Hardik Patel

**Name of the Vulnerable Software and Affected Versions** WP GDPR Cookie Consent versions prior to 1.0.1 **Description** The plugin is subject to Stored Cross-Site Scripting. Authenticated attackers with subscriber-level access or higher can inject arbitrary web scripts into pages. This occurs because the `handleAjaxCalls()` function lacks capability and nonce checks for the 'ninja gdpr ajax actions' AJAX action. Additionally, there is insufficient input sanitization for `gdprConfig` values and a lack of output escaping in the `generateCSS()` function, which echoes stored configuration values directly into a style block rendered on the page head. **Recommendations** Update to a version later than 1.0.0. As a temporary mitigation, restrict access to the 'ninja gdpr ajax actions' AJAX action or disable the `handleAjaxCalls()` function.

**Name of the Vulnerable Software and Affected Versions** Multi-column Tag Map versions prior to 17.0.40 **Description** The Multi-column Tag Map plugin for WordPress is susceptible to Stored Cross-Site Scripting through admin settings. Insufficient input sanitization and output escaping allow authenticated attackers with administrator-level permissions or higher to inject arbitrary web scripts into pages. These scripts execute when a user accesses the injected page. This issue specifically impacts multi-site installations and those where unfiltered html has been disabled. **Recommendations** Update Multi-column Tag Map to version 17.0.40 or later.

**Name of the Vulnerable Software and Affected Versions** GSheetConnector For Ninja Forms plugin for WordPress versions up to and including 2.0.1 **Description** The GSheetConnector For Ninja Forms plugin for WordPress has a flaw that allows unauthorized access to data. This is due to a missing capability check on the 'njform-google-sheet-config' page. Authenticated attackers with Subscriber-level access or higher can retrieve system information. **Recommendations** Update GSheetConnector For Ninja Forms plugin for WordPress to a version later than 2.0.1.

**Name of the Vulnerable Software and Affected Versions** Add Multiple Marker plugin for WordPress versions up to and including 1.2 **Description** The Add Multiple Marker plugin for WordPress is susceptible to unauthorized data modification because of a missing capability check in the `addmultiplemarker reset map()` and `amm save map api()` functions. This allows unauthenticated attackers to update the map API and reset maps. **Recommendations** Update the Add Multiple Marker plugin to a version later than 1.2.