German

**Name of the Vulnerable Software and Affected Versions** Widgets for Social Photo Feed versions prior to 1.9 **Description** Missing capability checks on the '/trustindex feed hook instagram/troubleshooting' and '/trustindex feed hook instagram/submit-data' REST API endpoints allow unauthenticated attackers to access and modify plugin settings. **Recommendations** Update to a version later than 1.8. As a temporary workaround, restrict access to the '/trustindex feed hook instagram/troubleshooting' and '/trustindex feed hook instagram/submit-data' endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CTX Feed – WooCommerce Product Feed Manager plugin for WordPress versions through 6.6.11 **Description** The CTX Feed – WooCommerce Product Feed Manager plugin for WordPress has a flaw that allows unauthorized arbitrary plugin installation. This is due to a missing capability check within the `woo feed plugin installing()` function. Attackers with Shop Manager-level access or higher can exploit this to install plugins, potentially leading to remote code execution. **Recommendations** Update CTX Feed – WooCommerce Product Feed Manager plugin to a version later than 6.6.11.

**Name of the Vulnerable Software and Affected Versions** WooCommerce Square versions prior to 5.1.2 **Description** The WooCommerce Square plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. This is due to a lack of validation on a user-controlled key within the `get token by id` function. An unauthenticated attacker can exploit this to reveal arbitrary Square “ccof” (credit card on file) values. This exposed value could potentially be used to make unauthorized charges on the affected site. **Recommendations** Update WooCommerce Square to version 5.1.2 or later.

**Name of the Vulnerable Software and Affected Versions** weDocs plugin for WordPress versions prior to 2.1.16 **Description** The weDocs plugin for WordPress is susceptible to sensitive information disclosure. Unauthenticated attackers can extract sensitive data, including API keys for third-party services, through the `/wp-json/wp/v2/docs/settings` API endpoint. The vulnerable parameter is not specified. **Recommendations** Update the weDocs plugin to version 2.1.16 or later.

**Name of the Vulnerable Software and Affected Versions** Survey Maker plugin for WordPress versions up to and including 5.1.9.4 **Description** The software is susceptible to unauthorized data access. This is due to a missing capability check on the `ays survey show results` API endpoint. This allows unauthenticated attackers to view all survey submissions. **Recommendations** Update the Survey Maker plugin to a version newer than 5.1.9.4.

**Name of the Vulnerable Software and Affected Versions** Survey Maker plugin for WordPress versions up to and including 5.1.9.4 **Description** The software is susceptible to unauthorized data modification. This is due to a missing capability check within the `deactivate plugin option()` function. This allows unauthenticated attackers to update the `ays survey maker upgrade plugin` option. **Recommendations** Update the Survey Maker plugin to a version later than 5.1.9.4.

**Name of the Vulnerable Software and Affected Versions** GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress versions prior to 2.8.139 **Description** The GeoDirectory plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. This flaw stems from a lack of validation on a user-controlled key within the `post attachment upload` function. Authenticated attackers possessing author-level access or higher can exploit this to attach arbitrary image files to unintended locations. **Recommendations** Update to a version beyond 2.8.139.