Gen Sato

**Name of the Vulnerable Software and Affected Versions** Download Plugins and Themes from Dashboard versions prior to 1.8.6 **Description** A path traversal issue exists, allowing a remote authenticated attacker with `switch themes` privilege to obtain arbitrary files on the server if exploited. **Recommendations** For versions prior to 1.8.6, update to version 1.8.6 or later to resolve the issue. As a temporary workaround, consider restricting the `switch themes` privilege to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CubeCart versions prior to 6.5.3 **Description** The issue allows a remote authenticated attacker with administrative privileges to execute an arbitrary OS command. **Recommendations** For versions prior to 6.5.3, update to version 6.5.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** CubeCart versions prior to 6.5.3 **Description** A cross-site request forgery issue allows a remote unauthenticated attacker to delete data in the system. **Recommendations** For versions prior to 6.5.3, update to version 6.5.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** CubeCart versions prior to 6.5.3 **Description** A directory traversal issue allows a remote authenticated attacker with administrative privileges to delete directories and files in the system. **Recommendations** For versions prior to 6.5.3, update to version 6.5.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** CubeCart versions prior to 6.5.3 **Description** A directory traversal issue allows a remote authenticated attacker with administrative privileges to obtain files in the system. **Recommendations** For versions prior to 6.5.3, update to version 6.5.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Amelia versions prior to 1.0.76 **Description** A cross-site scripting issue allows a remote unauthenticated attacker to inject an arbitrary script by having a user visit a malicious URL, potentially affecting WordPress installations with the Amelia plugin. **Recommendations** For versions prior to 1.0.76, update to version 1.0.76 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Newsletter versions prior to 7.6.9 **Description** The issue is a cross-site scripting vulnerability that allows a remote unauthenticated attacker to inject an arbitrary script. This can be exploited to conduct cross-site scripting attacks. The vulnerability exists due to inadequate protection of the web page structure. **Recommendations** For versions prior to 7.6.9, update to version 7.6.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the Newsletter plugin to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Salon booking system versions prior to 7.9 **Description** A cross-site scripting issue allows a remote unauthenticated attacker to inject an arbitrary script. **Recommendations** For versions prior to 7.9, update to version 7.9 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Booking Package - Appointment Booking Calendar System versions prior to 1.5.11 Description: A cross-site scripting issue allows a remote attacker to inject an arbitrary script via unspecified vectors. Recommendations: For versions prior to 1.5.11, update to version 1.5.11 or later to resolve the issue. As a temporary workaround, consider restricting user input to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Quiz And Survey Master versions prior to 7.1.14 Description: A cross-site scripting issue allows a remote attacker to inject arbitrary script via unspecified vectors. Recommendations: For versions prior to 7.1.14, update to version 7.1.14 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: WP Fastest Cache versions prior to 0.9.1.7 Description: A directory traversal issue allows a remote attacker with administrator privileges to delete arbitrary files on the server. Recommendations: For WP Fastest Cache versions prior to 0.9.1.7, update to version 0.9.1.7 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Paid Memberships Pro versions prior to 2.5.6 Description: The issue allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors. This can be exploited by attackers to manipulate database queries, potentially leading to unauthorized data access or modification. Recommendations: For versions prior to 2.5.6, update to version 2.5.6 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive database operations to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Simple Download Monitor versions 3.8.8 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands via a specially crafted URL. This can be achieved by exploiting a SQL injection vulnerability. **Recommendations** For Simple Download Monitor versions 3.8.8 and earlier, update to a version later than 3.8.8 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Simple Download Monitor versions 3.8.8 and earlier **Description** A cross-site scripting issue allows remote attackers to inject an arbitrary script via unspecified vectors. **Recommendations** For Simple Download Monitor versions 3.8.8 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** EC-CUBE plugin 'Amazon Pay Plugin 2.12,2.13' version 2.4.2 and earlier **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. **Recommendations** For EC-CUBE plugin 'Amazon Pay Plugin 2.12,2.13' version 2.4.2 and earlier, update to a version later than 2.4.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** EC-CUBE Payment Module (2.12) versions 3.5.23 and earlier EC-CUBE Payment Module (2.11) versions 2.3.17 and earlier GMO-PG Payment Module (PG Multi-Payment Service) (2.12) versions 3.5.23 and earlier GMO-PG Payment Module (PG Multi-Payment Service) (2.11) versions 2.3.17 and earlier **Description** The issue allows an attacker with administrative rights to execute arbitrary PHP code on the server. This can be achieved via unspecified vectors, indicating a potential input validation problem. **Recommendations** For EC-CUBE Payment Module (2.12) versions 3.5.23 and earlier, update to a version later than 3.5.23. For EC-CUBE Payment Module (2.11) versions 2.3.17 and earlier, update to a version later than 2.3.17. For GMO-PG Payment Module (PG Multi-Payment Service) (2.12) versions 3.5.23 and earlier, update to a version later than 3.5.23. For GMO-PG Payment Module (PG Multi-Payment Service) (2.11) versions 2.3.17 and earlier, update to a version later than 2.3.17.

**Name of the Vulnerable Software and Affected Versions** EC-CUBE Payment Module versions 3.5.23 and earlier EC-CUBE Payment Module (2.11) version 2.3.17 and earlier GMO-PG Payment Module (PG Multi-Payment Service) versions 3.5.23 and earlier GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier **Description** A cross-site scripting issue exists, allowing an attacker with administrator rights to inject arbitrary web script or HTML via unspecified vectors. **Recommendations** For EC-CUBE Payment Module versions 3.5.23 and earlier, update to a version later than 3.5.23. For EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, update to a version later than 2.3.17. For GMO-PG Payment Module (PG Multi-Payment Service) versions 3.5.23 and earlier, update to a version later than 3.5.23. For GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier, update to a version later than 2.3.17.

**Name of the Vulnerable Software and Affected Versions** Ultimate Member plugin versions prior to 2.0.4 **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML. **Recommendations** For Ultimate Member plugin versions prior to 2.0.4, update to version 2.0.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Ultimate Member plugin versions prior to 2.0.4 **Description** The issue allows remote authenticated attackers to read arbitrary files due to a directory traversal vulnerability in the shortcodes function. **Recommendations** For versions prior to 2.0.4, update to version 2.0.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Ultimate Member plugin versions prior to 2.0.4 **Description** The issue allows remote authenticated users to upload arbitrary image files. **Recommendations** For versions prior to 2.0.4, update to version 2.0.4 or later to resolve the issue.