Friderika Baranyai

**Name of the Vulnerable Software and Affected Versions** Doctreat Core plugin for WordPress versions prior to 1.6.9 **Description** The plugin is subject to privilege escalation because the `doctreat process registration()` function does not properly restrict the roles assigned during user registration. This allows unauthenticated attackers to register an account with administrator privileges. **Recommendations** Update the plugin to a version later than 1.6.8. As a temporary workaround, restrict access to the registration functionality until the update is applied.

**Name of the Vulnerable Software and Affected Versions** User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin versions prior to 5.1.3 **Description** The plugin is subject to improper privilege management. This occurs because the software accepts a user-supplied role during membership registration without properly enforcing a server-side allowlist, allowing unauthenticated attackers to create administrator accounts. Over 60,000 devices worldwide are potentially affected. Real-world incidents have been reported, with hundreds of exploitation attempts blocked within a single day. Attackers can achieve this by sending requests to the 'admin-ajax.php' endpoint and supplying a privileged value to the `role` parameter. **Recommendations** Update to version 5.1.3 or newer. As a temporary workaround, disable or uninstall the plugin to prevent unauthorized access.

**Name of the Vulnerable Software and Affected Versions** WP CarDealer plugin for WordPress versions prior to 1.2.17 **Description** The WP CarDealer plugin for WordPress is susceptible to a privilege escalation issue. The `WP CarDealer User::process register` function does not adequately restrict user role assignments during registration. This allows unauthenticated attackers to register with the 'administrator' role, gaining unauthorized administrative access to the WordPress site. **Recommendations** Versions prior to 1.2.17 should be updated. As a temporary workaround, restrict user registrations until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Elated Membership plugin for WordPress versions prior to 1.3 **Description** The Elated Membership plugin for WordPress is susceptible to Authentication Bypass in versions up to 1.2. The plugin does not properly log in a user when data is verified through the `eltdf membership check facebook user` and `eltdf membership login user from social network` functions. This allows unauthenticated attackers to log in as administrative users if they have an existing account on the site, which can be created through the temporary user functionality. **Recommendations** Update the Elated Membership plugin to version 1.3 or later.

**Name of the Vulnerable Software and Affected Versions** StreamTube Core plugin for WordPress versions up to and including 4.78 **Description** The StreamTube Core plugin for WordPress is susceptible to Arbitrary User Password Change. This occurs because the plugin grants user-controlled access to objects, allowing bypass of authorization and access to system resources. This enables unauthenticated attackers to modify user passwords, potentially gaining control of administrator accounts. This exploitation is possible if the 'registration password fields' are enabled in the theme options. **Recommendations** Versions prior to 4.78: Disable the 'registration password fields' in theme options as a temporary measure. Versions prior to 4.78: Update to a newer version that addresses this issue as soon as it becomes available.

**Name of the Vulnerable Software and Affected Versions** Ovatheme Events Manager plugin for WordPress versions through 1.8.6 **Description** The Ovatheme Events Manager plugin for WordPress is susceptible to unauthorized access. A missing capability check on several functions within the `/class-ovaem-ajax.php` file allows unauthenticated attackers to perform actions such as deleting ticket files and downloading tickets. **Recommendations** Update the Ovatheme Events Manager plugin to a version later than 1.8.6.

**Name of the Vulnerable Software and Affected Versions** Service Finder Bookings plugin for WordPress versions up to and including 6.0 **Description** The Service Finder Bookings plugin for WordPress is susceptible to privilege escalation, potentially leading to account takeover. This occurs because the plugin does not adequately verify a user’s identity before processing a password change request. Authenticated attackers with subscriber access or higher can exploit this to reset passwords for other users, including administrators. The vulnerable functionality is related to the `change candidate password` function. **Recommendations** Versions prior to 6.1 should be updated.

**Name of the Vulnerable Software and Affected Versions** WP Freeio versions prior to 1.4.29 WP Freeio versions 1.2.21 and earlier **Description** The WP Freeio plugin for WordPress is affected by a privilege escalation issue. The `process register()` function does not adequately restrict user role assignments during registration. This allows unauthenticated attackers to register with the `administrator` role, gaining administrative access to the WordPress site. The `administrator` role can be supplied during registration due to insufficient restrictions in the `process register()` function. **Recommendations** WP Freeio versions prior to 1.4.29: Update to version 1.4.29 or later. WP Freeio version 1.2.21 and earlier: Update to version 1.4.29 or later.

**Name of the Vulnerable Software and Affected Versions** Ovatheme Events Manager plugin for WordPress versions up to and including 1.8.5 **Description** The Ovatheme Events Manager plugin for WordPress is susceptible to arbitrary file uploads because of a lack of file type validation. This occurs in the `process checkout()` function. This allows unauthenticated attackers to upload arbitrary files to the server, potentially leading to remote code execution (RCE). **Recommendations** Update the Ovatheme Events Manager plugin to a version newer than 1.8.5.

**Name of the Vulnerable Software and Affected Versions** Service Finder Bookings plugin for WordPress versions prior to 6.1 **Description** The Service Finder Bookings plugin for WordPress does not properly validate a user's identity prior to claiming a business when using the `claim business` API endpoint. This allows unauthenticated attackers to login as any user, including administrators. Subscriber privileges or brute-forcing are needed to complete the account takeover, and the `claim id` is required to takeover an admin account. **Recommendations** Update to a version prior to 6.1.

**Name of the Vulnerable Software and Affected Versions** Service Finder SMS System plugin for WordPress versions prior to 2.1.0 **Description** The Service Finder SMS System plugin for WordPress does not verify a user's phone number before logging them in, leading to authentication bypass. This allows unauthenticated attackers to log in as arbitrary users. **Recommendations** Update the Service Finder SMS System plugin to version 2.1.0 or later.

Name of the Vulnerable Software and Affected Versions: Dokan Pro versions prior to 4.0.6 Description: The Dokan Pro plugin for WordPress is susceptible to privilege escalation via account takeover. The issue stems from insufficient user identity validation during staff password resets, allowing authenticated attackers with vendor-level access or higher to elevate their privileges. Attackers can then modify arbitrary user passwords, including those of administrators, to gain unauthorized access to accounts. By default, the plugin allows customers to become vendors. Recommendations: Update Dokan Pro to version 4.0.6 or later.

**Name of the Vulnerable Software and Affected Versions** Case Theme User plugin for WordPress versions prior to 1.0.4 **Description** The Case Theme User plugin for WordPress is susceptible to an authentication bypass. This issue stems from the plugin's failure to correctly log in a user with data previously verified through the `facebook ajax login callback()` function. This allows unauthenticated attackers to log in as administrative users if they possess an existing account on the site and have access to the administrative user's email address. This vulnerability is actively exploited in the wild, with over 1,700 vulnerable sites identified. Approximately 27,000 vulnerable sites have been found in the past year. **Recommendations** Update to version 1.0.4 or later.

Name of the Vulnerable Software and Affected Versions: WPGYM - Wordpress Gym Management System plugin versions prior to 67.7.1 Description: The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to unauthorized admin account creation. This is due to the plugin not properly validating a user's capabilities prior to adding users, allowing authenticated attackers with Subscriber-level access and above to create new users, including administrators. Recommendations: Update the WPGYM - Wordpress Gym Management System plugin to version 67.7.1 or later.

Name of the Vulnerable Software and Affected Versions: School Management System for WordPress plugin versions prior to 93.2.0 Description: The School Management System for WordPress plugin is vulnerable to arbitrary file uploads due to missing file type validation in the `homework.php` file. This allows authenticated attackers with Student-level access or higher to upload arbitrary files to the affected site’s server, potentially leading to remote code execution. Recommendations: School Management System for WordPress plugin versions prior to 93.2.0: Update to version 93.2.0 or later.

**Name of the Vulnerable Software and Affected Versions** Service Finder SMS System plugin for WordPress versions prior to 2.0.1 **Description** The Service Finder SMS System plugin for WordPress is susceptible to privilege escalation, allowing unauthenticated attackers to register as administrator users. This is due to the plugin’s failure to restrict user role selection during registration through the `aonesms fn savedata after signup()` function. **Recommendations** Update to version 2.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** Service Finder Bookings plugin for WordPress versions up to and including 6.0 **Description** The Service Finder Bookings plugin for WordPress is susceptible to a privilege escalation issue stemming from an authentication bypass. This occurs because the plugin does not properly validate a user's cookie value before granting access through the `service finder switch back()` function. This allows unauthenticated attackers to log in as any user, including administrators. Over 13,800 exploit attempts have been detected since August, with over 1,500 daily attacks observed since late September. The vulnerability allows attackers to bypass authentication and sign in as any user, including administrators, due to improper cookie validation in the `service finder switch back()` function. **Recommendations** Update to Service Finder Bookings version 6.1 to address this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Droip plugin for WordPress versions up to 2.2.0 **Description** The Droip plugin for WordPress is susceptible to unauthorized modification and access of data due to a missing capability check on the `droip post apis()` function. Authenticated attackers with Subscriber-level access or higher can perform actions through AJAX hooks to several functions, potentially leading to arbitrary post deletion, arbitrary post creation, post duplication, settings update, and user manipulation. **Recommendations** Update the Droip plugin to a version newer than 2.2.0.

**Name of the Vulnerable Software and Affected Versions** Droip plugin for WordPress versions up to and including 2.2.0 **Description** The Droip plugin for WordPress is susceptible to arbitrary file uploads due to the absence of file type validation within the `make google font offline()` function. This allows authenticated attackers with Subscriber-level access or higher to upload arbitrary files to the affected server, potentially leading to remote code execution. **Recommendations** Update the Droip plugin to a version later than 2.2.0.

**Name of the Vulnerable Software and Affected Versions** LoginPress Pro versions prior to 5.0.1 **Description** The LoginPress Pro plugin for WordPress is susceptible to authentication bypass in all versions up to and including 5.0.1. This issue stems from inadequate verification of the user returned by the social login token. This allows unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email address and the user does not already have an account for the service returning the token. **Recommendations** Update LoginPress Pro to version 5.0.1 or later.