Fuzzyap1

**Name of the Vulnerable Software and Affected Versions** The Flower Delivery by Florist One WordPress plugin versions 3.7 and earlier **Description** The issue allows high privilege users, such as admin, to perform Stored Cross-Site Scripting attacks when the unfiltered html capability is disallowed, for example in multisite setups. This is due to the plugin not sanitising and escaping some of its settings. **Recommendations** For versions 3.7 and earlier, update to a version that properly sanitises and escapes its settings to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting the `unfiltered html` capability to high privilege users to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Books & Papers WordPress plugin versions 0.20210223 and earlier **Description** The issue allows high privilege users to perform Cross-Site Scripting attacks even when the unfiltered html capability is disallowed, due to the Custom DB prefix settings not being escaped. **Recommendations** For versions 0.20210223 and earlier, update to a version that properly escapes the Custom DB prefix settings to prevent Cross-Site Scripting attacks.

**Name of the Vulnerable Software and Affected Versions** Mark Posts WordPress plugin versions prior to 2.0.1 **Description** The issue allows high privilege users, such as admins, to perform Cross-Site Scripting attacks. This is possible because the plugin does not properly escape new markers, even when the unfiltered html capability is disallowed. **Recommendations** For Mark Posts WordPress plugin versions prior to 2.0.1, update to version 2.0.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Simple Tracking WordPress plugin versions prior to 1.7 **Description** The issue allows high privilege users, such as admins, to perform Cross-Site Scripting attacks. This is possible because the plugin does not properly sanitise and escape its settings, even when the unfiltered html capability is disallowed. **Recommendations** For Simple Tracking WordPress plugin versions prior to 1.7, update to version 1.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SEO 301 Meta WordPress plugin versions 1.9.1 and earlier **Description** The issue allows high privilege users, such as admins, to perform Cross-Site Scripting attacks by exploiting unescaped Request and Destination settings in the plugin, even when the unfiltered html capability is disallowed. **Recommendations** For SEO 301 Meta WordPress plugin versions 1.9.1 and earlier, consider updating to a version that escapes the Request and Destination settings to prevent Cross-Site Scripting attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Petfinder Listings WordPress plugin versions 1.0.18 and earlier **Description** The issue allows high privilege users, such as admins, to perform Cross-Site Scripting attacks. This is possible because the plugin does not escape its settings, even when the unfiltered html capability is disallowed. **Recommendations** For Petfinder Listings WordPress plugin versions 1.0.18 and earlier, update to a version later than 1.0.18 to resolve the issue. At the moment, there is no information about other specific fixes for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GD Mylist WordPress plugin versions 1.1.1 and earlier **Description** The issue allows high privilege users, such as admins, to perform Cross-Site Scripting attacks. This is possible because the plugin does not properly sanitise and escape some of its settings, even when the unfiltered html capability is disallowed. **Recommendations** For GD Mylist WordPress plugin versions 1.1.1 and earlier, update to a version that properly sanitises and escapes its settings to prevent Cross-Site Scripting attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sync QCloud COS WordPress plugin versions prior to 2.0.1 **Description** The issue allows high privilege users, such as admins, to perform Cross-Site Scripting attacks. This is possible because some settings are not properly escaped, enabling the attacks even when the unfiltered html capability is disallowed. **Recommendations** For versions prior to 2.0.1, update to version 2.0.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Kunze Law WordPress plugin versions prior to 2.1 **Description** The issue allows high privilege users, such as admins, to perform Cross-Site Scripting attacks. This is possible because the plugin does not properly escape its 'E-Mail Error "From" Address' settings, even when the unfiltered html capability is disallowed. **Recommendations** For versions prior to 2.1, update to version 2.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WP Home Page Menu WordPress plugin versions prior to 3.1 **Description** The issue allows high privilege users, such as admins, to perform Cross-Site Scripting attacks. This is possible because the plugin does not properly sanitise and escape its settings, even when the unfiltered html capability is disallowed. **Recommendations** For versions prior to 3.1, update to version 3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CMS Made Simple version 2.2.15 **Description** The issue is related to a Remote Command Execution (RCE) vulnerability. This vulnerability can be exploited via the upload avatar function using a crafted image file. **Recommendations** For CMS Made Simple version 2.2.15, consider disabling the upload avatar function as a temporary workaround until a patch is available. Restrict access to the upload functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CMS Made Simple version 2.2.15 **Description** A reflected cross-site scripting (XSS) issue was found, which can be exploited via the `m1 fmmessage` parameter. **Recommendations** For CMS Made Simple version 2.2.15, update to a version that fixes this issue to prevent exploitation. As a temporary workaround, consider restricting access to the parameter `m1 fmmessage` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Hospital Management System version 1.0 **Description** The issue is related to a stored cross-site scripting (XSS) vulnerability. This vulnerability can be exploited via the `Doctor` parameter at the "/admin-panel1.php" API endpoint. **Recommendations** For Hospital Management System version 1.0, as a temporary workaround, consider restricting access to the `/admin-panel1.php` endpoint or disabling the use of the `Doctor` parameter until a fix is available.

**Name of the Vulnerable Software and Affected Versions** Hospital Management System version 1.0 **Description** The issue is related to a stored cross-site scripting (XSS) vulnerability. This vulnerability can be exploited via the `dpassword` parameter at the "/admin-panel1.php" API endpoint. **Recommendations** For Hospital Management System version 1.0, consider disabling access to the "/admin-panel1.php" endpoint until a fix is available, and restrict the use of the `dpassword` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Hospital Management System version 1.0 **Description** The issue is related to a stored cross-site scripting (XSS) vulnerability. This vulnerability can be exploited via the `demail` parameter at the "/admin-panel1.php" API endpoint. **Recommendations** For Hospital Management System version 1.0, consider disabling access to the "/admin-panel1.php" endpoint until a patch is available, or restrict the use of the `demail` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Maxsite CMS version v180 **Description** A stored cross-site scripting (XSS) issue was found in Maxsite CMS. The vulnerability is exploited via the `f file description` parameter at the "/admin/files" API endpoint. This allows for malicious scripts to be stored and executed, potentially leading to unauthorized actions on the affected system. **Recommendations** For Maxsite CMS version v180, as a temporary workaround, consider restricting access to the `/admin/files` API endpoint until a patch is available. Avoid using the `f file description` parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Maxsite CMS version v180 **Description** A Remote Code Execution (RCE) issue exists at the "/admin/options" API endpoint, allowing attackers to execute arbitrary code via a crafted PHP file. **Recommendations** For Maxsite CMS version v180, consider disabling access to the "/admin/options" API endpoint until a patch is available. Restrict the ability to upload or execute PHP files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Maxsite CMS version v180 **Description** The issue allows for arbitrary file deletion. This is achieved through the /admin page/all-files-update-ajax.php endpoint via the `dir` and `deletefile` parameters. **Recommendations** For Maxsite CMS version v180, consider restricting access to the /admin page/all-files-update-ajax.php endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the `dir` and `deletefile` parameters in this endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Maxsite CMS version 108 **Description** The issue is related to a stored cross-site scripting (XSS) vulnerability. This vulnerability can be exploited via the `f tags` parameter at the "/admin/page edit/3" API endpoint. **Recommendations** For Maxsite CMS version 108, consider restricting access to the `f tags` parameter in the "/admin/page edit/3" API endpoint until a fix is available. As a temporary workaround, avoid using the `f tags` parameter in this endpoint to minimize the risk of exploitation.