Hunter Jensen

**Name of the Vulnerable Software and Affected Versions** Open User Map PRO versions prior to 1.4.32 **Description** The Open User Map PRO plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs because of insufficient input sanitization and output escaping involving the `oum location notification` parameter. Unauthenticated attackers can exploit this to inject arbitrary web scripts into pages, which then execute when a user accesses the affected page. **Recommendations** Update to a version later than 1.4.31. As a temporary workaround, restrict or disable the use of the `oum location notification` parameter to minimize the risk of exploitation.

The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.4.2.6. The plugin protects its entire /wp-json/pos-bridge/* REST API namespace through the oliver pos rest authentication() permission callback, which uses a loose PHP comparison (==) to compare the attacker-supplied 'OliverAuth' header value against the 'oliver pos authorization token' option. On fresh installations where the admin has not yet completed the connection flow, this option is unset (get option returns false). Due to PHP's type juggling, the loose comparison '0' == false evaluates to true, allowing an unauthenticated attacker to bypass authentication by sending 'OliverAuth: 0'. This grants full access to all POS API endpoints, enabling attackers to read user data (including administrator details), update user profiles (including email addresses), and delete non-admin users. An admin account email reset can lead to site takeover.

**Name of the Vulnerable Software and Affected Versions** AWP Classifieds versions prior to 4.4.6 **Description** Insufficient escaping of user-supplied parameters and lack of proper preparation in SQL queries allow unauthenticated attackers to append additional SQL queries. This issue occurs via the `regions` parameter array keys, enabling the extraction of sensitive information from the database. **Recommendations** Update to a version later than 4.4.5. Avoid using the `regions` parameter until the update is applied.

**Name of the Vulnerable Software and Affected Versions** User Registration & Membership plugin for WordPress versions prior to 5.1.5 **Description** A missing capability check in the `embed form action()` function allows authenticated attackers with Contributor-level access or higher to perform unauthorized modification of data. This flaw enables these users to append shortcode content to arbitrary pages that they do not own or have permission to edit. **Recommendations** Update the plugin to version 5.1.5 or later. As a temporary workaround, restrict access to the `embed form action()` function for users with Contributor-level permissions.

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save course content order()` private method, which is called unconditionally by the `tutor update course content order` AJAX handler. While the handler's `content parent` branch includes a `can user manage()` check, the `save course content order()` call processes attacker-supplied `tutor topics lessons sorting` JSON without any ownership or capability verification. This makes it possible for authenticated attackers with Subscriber-level access or above to detach lessons from topics, reorder course content, and reassign lessons between topics in any course, including admin-owned courses, by sending a crafted AJAX request with manipulated topic and lesson IDs.

Name of the Vulnerable Software and Affected Versions MainWP Child Reports versions up to and including 2.2.6 Description The MainWP Child Reports plugin for WordPress has a missing authorization check in the `heartbeat received()` function within the Live Update class. This allows authenticated attackers with Subscriber-level access or higher to retrieve MainWP Child Reports activity log entries, including action summaries, user information, IP addresses, and contextual data, through the WordPress Heartbeat API by sending a crafted heartbeat request with the `wp-mainwp-stream-heartbeat` data key. Recommendations Update MainWP Child Reports to a version later than 2.2.6.

**Name of the Vulnerable Software and Affected Versions** Amelia Booking plugin for WordPress versions up to 9.1.2 **Description** The Amelia Booking plugin for WordPress is susceptible to Insecure Direct Object References. The plugin allows user-controlled access to objects, potentially enabling a user to bypass authorization and access system resources. Authenticated attackers with customer-level permissions or above may be able to change user passwords and potentially gain control of administrator accounts. The issue exists in the pro plugin. **Recommendations** Update the Amelia Booking plugin to a version later than 9.1.2.

**Name of the Vulnerable Software and Affected Versions** Masteriyo LMS plugin for WordPress versions prior to 2.1.7 **Description** The Masteriyo LMS plugin for WordPress is susceptible to a privilege escalation issue. An authenticated attacker with Student-level access or higher can elevate their privileges to that of an administrator. This is possible due to the plugin allowing a user to update their user role through the `InstructorsController::prepare object for database` function. The vulnerable API endpoint is not explicitly mentioned. The vulnerable parameter is not explicitly mentioned. **Recommendations** Update the Masteriyo LMS plugin to version 2.1.7 or later.

**Name of the Vulnerable Software and Affected Versions** Expire Users plugin for WordPress versions through 1.2.2 **Description** The Expire Users plugin for WordPress is susceptible to a privilege escalation issue. This occurs because the plugin permits a user to modify the `on expire default to role` meta data through the `save extra user profile fields` function. Authenticated attackers possessing Subscriber-level access or higher can exploit this to elevate their privileges to administrator level. **Recommendations** Versions prior to and including 1.2.2 should be updated to a newer, fixed version when available.

**Name of the Vulnerable Software and Affected Versions** Calculated Fields Form plugin for WordPress versions up to and including 5.4.5.0 **Description** The Calculated Fields Form plugin for WordPress is susceptible to Stored Cross-Site Scripting through the form settings. This is caused by inadequate capability checks during the form settings save process and insufficient sanitization of the `fcontent` field within `fhtml` field types. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, which will execute when a user accesses the affected page. The vulnerable component is the form settings save handler. The vulnerable parameter is `fcontent`. **Recommendations** Update the Calculated Fields Form plugin to a version later than 5.4.5.0.