Huy Tran

**Name of the Vulnerable Software and Affected Versions** Hostel versions prior to 1.1.7 **Description** The Hostel plugin for WordPress contains a Reflected Cross-Site Scripting issue caused by insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts into pages via the `shortcode id` parameter, which execute when a user is tricked into clicking a malicious link. **Recommendations** Update to a version later than 1.1.6. As a temporary workaround, restrict or sanitize the use of the `shortcode id` parameter.

**Name of the Vulnerable Software and Affected Versions** WordPress Community Events plugin versions through 1.5.8 **Description** The WordPress Community Events plugin is susceptible to SQL Injection through the `ce venue name` field within CSV files. This occurs due to inadequate escaping of user-provided CSV data and insufficient preparation of existing SQL queries in the `on save changes venues` function. An authenticated attacker with Administrator-level access or higher can inject additional SQL queries by uploading a specially crafted CSV file, potentially extracting sensitive information from the database. **Recommendations** Update the WordPress Community Events plugin to a version newer than 1.5.8.

**Name of the Vulnerable Software and Affected Versions** Community Events plugin for WordPress versions prior to 1.5.8 **Description** The Community Events plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is due to inadequate input sanitization and output escaping of the `ce venue name` parameter. An authenticated attacker with administrator-level access or higher can inject malicious web scripts into pages. These scripts will then execute whenever a user accesses the compromised page. **Recommendations** Update the Community Events plugin to version 1.5.8 or later.

**Name of the Vulnerable Software and Affected Versions** The Ebook Store plugin for WordPress versions prior to 5.8012 **Description** The Ebook Store plugin for WordPress is susceptible to Stored Cross-Site Scripting via the Order Details. Insufficient input sanitization and output escaping allows authenticated attackers with administrator-level access to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. This issue only affects multi-site installations and installations where unfiltered html has been disabled. **Recommendations** Update The Ebook Store plugin to a version later than 5.8012.