Ghsinfosec

**Name of the Vulnerable Software and Affected Versions** 6Storage Rentals versions n/a through 2.19.5 **Description** The issue is related to a Missing Authorization vulnerability, which allows exploitation of incorrectly configured access control security levels. **Recommendations** For versions n/a through 2.19.5, update to a version that contains a fix for this issue, as the current version allows exploitation of access control security levels due to missing authorization.

**Name of the Vulnerable Software and Affected Versions** Booking and Rental Manager versions 2.3.8 and earlier **Description** The issue is related to a Missing Authorization vulnerability, which allows accessing functionality not properly constrained by ACLs. **Recommendations** For versions 2.3.8 and earlier, update to a version that properly constrains functionality with ACLs to prevent unauthorized access. As a temporary workaround, consider restricting access to sensitive functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Plugin Devs Blog, Posts and Category Filter for Elementor versions n/a through 2.0.1 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting. This allows for Stored XSS attacks. **Recommendations** For Plugin Devs Blog, Posts and Category Filter for Elementor versions n/a through 2.0.1, update to a version later than 2.0.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Realty Workstation versions 1.0.45 and earlier **Description** The issue is related to a lack of proper authorization in Realty Workstation, allowing access to functions not correctly limited by access control lists. **Recommendations** For versions 1.0.45 and earlier, consider restricting access to sensitive functions until a proper fix is applied, ensuring that access control lists are properly configured to limit unauthorized access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Motors – Car Dealer, Classifieds & Listing plugin for WordPress versions 1.4.43 and earlier **Description** The issue allows authenticated attackers with Subscriber-level access and above to execute arbitrary shortcodes due to the software permitting users to execute an action without properly validating a value before running `do shortcode`. This enables the execution of arbitrary shortcodes. **Recommendations** For versions 1.4.43 and earlier, update to a version later than 1.4.43 to resolve the issue. As a temporary workaround, consider restricting access to the `do shortcode` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WP Hait Post Grid Elementor Addon versions prior to 2.0.19 **Description** The issue is related to improper neutralization of input during web page generation, allowing stored Cross-site Scripting (XSS). This enables attackers to inject malicious scripts into the website, potentially affecting user sessions. **Recommendations** For versions prior to 2.0.19, update to version 2.0.19 or later to resolve the issue. As a temporary workaround, consider restricting access to the `WP Hait Post Grid Elementor Addon` until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Saksh Escrow System versions n/a through 2.4 **Description** The issue is related to an SQL Injection vulnerability due to improper neutralization of special elements used in an SQL command. This allows for SQL Injection, potentially enabling malicious actors to manipulate data. **Recommendations** For Saksh Escrow System versions n/a through 2.4, update to a version that includes a fix for this issue to prevent cyber attacks. As a temporary workaround, consider restricting access to sensitive data and ensuring proper input validation to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Saul Morales Pacheco Banner System versions n/a through 1.0.0 Description: The issue is related to a Missing Authorization vulnerability, which allows exploiting incorrectly configured access control security levels. Recommendations: For Saul Morales Pacheco Banner System versions n/a through 1.0.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Wp NssUser Register versions n/a through 1.0.0 Description: The issue is related to an incorrect privilege assignment in the nssTheme Wp NssUser Register, allowing privilege escalation. Recommendations: For versions n/a through 1.0.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Plugin Devs Post Carousel Slider for Elementor versions 1.4.0 and earlier **Description** The issue is related to improper neutralization of input during web page generation, which allows for stored Cross-site Scripting (XSS). This means that an attacker can inject malicious scripts into the website, potentially leading to unauthorized access or control. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For Plugin Devs Post Carousel Slider for Elementor versions 1.4.0 and earlier, update to a version later than 1.4.0 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Pathomation versions n/a through 2.5.1 **Description** The issue allows for the unrestricted upload of files with dangerous types, enabling the upload of a web shell to a web server. This can be exploited by uploading harmful files. **Recommendations** For Pathomation versions n/a through 2.5.1, as a temporary workaround, consider restricting file uploads to prevent the upload of harmful files until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LA-Studio Element Kit for Elementor plugin for WordPress versions up to, and including, 1.4.2 **Description** The issue allows authenticated attackers with Contributor-level access and above to include and execute arbitrary files on the server via the ` load template` function. This enables the execution of any PHP code in those files, which can be used to bypass access controls, obtain sensitive data, or achieve code execution, especially in cases where images and other “safe” file types can be uploaded and included. **Recommendations** For versions up to, and including, 1.4.2, consider disabling the ` load template` function as a temporary workaround until a patch is available. Restrict access to sensitive files and directories to minimize the risk of exploitation. Avoid uploading executable files or any files that could be used to execute malicious code. Update to a version that fixes this issue once it becomes available.

**Name of the Vulnerable Software and Affected Versions** Saul Morales Pacheco Banner System versions n/a through 1.0.0 **Description** The issue is related to improper neutralization of input during web page generation, which allows for Stored XSS. This means that an attacker can inject malicious scripts into the system, potentially affecting users who access the compromised web pages. **Recommendations** For Saul Morales Pacheco Banner System versions n/a through 1.0.0, as a temporary workaround, consider restricting user input to prevent malicious script injection until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ThimPress WP Hotel Booking versions through 2.1.4 **Description** A Path Traversal vulnerability exists in ThimPress WP Hotel Booking, allowing PHP Local File Inclusion. **Recommendations** For versions through 2.1.4, update to a version later than 2.1.4 to resolve the issue. As a temporary workaround, consider restricting access to sensitive files and directories to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Chetan Khandla Woocommerce Product Design versions 1.0.0 and earlier Description: The issue is related to an Improper Limitation of a Pathname to a Restricted Directory, also known as a Path Traversal vulnerability. This allows for Path Traversal, which can potentially be exploited. Recommendations: For Chetan Khandla Woocommerce Product Design versions 1.0.0 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WPKoi Templates for Elementor versions 3.1.0 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). This allows for Stored XSS attacks. **Recommendations** For versions 3.1.0 and earlier, update to a version later than 3.1.0 to resolve the issue. At the moment, there is no information about other specific mitigation measures for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Exam Matrix versions 1.5 and earlier Description: The issue affects Exam Matrix, allowing privilege escalation due to incorrect privilege assignment. Recommendations: For Exam Matrix versions 1.5 and earlier, update to a version that contains a fix for this issue, if available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Realty Workstation versions 1.0.0 through 1.0.45 Description: The issue is related to an Authentication Bypass Using an Alternate Path or Channel vulnerability in Realty Workstation, allowing unauthorized access. Recommendations: For versions 1.0.0 through 1.0.45, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Woocommerce Product Design versions 1.0.0 and earlier **Description** The issue is related to an improper limitation of a pathname to a restricted directory, also known as a Path Traversal vulnerability. This allows for potential unauthorized access to read, modify, or delete data. The vulnerability can be exploited by a remote attacker. **Recommendations** For Woocommerce Product Design versions 1.0.0 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** INK Official versions n/a through 4.1.2 **Description** The issue allows for the unrestricted upload of files with dangerous types, enabling an attacker to upload a web shell to a web server. **Recommendations** For versions n/a through 4.1.2, update to a version that contains a fix for this issue, as using an unrestricted file upload functionality poses a significant risk. At the moment, there is no information about a newer version that contains a fix for this vulnerability.