Platform.ly for WooCommerce plugin for WordPress versions prior to 1.1.7 **Description** The issue allows unauthenticated attackers to make web requests to arbitrary locations originating from the web application. This can be used to query and modify information from internal services. The `hooks` function is involved in the exploitation of this issue. **Recommendations** For versions up to and including 1.1.6, update to version 1.1.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the `hooks` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More plugin for WordPress versions prior to 2.5.1 **Description** The issue allows unauthenticated attackers to extract sensitive data from restricted posts via the WordPress core search feature. This affects posts that have been restricted to higher-level roles, such as logged-in users. **Recommendations** For versions prior to 2.5.1, update to version 2.5.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the WordPress core search feature until the update is applied.

**Name of the Vulnerable Software and Affected Versions** The Album Gallery – WordPress Gallery plugin versions up to, and including, 1.6.3 **Description** The issue allows authenticated attackers with Editor-level access and above to inject a PHP Object via deserialization of untrusted input from gallery meta. This has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. **Recommendations** For versions up to, and including, 1.6.3, update to a version that contains a fix for this issue to prevent PHP Object Injection. As a temporary workaround, consider restricting access to the gallery meta input to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Ultra Addons Lite for Elementor plugin for WordPress versions up to, and including, 1.1.8 **Description** The issue allows authenticated attackers with Contributor-level access and above to extract data from password-protected, private, or draft posts via the 'ut elementor' shortcode, due to insufficient restrictions on which posts can be included. **Recommendations** For Ultra Addons Lite for Elementor plugin for WordPress versions up to, and including, 1.1.8, consider updating to a version that addresses the insufficient restrictions on post inclusion to prevent unauthorized data exposure.

**Name of the Vulnerable Software and Affected Versions** Tabs for WooCommerce plugin for WordPress versions up to, and including, 1.0.0 **Description** The issue allows authenticated attackers with Shop Manager-level access and above to inject a PHP Object via deserialization of untrusted input in the `product has custom tabs` function. This has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. **Recommendations** For versions up to, and including, 1.0.0, consider disabling the `product has custom tabs` function until a patch is available to prevent potential PHP Object Injection. Restrict access to sensitive data and files to minimize the risk of exploitation if a POP chain is present via an additional plugin or theme.

**Name of the Vulnerable Software and Affected Versions** OneStore Sites plugin for WordPress versions prior to 0.1.2 **Description** The issue allows unauthenticated attackers to make web requests to arbitrary locations originating from the web application. This can be used to query and modify information from internal services. The vulnerability is related to Server-Side Request Forgery via the class-export.php file. **Recommendations** For versions prior to 0.1.2, update to version 0.1.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the class-export.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SureMembers plugin for WordPress versions up to and including 1.10.6 **Description** The issue allows unauthenticated attackers to extract sensitive data, including restricted content, via the REST API. **Recommendations** For versions up to and including 1.10.6, update to a version that contains a fix for this issue to prevent sensitive information exposure.

**Name of the Vulnerable Software and Affected Versions** Mambo Importer plugin for WordPress versions up to, and including, 1.0 **Description** The Mambo Importer plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input via the `data` parameter in the `fImportMenu` function. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. **Recommendations** Update the Mambo Importer plugin to the latest version to prevent exploitation of this vulnerability. As a temporary workaround, consider restricting access to the `fImportMenu` function until a patch is available. Avoid using the `data` parameter in the affected function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** SVG Support plugin for WordPress versions up to and including 2.5.10 **Description** The issue is related to Stored Cross-Site Scripting via SVG File uploads due to insufficient input sanitization and output escaping. This allows authenticated attackers with Author-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. By default, this can only be exploited by administrators, but the ability to upload SVG files can be extended to authors. **Recommendations** For SVG Support plugin for WordPress versions up to and including 2.5.10, update to a version higher than 2.5.10 to resolve the issue. As a temporary workaround, consider restricting the ability to upload SVG files to only trusted users, such as administrators, to minimize the risk of exploitation. Additionally, disabling the SVG file upload feature until a patch is available can also help mitigate the risk.