Gennady Kovshenin

**Name of the Vulnerable Software and Affected Versions** StoreApps Affiliate For WooCommerce premium plugin versions prior to 4.7.0 **Description** The issue concerns Multiple Improper Access Control vulnerabilities. **Recommendations** For versions prior to 4.7.0, update to version 4.7.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WordPress embed-comment-images plugin versions prior to 0.6 **Description** The issue allows for cross-site scripting (XSS) attacks. **Recommendations** For versions prior to 0.6, update the embed-comment-images plugin to version 0.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** FancyBox for WordPress versions prior to 3.0.3 **Description** The issue allows remote attackers to conduct cross-site scripting (XSS) attacks via a `mfbfw[*]` parameter in an update action to "wp-admin/admin-post.php". This has been exploited in the wild, as demonstrated by the `mfbfw[padding]` parameter. **Recommendations** For versions prior to 3.0.3, update to version 3.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "wp-admin/admin-post.php" endpoint to minimize the risk of exploitation. Avoid using the `mfbfw[*]` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 3.5.1 **Description** The issue allows remote attackers to send HTTP requests to intranet servers and conduct port-scanning attacks by specifying a crafted source URL for a pingback, related to a Server-Side Request Forgery (SSRF) issue. This affects the XMLRPC API. **Recommendations** For versions prior to 3.5.1, update to version 3.5.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the XMLRPC API until the update is applied.