Huynh Tien Si

**Name of the Vulnerable Software and Affected Versions** Metaphor Creations Post Duplicator versions through 2.31 **Description** The issue is related to a Missing Authorization vulnerability, which allows exploiting incorrectly configured access control security levels. **Recommendations** For versions through 2.31, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** 5 Star Plugins Easy Age Verify versions 1.8.2 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). This allows for Stored XSS attacks. **Recommendations** For versions 1.8.2 and earlier, update to a version that contains a fix for this issue, as the current version is affected by the Stored XSS vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Icegram versions 3.1.21 and earlier **Description** The issue is related to a Missing Authorization vulnerability in Icegram. This vulnerability allows unauthorized access. **Recommendations** For Icegram versions 3.1.21 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Form Maker by 10Web versions 1.15.24 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting. This allows for Stored XSS attacks. **Recommendations** For versions 1.15.24 and earlier, update to a version later than 1.15.24 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WP Favorite Posts versions 1.6.8 and earlier **Description** A Cross-Site Request Forgery (CSRF) issue has been identified. This type of issue allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For versions 1.6.8 and earlier, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP Dummy Content Generator versions 3.1.2 and earlier **Description** The issue is related to a Missing Authorization vulnerability in the WP Dummy Content Generator plugin for WordPress. This vulnerability allows for a security bypass. **Recommendations** For versions 3.1.2 and earlier, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Timersys WP Popups versions n/a through 2.1.5.5 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, allowing Stored XSS. This means that an attacker can inject malicious scripts into the website, which can then be executed by other users. **Recommendations** For versions n/a through 2.1.5.5, update to a version later than 2.1.5.5 to resolve the issue. As a temporary workaround, consider restricting user input to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Advanced Flamingo versions n/a through 1.0 **Description** The issue is a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For versions n/a through 1.0, update to a version that includes a fix for this issue, as no specific mitigation measures are provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MW WP Form versions n/a through 5.0.6 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Stored XSS. This means that an attacker can inject malicious scripts into the website, potentially affecting users who access the compromised page. **Recommendations** For MW WP Form versions n/a through 5.0.6, update to a version later than 5.0.6 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CRM Perks Forms – WordPress Form Builder versions 1.1.2 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Stored XSS. This means that an attacker can inject malicious scripts into the website, potentially leading to unauthorized access or control. **Recommendations** For versions 1.1.2 and earlier, update to a version later than 1.1.2 to resolve the issue. As a temporary workaround, consider restricting access to the CRM Perks Forms – WordPress Form Builder plugin until a patch is available. Avoid using the plugin for sensitive operations until the issue is resolved. At the moment, there is no information about additional mitigation measures.

**Name of the Vulnerable Software and Affected Versions** Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building versions through 3.1.19 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as 'Cross-site Scripting'. This allows Stored XSS. **Recommendations** For versions through 3.1.19, update to a version later than 3.1.19 to resolve the issue. As a temporary workaround, consider restricting user input to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content versions n/a through 0.6.2 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting. This allows for Stored XSS. **Recommendations** For versions n/a through 0.6.2, update to a version later than 0.6.2 to resolve the issue. As a temporary workaround, consider restricting user input to prevent potential exploitation of the Stored XSS vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Chatbot for WordPress plugin for WordPress version 2.3.9 **Description** The issue is related to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue only affects multi-site installations and installations where unfiltered html has been disabled. **Recommendations** For version 2.3.9, update to a newer version that addresses the insufficient input sanitization and output escaping issue to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to admin settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ibericode HTML Forms versions 1.3.28 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Stored XSS. This means that an attacker can inject malicious scripts into the website, potentially affecting users who access the compromised page. **Recommendations** For versions 1.3.28 and earlier, update to a version later than 1.3.28 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Delete Duplicate Posts versions n/a through 4.8.9 **Description** The issue is related to a Missing Authorization vulnerability in Clever plugins, specifically in the Delete Duplicate Posts plugin. This vulnerability allows accessing functionality not properly constrained by Access Control Lists (ACLs). **Recommendations** For versions n/a through 4.8.9, update to a version that properly constrains functionality with ACLs to prevent unauthorized access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Website Optimization – Plerdy plugin for WordPress versions up to, and including, 1.3.2 **Description** The issue is related to Stored Cross-Site Scripting via the plugin's tracking code settings due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrator-level access to inject arbitrary web scripts in pages, which will execute when a user accesses an injected page. The issue specifically affects multi-site installations and installations where unfiltered html has been disabled. **Recommendations** For versions up to, and including, 1.3.2, update to a version that includes the necessary input sanitization and output escaping fixes to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting administrator-level access and monitoring page content for injected scripts. Additionally, enabling unfiltered html, if feasible, may mitigate the risk, but this should be carefully considered against potential security trade-offs.

**Name of the Vulnerable Software and Affected Versions** TienCOP WP EXtra plugin versions <= 6.4 **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For TienCOP WP EXtra plugin versions <= 6.4, update to a version higher than 6.4 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Code Snippets versions n/a through 3.5.0 **Description** The issue is a Cross-Site Request Forgery (CSRF) vulnerability in Code Snippets Pro Code Snippets. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For versions n/a through 3.5.0, update to a version that contains a fix for this issue, as no specific mitigation measures are provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Slick Popup: Contact Form 7 Popup Plugin versions prior to 1.7.15 **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that requires authentication with admin or higher privileges. This vulnerability can be exploited in the Slick Popup: Contact Form 7 Popup Plugin. **Recommendations** For versions prior to 1.7.15, update to version 1.7.15 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** The ChatBot for WordPress versions 4.8.6 through 4.9.6 **Description** The issue arises from insufficient input sanitization and output escaping in the FAQ Builder, allowing authenticated attackers with administrator-level permissions to inject arbitrary web scripts. This affects multi-site installations and installations where unfiltered html has been disabled, enabling the execution of injected scripts when a user accesses the affected page. **Recommendations** For versions 4.8.6 through 4.9.6, update to a version that addresses the insufficient input sanitization and output escaping in the FAQ Builder to prevent stored cross-site scripting attacks.