Gibran Abdillah

**Name of the Vulnerable Software and Affected Versions** App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress versions prior to 5.5.11 **Description** The software contains a flaw that allows unauthorized privilege escalation. The `verify role()` function in `AuthTrails.php` incorrectly allows the `wcfm vendor` role, alongside `subscriber` and `customer`, and assigns it directly via `wp insert user()` without proper integration with WCFM Marketplace’s vendor approval process. This allows unauthenticated attackers to register an account with the `wcfm vendor` role by manipulating the `role` parameter in the `/wp-json/app-builder/v1/register` API endpoint. Successful exploitation bypasses the standard WCFM vendor approval process, granting immediate vendor-level privileges, including product management, order access, and store management, on sites utilizing WCFM Marketplace. **Recommendations** Versions prior to 5.5.11 should be updated.

**Name of the Vulnerable Software and Affected Versions** KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress versions up to and including 4.1.2 **Description** The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is susceptible to Authentication Bypass. This occurs because the `patientSocialLogin()` function does not validate the social provider access token before authenticating a user. This allows unauthenticated attackers to log in as any registered patient by providing only their email address and an arbitrary value for the access token, bypassing credential verification. Successful exploitation grants access to sensitive medical records, appointments, prescriptions, and billing information, resulting in a potential PII/PHI breach. Authentication cookies are also set for non-patient users, including administrators, even when a 403 response is returned. The vulnerable parameter is the access token used in the `patientSocialLogin()` function. **Recommendations** Versions up to and including 4.1.2 should be updated to a newer, fixed version if available. As a temporary workaround, consider disabling the `patientSocialLogin()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin versions prior to 3.7.1 **Description** The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. The plugin does not implement proper authorization checks within the `wcfm-refund-requests-form` AJAX controller. This allows unauthenticated attackers to generate refund requests for any order ID and item ID. If automatic refund approval is enabled, this could result in financial loss. The vulnerable component allows attackers to bypass authorization controls and directly access and manipulate refund requests. **Recommendations** Update the plugin to a version prior to 3.7.1.

**Name of the Vulnerable Software and Affected Versions** NewsBlogger theme for WordPress versions up to, and including, 0.2.5.4 **Description** The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the `newsblogger install and activate plugin()` function. This makes it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. **Recommendations** For NewsBlogger theme for WordPress versions up to, and including, 0.2.5.4, consider disabling the `newsblogger install and activate plugin()` function until a patch is available to prevent exploitation. Additionally, restrict access to any functionality that relies on this function to minimize the risk of remote code execution.

**Name of the Vulnerable Software and Affected Versions** Newscrunch theme for WordPress versions up to and including 1.8.4 **Description** The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the `newscrunch install and activate plugin()` function. This allows unauthenticated attackers to upload arbitrary files via a forged request if they can trick a site administrator into performing a specific action, such as clicking on a link. **Recommendations** For versions up to and including 1.8.4, consider disabling the `newscrunch install and activate plugin()` function until a patch is available to prevent exploitation. Restrict access to file upload functionality to minimize the risk of arbitrary file uploads.

**Name of the Vulnerable Software and Affected Versions** BookingPress plugin for WordPress versions 1.1.6 through 1.1.7 **Description** The issue is related to authentication bypass due to the plugin not properly verifying a user's identity prior to logging them in when completing a booking. This allows unauthenticated attackers to log in as registered users, including administrators, if they have access to that user's email. The exploitation is only possible when the 'Auto login user after successful booking' setting is enabled. **Recommendations** For versions 1.1.6 through 1.1.7, consider disabling the 'Auto login user after successful booking' setting to prevent exploitation until a patch is available. As a temporary workaround, restrict access to the booking feature to minimize the risk of unauthorized logins. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Materialis theme for WordPress versions up to, and including, 1.1.24 **Description** The issue is due to missing authorization checks on the `companion disable popup()` function called via an AJAX action. This allows authenticated attackers, with minimal permissions such as subscribers, to modify any option on the site to a numerical value. **Recommendations** For versions up to, and including, 1.1.24, consider disabling the `companion disable popup()` function until a patch is available to prevent exploitation. Restrict access to the AJAX action that calls this function to minimize the risk of unauthorized option modifications.

**Name of the Vulnerable Software and Affected Versions** The Salon booking system plugin for WordPress versions up to, and including, 10.2 **Description** The issue is related to arbitrary file uploads due to missing file type validation in the `SLN Action Ajax ImportAssistants` function, along with missing authorization checks. This allows unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible. **Recommendations** For versions up to, and including, 10.2, consider disabling the `SLN Action Ajax ImportAssistants` function until a patch is available to prevent arbitrary file uploads. Restrict access to the affected plugin to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ovic Responsive WPBakery WordPress plugin versions prior to 1.2.9 **Description** The issue allows attackers with a subscriber+ account to update blog options, such as `users can register` and `default role`, via some of its AJAX actions. It also unserializes user input, which may lead to Object Injection attacks. **Recommendations** For versions prior to 1.2.9, update to version 1.2.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the AJAX actions that update blog options to minimize the risk of exploitation. Avoid using the `users can register` and `default role` options in the affected AJAX actions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Jquery Validation For Contact Form 7 WordPress plugin versions prior to 5.3 **Description** The issue is related to the lack of a CSRF check when updating the plugin's settings. This could allow attackers to make a logged-in admin change blog options, such as `default role` and `users can register`, via a CSRF attack. **Recommendations** For versions prior to 5.3, update to version 5.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the settings update functionality to minimize the risk of exploitation.