Iohex

**Name of the Vulnerable Software and Affected Versions** Editorial Calendar WordPress plugin versions prior to 3.8.3 **Description** The issue allows users with roles as low as contributor to inject arbitrary web scripts in the plugin admin panel, enabling a Stored Cross-Site Scripting vulnerability targeting higher privileged users. This occurs because the plugin does not sanitise and escape its settings. **Recommendations** For versions prior to 3.8.3, update to version 3.8.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin admin panel to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Link Library WordPress plugin versions prior to 7.4.1 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example in multisite setups. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 7.4.1, update to version 7.4.1 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high privilege users to modify plugin settings until the update is applied.

**Name of the Vulnerable Software and Affected Versions** WP Attachments WordPress plugin versions prior to 5.0.6 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example in multisite setups. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For WP Attachments WordPress plugin versions prior to 5.0.6, update to version 5.0.6 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high privilege users to access and modify the plugin's settings until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Login with Cognito WordPress plugin versions 1.4.8 and earlier **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in a multisite setup. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions 1.4.8 and earlier, update to a version later than 1.4.8 to resolve the issue. As a temporary workaround, consider restricting the ability of high privilege users to access and modify the plugin's settings until a patch is available.

**Name of the Vulnerable Software and Affected Versions** WordPress Filter Gallery Plugin version 0.1.5 and earlier **Description** The WordPress Filter Gallery Plugin does not properly escape the filters passed in the `ufg gallery filters` ajax action before outputting them on the page. This allows a high privileged user, such as an administrator, to inject HTML or javascript to the plugin settings page, even when the `unfiltered html` capability is disabled. **Recommendations** For WordPress Filter Gallery Plugin version 0.1.5 and earlier, update to version 0.1.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the `ufg gallery filters` ajax action to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Image Optimizer, Resizer and CDN WordPress plugin versions prior to 6.8.1 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example in multisite setups. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 6.8.1, update to version 6.8.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the plugin's settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WP-Ban WordPress plugin versions prior to 1.69.1 **Description** The issue is related to the WP-Ban WordPress plugin not sanitizing and escaping some of its settings, which could allow high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This can occur even when the unfiltered html capability is disallowed, for example, in a multisite setup. The vulnerability may be exploited by a remote attacker to conduct a cross-site scripting (XSS) attack. **Recommendations** For WP-Ban WordPress plugin versions prior to 1.69.1, update to version 1.69.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the plugin's settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** All-in-One Addons for Elementor WordPress plugin versions prior to 2.4.4 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in multisite setups. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 2.4.4, update to version 2.4.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the plugin's settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Paytium: Mollie payment forms & donations WordPress plugin versions prior to 4.3.7 **Description** The issue concerns the lack of sanitization and escaping of some settings in the plugin, which could allow high-privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This is possible even when the unfiltered html capability is disallowed, for example, in a multisite setup. **Recommendations** For versions prior to 4.3.7, update to version 4.3.7 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high-privilege users to modify plugin settings until the update is applied.

**Name of the Vulnerable Software and Affected Versions** ImageInject WordPress plugin versions 1.17 and earlier **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in a multisite setup. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For ImageInject WordPress plugin versions 1.17 and earlier, consider updating to a version that addresses this issue, as no specific workaround is provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP Google Review Slider WordPress plugin versions prior to 11.6 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in a multisite setup. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 11.6, update to version 11.6 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high-privilege users to modify plugin settings until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Eventify WordPress plugin versions prior to 2.1.1 is not specified, however, it is mentioned that versions through 2.1 are affected, so the correct output is: Eventify WordPress plugin versions through 2.1 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This can occur even when the unfiltered html capability is disallowed, for example, in a multisite setup. **Recommendations** For Eventify WordPress plugin versions through 2.1, update to a version later than 2.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** joyqi/hyper-down versions 0.0.0 and later **Description** The issue arises from improper validation of the `href` attribute in the markdown parser module, leading to Cross-site Scripting (XSS). There is no information about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For joyqi/hyper-down versions 0.0.0 and later, at the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider disabling the markdown parsing module until a patch is available. Restrict access to the `href` attribute in the markdown parser to minimize the risk of exploitation. Avoid using the `href` attribute in the affected markdown parser until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Digital Publications by Supsystic WordPress plugin versions prior to 1.7.4 **Description** The issue allows high privilege users, such as admins, to perform cross-Site Scripting attacks due to the lack of sanitization and escaping of its settings. This can occur even when the unfiltered html capability is disallowed. **Recommendations** For versions prior to 1.7.4, update to version 1.7.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings for high privilege users until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Accept Stripe Payments WordPress plugin versions prior to 2.0.64 **Description** The issue allows high privilege users, such as admins, to perform cross-Site Scripting attacks due to the plugin's failure to sanitize and escape some of its settings. This can occur even when the unfiltered html capability is disallowed. **Recommendations** For versions prior to 2.0.64, update to version 2.0.64 or later to resolve the issue. As a temporary workaround, consider restricting administrative access to trusted users only until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** The Data Tables Generator by Supsystic WordPress plugin versions prior to 1.10.20 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks when the unfiltered html capability is disallowed, for example in a multisite setup. This is due to the plugin not sanitizing and escaping some of its Table settings. **Recommendations** For versions prior to 1.10.20, update to version 1.10.20 or later to resolve the issue. As a temporary workaround, consider restricting the use of the Table settings feature to minimize the risk of exploitation. Additionally, ensure that the unfiltered html capability is properly configured to prevent Stored Cross-Site Scripting attacks.

**Name of the Vulnerable Software and Affected Versions** WP-Paginate WordPress plugin versions prior to 2.1.9 **Description** The issue allows high privilege users to perform Stored Cross-Site Scripting attacks when unfiltered html is disallowed, due to the plugin not escaping one of its settings. **Recommendations** For versions prior to 2.1.9, update to version 2.1.9 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SportsPress WordPress plugin versions prior to 2.7.9 **Description** The issue arises from the lack of sanitization and escaping of the `match day` parameter, which is outputted back in the Events backend page, leading to a Reflected Cross-Site Scripting issue. **Recommendations** For versions prior to 2.7.9, update to version 2.7.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the Events backend page to minimize the risk of exploitation. Avoid using the `match day` parameter in the affected page until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Software License Manager versions prior to 4.4.8 **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs because the `edit record` parameter is not properly sanitized or escaped before being outputted back in the page within the admin dashboard. **Recommendations** For versions prior to 4.4.8, update to version 4.4.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin dashboard to minimize the risk of exploitation. Avoid using the `edit record` parameter in the affected page until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** MF Gig Calendar WordPress plugin versions prior to 1.2 **Description** The issue is related to a reflected Cross-Site Scripting problem. It occurs because the `id` GET parameter is not properly sanitised and escaped before being outputted back in the admin dashboard when editing an Event. This allows for malicious scripts to be injected. **Recommendations** For versions prior to 1.2, update to version 1.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin dashboard to minimize the risk of exploitation. Avoid using the `id` parameter in the affected endpoint until the issue is resolved.