Hayato Takizawa

**Name of the Vulnerable Software and Affected Versions** Link Optimizer Lite plugin for WordPress versions up to, and including 1.4.5 **Description** The issue is due to missing nonce validation on the `admin page` function found in the `admin.php` file. This allows unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. **Recommendations** For versions up to, and including 1.4.5, update to a version that includes nonce validation on the `admin page` function to prevent Cross-Site Request Forgery to Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the `admin.php` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** uContext for Amazon plugin for WordPress versions up to, and including 3.9.1 **Description** The issue is related to Cross-Site Request Forgery to Cross-Site Scripting due to missing nonce validation in the ~/app/sites/ajax/actions/keyword save.php file, which is called via the `doAjax()` function. This allows unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. **Recommendations** For versions up to, and including 3.9.1, update to a version that includes nonce validation to prevent Cross-Site Request Forgery attacks. As a temporary workaround, consider restricting access to the `~/app/sites/ajax/actions/keyword save.php` file to minimize the risk of exploitation. Additionally, restrict the use of the `doAjax()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** uContext for Clickbank plugin for WordPress versions up to, and including 3.9.1 **Description** The issue is due to missing nonce validation in the ~/app/sites/ajax/actions/keyword save.php file, which is called via the `doAjax()` function. This allows unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. **Recommendations** For versions up to, and including 3.9.1, update to a version that includes nonce validation to prevent Cross-Site Request Forgery to Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the ~/app/sites/ajax/actions/keyword save.php file to minimize the risk of exploitation.