Gai Tanaka

**Name of the Vulnerable Software and Affected Versions** baserCMS versions prior to 5.2.3 **Description** baserCMS is a website development framework. A cross-site scripting issue exists in blog posts within versions prior to 5.2.3. This issue was addressed with the release of version 5.2.3. **Recommendations** Update to version 5.2.3 or later.

**Name of the Vulnerable Software and Affected Versions** Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress versions through 2.7.6 **Description** The plugin is susceptible to Cross-Site Request Forgery (CSRF) due to missing or incorrect nonce validation in the `adminExport()` function. This allows unauthenticated attackers to update settings and potentially execute remote code if the Server command execution setting is enabled, provided they can trick a site administrator into performing an action. **Recommendations** Versions prior to 2.7.7 should be updated. As a temporary workaround, disable the Server command execution setting.

Name of the Vulnerable Software and Affected Versions: Eventin plugin for WordPress versions through 4.0.37 Description: The Eventin plugin for WordPress is susceptible to Server-Side Request Forgery (SSRF) via the `proxy image` function. This allows unauthenticated attackers to make web requests to arbitrary locations originating from the web application, potentially enabling them to query and modify information from internal services. Recommendations: Update the Eventin plugin to a version later than 4.0.37.

**Name of the Vulnerable Software and Affected Versions** StreamWeasels YouTube Integration plugin for WordPress versions prior to 1.4.1 **Description** The StreamWeasels YouTube Integration plugin for WordPress is susceptible to Stored Cross-Site Scripting through the plugin’s `data-uuid` attribute. Insufficient input sanitization and output escaping on user-supplied attributes allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. **Recommendations** Update the StreamWeasels YouTube Integration plugin to version 1.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** StreamWeasels Twitch Integration plugin for WordPress versions through 1.9.3 **Description** The StreamWeasels Twitch Integration plugin for WordPress is susceptible to Stored Cross-Site Scripting via the plugin's `data-uuid` attribute due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages, which will execute when a user accesses the injected page. **Recommendations** Update the StreamWeasels Twitch Integration plugin to a version newer than 1.9.3.

**Name of the Vulnerable Software and Affected Versions** StreamWeasels Kick Integration plugin for WordPress versions through 1.1.4 **Description** The StreamWeasels Kick Integration plugin for WordPress is susceptible to Stored Cross-Site Scripting through the plugin’s `data-uuid` attribute. Insufficient input sanitization and output escaping on user-supplied attributes allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. **Recommendations** Update the StreamWeasels Kick Integration plugin for WordPress to a version later than 1.1.4.

Name of the Vulnerable Software and Affected Versions: Uncanny Automator versions up to, and including, 6.4.0.1 Description: The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input in the `automator api decode message()` function. This allows authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The presence of a POP chain also enables attackers to delete arbitrary files. Recommendations: For versions up to, and including, 6.4.0.1, update to a version later than 6.4.0.1 to resolve the issue. As a temporary workaround, consider disabling the `automator api decode message()` function until a patch is available. Restrict access to the `automator api decode message()` function to minimize the risk of exploitation.