Harald Eilertsen

**Name of the Vulnerable Software and Affected Versions** 3DPrint WordPress plugin versions prior to 3.5.6.9 **Description** The issue allows an attacker to craft a malicious request, exploiting the lack of protection against CSRF attacks in the modified version of Tiny File Manager. This can trick a logged-in admin into submitting a form that creates an archive of any files or directories on the target server. The created archive has a predictable location and name, allowing the attacker to download the file if they know the time at which the form was submitted. This makes it possible to leak sensitive files, such as the WordPress configuration containing database credentials and secrets. **Recommendations** For versions prior to 3.5.6.9, update to version 3.5.6.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the Tiny File Manager module to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Loan Comparison WordPress plugin versions prior to 1.5.3 **Description** The issue allows an attacker to inject javascript into a site via a crafted URL, as the plugin does not validate and escape some of its query parameters before outputting them back in a page/post via an embedded shortcode. **Recommendations** For versions prior to 1.5.3, update to version 1.5.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of embedded shortcodes until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Ask me WordPress theme versions prior to 6.8.4 **Description** The issue allows an attacker to trick a user into changing their profile information by sending a crafted request to the Edit Profile page, due to the lack of nonce checks when processing POST requests. **Recommendations** For versions prior to 6.8.4, update to version 6.8.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the Edit Profile page until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Member Hero WordPress plugin versions 1.0.0 through 1.0.9 **Description** The issue lacks authorization checks and does not validate the `a` request parameter in an AJAX action, allowing unauthenticated users to call arbitrary PHP functions with no arguments. **Recommendations** For Member Hero WordPress plugin versions 1.0.0 through 1.0.9, update to a version that includes the necessary authorization checks and input validation to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ask me WordPress theme versions prior to 6.8.2 **Description** The issue allows an attacker to trick logged-in users into performing various actions on their behalf on the site due to the lack of CSRF checks for AJAX actions. **Recommendations** For versions prior to 6.8.2, update to version 6.8.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** School Management WordPress plugin versions prior to 9.9.7 **Description** The issue is related to an obfuscated backdoor injected in the license checking code of the School Management WordPress plugin, which registers a REST API handler. This allows an unauthenticated attacker to execute arbitrary PHP code on the site, potentially leading to full control over the application. The estimated number of potentially affected devices worldwide is over 340,000, as the plugin's creator, Weblizar, claims to have more than 340,000 clients using its premium and free WordPress themes and plugins. The vulnerability was discovered in the premium versions of the plugin prior to 9.9.7 and is considered highly severe. **Recommendations** For School Management WordPress plugin versions prior to 9.9.7, update the plugin to version 9.9.7 or later to prevent exploitation. As a temporary workaround, consider disabling the REST API handler registered by the plugin's license checking code until a patch is available. Restrict access to the plugin's license checking functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** AccessPress Themes plugins and themes versions (affected versions not specified) **Description** The AccessPress Themes vendor's website was compromised, resulting in numerous plugins and themes being backdoored. Only plugins and themes downloaded via the vendor's website are affected, while those hosted on wordpress.org are not. The affected plugins and themes have been updated or removed to avoid confusion. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Software License Manager WordPress plugin versions prior to 4.5.1 **Description** The issue concerns a lack of CSRF checks in the `del reistered domains` AJAX action, making it susceptible to a CSRF attack. This allows an attacker to potentially manipulate the deletion of registered domains without proper validation. **Recommendations** For versions prior to 4.5.1, update to version 4.5.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `del reistered domains` AJAX action to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Workreap WordPress theme versions prior to 2.2.2 **Description** The issue concerns missing authorization checks in several AJAX actions, allowing a logged-in user to modify or delete objects belonging to other users on the site. This affects critical operations such as modifying or deleting objects. **Recommendations** For versions prior to 2.2.2, update to version 2.2.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Workreap WordPress theme versions prior to 2.2.2 **Description** The issue allows an attacker to trick a logged-in user into submitting a POST request to the vulnerable site, potentially modifying or deleting arbitrary objects on the target site. This is due to several AJAX actions lacking CSRF protections and allowing insecure direct object references that were not validated. **Recommendations** For Workreap WordPress theme versions prior to 2.2.2, update to version 2.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the AJAX actions until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Workreap WordPress theme versions prior to 2.2.2 **Description** The issue allows unauthenticated visitors to upload arbitrary files, including executable code like php scripts, to the uploads/workreap-temp directory due to the lack of nonce checks and validation in the `workreap award temp file uploader` and `workreap temp file uploader` AJAX actions. The uploaded files are not sanitized or validated. **Recommendations** For versions prior to 2.2.2, update to version 2.2.2 or later to resolve the issue. As a temporary workaround, consider disabling the `workreap award temp file uploader` and `workreap temp file uploader` functions until a patch is available. Restrict access to the uploads/workreap-temp directory to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Motor WordPress theme versions prior to 3.1.0 **Description** The issue is related to a lack of authentication or validation in certain AJAX handlers, specifically `motor load more`, `motor gallery load more`, `motor quick view`, and `motor project quick view`, which can allow an unauthenticated attacker to access arbitrary files on the server file system and execute arbitrary PHP scripts already present on the server. There is no vulnerability found for uploading files with this theme, meaning any executable scripts must already exist on the server. **Recommendations** For Motor WordPress theme versions prior to 3.1.0, update to version 3.1.0 or later to resolve the issue. As a temporary workaround, consider disabling the `motor load more`, `motor gallery load more`, `motor quick view`, and `motor project quick view` functions until a patch is applied. Restrict access to these AJAX handlers to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Business Hours Pro WordPress plugin versions prior to 5.5.1 **Description** The issue allows a remote attacker to upload arbitrary files using the manual update functionality, leading to an unauthenticated remote code execution. **Recommendations** For Business Hours Pro WordPress plugin versions prior to 5.5.1, update to version 5.5.1 or later to resolve the issue.