Ismailshadow

**Name of the Vulnerable Software and Affected Versions** Login No Captcha reCAPTCHA versions prior to 1.8.1 **Description** The plugin is subject to Stored Cross-Site Scripting (XSS), a flaw where malicious scripts are permanently stored on the target server. The issue occurs because the `authenticate()` function stores the unsanitized output of the `$ SERVER['PHP SELF']` superglobal in the `login nocaptcha error` WordPress option during login attempts from non-standard pages, such as 'xmlrpc.php'. Subsequently, the `admin notices()` function outputs this stored value into the admin dashboard HTML without proper escaping. This allows unauthenticated attackers to inject arbitrary web scripts that execute when an administrator with a whitelisted IP address accesses the dashboard within 30 seconds of the attack. **Recommendations** Update to a version later than 1.8.0.

Name of the Vulnerable Software and Affected Versions MW WP Form plugin for WordPress versions up to and including 5.1.0 Description The MW WP Form plugin for WordPress is susceptible to arbitrary file movement due to inadequate file path validation through the `generate user filepath` function and the `move temp file to upload dir` function. This allows unauthenticated attackers to move arbitrary files on the server, potentially leading to remote code execution if a sensitive file, such as wp-config.php, is moved. The vulnerability is exploitable when a file upload field is added to a form and the “Saving inquiry data in database” option is enabled. It affects over 200,000 WordPress sites. Recommendations Update the MW WP Form plugin to a version later than 5.1.0.

**Name of the Vulnerable Software and Affected Versions** Kali Forms versions prior to 2.4.9 **Description** The Kali Forms plugin for WordPress is susceptible to Remote Code Execution in versions up to and including 2.4.9. This is due to the `prepare post data` function mapping user-supplied keys directly into internal placeholder storage, combined with the use of `call user func` on these placeholder values. This allows unauthenticated attackers to execute code on the server. The vulnerability is triggered via the `form process` function. The issue involves user-controlled placeholders and the `call user func` function, which can lead to unauthorized code execution. **Recommendations** Versions prior to 2.4.9 should be updated.

**Name of the Vulnerable Software and Affected Versions** Brevo - Email, SMS, Web Push, Chat, and more. plugin for WordPress versions up to and including 3.3.0 **Description** The Brevo plugin for WordPress has an authorization bypass issue caused by type juggling. This occurs because of the use of loose comparison (==) instead of strict comparison (===) when validating the installation ID. An unauthenticated attacker can exploit this by sending a boolean `true` value for the `id` parameter to the `/wp-json/mailin/v1/mailin disconnect` API endpoint. Successful exploitation allows attackers to disconnect the Brevo integration, delete the API key, remove all subscription forms, and reset plugin settings. The vulnerable parameter is `id`. **Recommendations** Update the Brevo - Email, SMS, Web Push, Chat, and more. plugin for WordPress to a version later than 3.3.0.

**Name of the Vulnerable Software and Affected Versions** Greenshift – animation and page builder blocks plugin for WordPress versions through 12.5.7 **Description** The plugin is susceptible to unauthorized data access because of a missing capability check within the `greenshift app pass validation()` function. Attackers with Subscriber-level access or higher can retrieve global plugin settings, including stored AI API keys. **Recommendations** Update to a version beyond 12.5.7.

**Name of the Vulnerable Software and Affected Versions** Hummingbird Performance plugin for WordPress versions prior to 3.18.1 **Description** The Hummingbird Performance plugin for WordPress is susceptible to exposure of sensitive information. This affects unauthenticated attackers who can extract data, including Cloudflare API credentials, through the `request` function. **Recommendations** Update the Hummingbird Performance plugin to version 3.18.1 or later.

**Name of the Vulnerable Software and Affected Versions** Modula Image Gallery plugin for WordPress versions 2.13.1 through 2.13.2 **Description** The Modula Image Gallery plugin for WordPress is susceptible to arbitrary file deletion due to inadequate file path validation within the `ajax unzip file` function. Authenticated attackers possessing Author-level access or higher can exploit this to delete arbitrary files on the server. Deletion of specific files, such as wp-config.php, could potentially lead to remote code execution. **Recommendations** Update the Modula Image Gallery plugin to a newer, fixed version. As a temporary workaround, restrict access for users with Author-level permissions or higher. Consider disabling the `ajax unzip file` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Blubrry PowerPress versions up to and including 11.15.2 **Description** The Blubrry PowerPress plugin for WordPress is susceptible to arbitrary file uploads due to inadequate file type validation. This occurs because the plugin validates file extensions but does not stop processing when validation fails within the `powerpress edit post` function. Authenticated attackers with Contributor-level access or higher can exploit this to upload arbitrary files to the affected server, potentially leading to remote code execution. **Recommendations** Versions up to and including 11.15.2 should be updated to a newer, fixed version. As a temporary workaround, consider restricting access to the `powerpress edit post` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** AI Engine versions prior to 3.1.9 **Description** The AI Engine plugin for WordPress is susceptible to PHP Object Injection through PHAR Deserialization. This occurs due to the deserialization of untrusted input within the `rest simpleTranscribeAudio` and `rest simpleVisionQuery` functions. Authenticated attackers with Subscriber-level access or higher can inject a PHP Object. The impact of this issue is limited unless another plugin or theme containing a PHP Object Injection (POP) chain is installed, which could allow for actions such as arbitrary file deletion, sensitive data retrieval, or code execution. **Recommendations** Update AI Engine to version 3.1.9 or later.

**Name of the Vulnerable Software and Affected Versions** Better Find and Replace – AI-Powered Suggestions plugin for WordPress versions through 1.7.7 **Description** The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is susceptible to Limited Code Injection. This is a result of inadequate input validation and restriction within the `rtafar ajax` function. Authenticated attackers possessing Subscriber-level access or higher can invoke arbitrary plugin functions and execute code within those functions. **Recommendations** Versions prior to and including 1.7.7 should be updated to a newer, fixed version when available. As a temporary workaround, consider restricting access to the `rtafar ajax` function until a patch is available.

Name of the Vulnerable Software and Affected Versions: Duplicate Page and Post plugin for WordPress versions prior to 2.9.5 Description: The Duplicate Page and Post plugin for WordPress is susceptible to time-based SQL Injection via the `meta key` parameter. Insufficient escaping of user-supplied input and inadequate preparation of existing SQL queries allow authenticated attackers with Contributor-level access or higher to inject additional SQL queries into existing database queries, potentially extracting sensitive information. Recommendations: Update the Duplicate Page and Post plugin to a version later than 2.9.5.

**Name of the Vulnerable Software and Affected Versions** AI Engine plugin for WordPress versions up to and including 2.9.5 **Description** The AI Engine plugin for WordPress is susceptible to unauthorized access and data loss. This is due to a missing capability check in the `rest list` and `delete files` functions, allowing unauthenticated attackers to list and delete files uploaded by other users. **Recommendations** Update the AI Engine plugin to a version later than 2.9.5.

**Name of the Vulnerable Software and Affected Versions** AI Engine plugin for WordPress versions 2.9.3 and 2.9.4 **Description** The AI Engine plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the `rest simpleFileUpload()` function. This allows authenticated attackers with Subscriber-level access and above to upload arbitrary files to the affected site’s server when the REST API is enabled, potentially leading to remote code execution. **Recommendations** Update to a version of the AI Engine plugin for WordPress that addresses this issue. Disable the REST API if it is not required. As a temporary workaround, restrict access to the `rest simpleFileUpload()` function.

**Name of the Vulnerable Software and Affected Versions** AI Engine plugin for WordPress versions through 2.9.4 **Description** The AI Engine plugin for WordPress is susceptible to sensitive information exposure. The `simpleTranscribeAudio` API endpoint does not properly restrict URL schemes before invoking the `get audio()` function. This allows authenticated attackers with Subscriber-level access or higher to read arbitrary files on the web server and potentially exfiltrate them through the plugin’s OpenAI API integration. **Recommendations** Update the AI Engine plugin to a version newer than 2.9.4. As a temporary workaround, restrict access to the `simpleTranscribeAudio` endpoint.

**Name of the Vulnerable Software and Affected Versions** Strong Testimonials versions prior to 3.2.12 **Description** The Strong Testimonials plugin for WordPress is susceptible to Stored Cross-Site Scripting via the Testimonial Custom Fields due to insufficient input sanitization and output escaping. This allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. **Recommendations** Update Strong Testimonials to version 3.2.12 or later.