H0Xilo

**Name of the Vulnerable Software and Affected Versions** ARMember Premium versions prior to 7.3.1 **Description** The ARMember Premium plugin for WordPress contains an insecure password reset mechanism. **Recommendations** Update to version 7.3.1.

**Name of the Vulnerable Software and Affected Versions** ARMember Premium versions prior to 7.3.2 **Description** An issue exists where unauthenticated attackers can append additional SQL queries to existing ones to extract sensitive information from the database. This occurs due to insufficient escaping of the `order` and `orderby` parameters and a lack of sufficient preparation of the SQL query within the `arm get directory members()` function. The flaw is triggered via the 'order' parameter of the 'arm directory paging action' AJAX action endpoint. **Recommendations** Update the plugin to a version later than 7.3.1. As a temporary workaround, restrict access to the 'arm directory paging action' AJAX action or avoid using the `order` and `orderby` parameters until the update is applied.

**Name of the Vulnerable Software and Affected Versions** ARMember Premium versions prior to 7.3.2 **Description** An SQL Injection issue exists in the ARMember Premium plugin for WordPress. The `get private content data` AJAX action fails to properly sanitize the `sSortDir 0` parameter, which is concatenated directly into the ORDER BY clause of an SQL query without a whitelist check. This allows authenticated attackers with Subscriber-level access or higher to append additional SQL queries to extract sensitive information from the database. This issue is only exploitable if the User Private Content addon is enabled. **Recommendations** Update to a version newer than 7.3.1. As a temporary mitigation, disable the User Private Content addon.

**Name of the Vulnerable Software and Affected Versions** Wishlist Member versions prior to 3.30.2 **Description** The Wishlist Member plugin for WordPress allows unauthorized modification of data because the `save settings()` function in `WishListMemberFeaturesTeam Accounts` lacks a capability check. Authenticated attackers with Subscriber-level access or higher can update arbitrary plugin options, including the REST API Secret Key. This can be leveraged to create a new membership level with the administrator WordPress role and register an administrator-level user account, leading to a complete site takeover. **Recommendations** Update to a version newer than 3.30.1. As a temporary workaround, restrict access to the `save settings()` function to prevent unauthorized users from modifying plugin settings.

**Name of the Vulnerable Software and Affected Versions** Wishlist Member versions prior to 3.30.2 **Description** The Wishlist Member plugin for WordPress allows unauthorized modification of data because of a missing capability check in the `generate api key()` function. Authenticated attackers with Subscriber-level access or higher can update the REST API Secret Key. This allows for the creation of a new membership level assigned the administrator WordPress role and the registration of an arbitrary administrator-level user account, leading to a complete site takeover. **Recommendations** Update to a version newer than 3.30.1. As a temporary workaround, restrict access to the `generate api key()` function to prevent unauthorized users from modifying the API Secret Key.

**Name of the Vulnerable Software and Affected Versions** WishList Member versions prior to 3.30.2 **Description** An issue exists where missing authorization allows for privilege escalation. The `ajax get screen()` function fails to perform necessary capability and nonce checks. Authenticated attackers with Subscriber-level access or higher can provide an arbitrary admin screen identifier through the `data[url]` parameter. This action causes the plugin to load and execute the administrative API configuration template without authorization, returning the plugin's plaintext REST API Secret Key within the AJAX JSON response. An attacker possessing this key can authenticate to the API, create a membership level with the administrator WordPress role, and register an administrator-level user account, leading to a complete site takeover. **Recommendations** Update to a version later than 3.30.1. As a temporary workaround, restrict access to the `ajax get screen()` function to prevent unauthorized users from triggering the administrative API configuration template.

**Name of the Vulnerable Software and Affected Versions** WishList Member versions prior to 3.30.2 **Description** Missing authorization in the `export settings()` function allows for sensitive information disclosure and privilege escalation. The function fails to perform capability checks, enabling an attacker to retrieve the REST API Secret Key via an AJAX JSON response. With this key, an attacker can authenticate to the WishList Member API, create a new membership level with the administrator WordPress role, and register an arbitrary administrator-level user account, leading to a complete site takeover. **Recommendations** Update to a version later than 3.30.1. As a temporary workaround, restrict access to the `export settings()` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Slider Revolution versions 7.0.0 through 7.0.10 **Description** Insufficient file type validation in the ` get media url()` and ` check file path()` functions allows authenticated attackers with subscriber-level access or higher to perform an Arbitrary File Upload. This flaw enables the upload of executable files, which can lead to remote code execution (the ability to run arbitrary commands on the server). **Recommendations** Update to version 7.0.11.