István Márton

**Name of the Vulnerable Software and Affected Versions** WordPress Tiger theme versions prior to 101.2.2 **Description** The Tiger theme for WordPress allows privilege escalation due to a flaw in the `set role()` function. Authenticated attackers with Subscriber-level access or higher can elevate their privileges to administrator level. The vulnerable component is the `$user->set role()` function, which allows modification of a user's role. **Recommendations** Update the WordPress Tiger theme to version 101.2.2 or later.

**Name of the Vulnerable Software and Affected Versions** FindAll Membership plugin for WordPress versions up to and including 1.0.4 **Description** The FindAll Membership plugin for WordPress is susceptible to an Authentication Bypass issue. The plugin does not properly log in a user after verifying data through the `findall membership check facebook user` and `findall membership check google user` functions. This allows unauthenticated attackers to log in as administrative users if they have an existing account on the site and access to the administrative user's email. **Recommendations** Update the FindAll Membership plugin to a version later than 1.0.4.

**Name of the Vulnerable Software and Affected Versions** Zegen Core versions prior to 2.0.1 **Description** The Zegen Core plugin for WordPress is susceptible to a Cross-Site Request Forgery (CSRF) issue leading to Arbitrary File Upload. This is caused by a lack of nonce validation and file type validation within the `/custom-font-code/custom-fonts-uploads.php` file. An unauthenticated attacker could potentially upload arbitrary files to the server by exploiting this flaw, potentially leading to remote code execution if a site administrator is tricked into performing an action. **Recommendations** Update Zegen Core to a version newer than 2.0.1.

**Name of the Vulnerable Software and Affected Versions** WooCommerce Designer Pro versions up to and including 1.9.28 **Description** The WooCommerce Designer Pro theme for WordPress is susceptible to an arbitrary file read issue. This allows unauthenticated attackers to read arbitrary files on the server. A specific file mentioned as potentially exposed is `wp-config.php`, which may contain database credentials. The issue is due to a vulnerable endpoint or function that allows unauthorized file access. **Recommendations** Update WooCommerce Designer Pro to a version beyond 1.9.28.

**Name of the Vulnerable Software and Affected Versions** Classified Pro versions up to and including 1.0.14 **Description** The Classified Pro theme for WordPress is susceptible to unauthorized plugin installation due to a missing capability check within the `cwp addons update plugin cb` function. This allows authenticated attackers with subscriber-level access or higher to install arbitrary plugins on the affected WordPress site. The installation of arbitrary plugins may lead to remote code execution. The required nonce for exploitation is found within the CubeWP Framework plugin. **Recommendations** Update Classified Pro to a version newer than 1.0.14.

**Name of the Vulnerable Software and Affected Versions** Felan Framework plugin for WordPress versions up to and including 1.1.4 **Description** The Felan Framework plugin for WordPress is susceptible to unauthorized data modification. This is due to a missing capability check within the `process plugin actions` function, which is triggered through an AJAX action. This allows unauthenticated attackers to activate or deactivate plugins without authorization. **Recommendations** Update the Felan Framework plugin to a version beyond 1.1.4.

**Name of the Vulnerable Software and Affected Versions** Truelysell Core plugin for WordPress versions up to and including 1.8.6 **Description** The Truelysell Core plugin for WordPress is susceptible to unauthorized user password modification. This occurs because the plugin allows user-controlled access to objects, enabling attackers to bypass authorization and access system resources. Unauthenticated attackers can exploit this to change user passwords, potentially gaining control of administrator accounts. The exploitation requires knowledge of a page containing the 'truelysell edit staff' shortcode. **Recommendations** Versions prior to 1.8.6 are affected. Update to a version newer than 1.8.6. Limit access to the page containing the 'truelysell edit staff' shortcode. Enable multi-factor authentication. Monitor system activity for suspicious behavior.

**Name of the Vulnerable Software and Affected Versions** Felan Framework versions up to and including 1.1.4 **Description** The Felan Framework plugin for WordPress has an authentication issue due to hardcoded passwords in the `fb ajax login or register` and `google ajax login or register` functions. This allows unauthenticated attackers to log in as any existing user who registered with Facebook or Google social login and did not change their password. **Recommendations** Update Felan Framework to a version newer than 1.1.4.

Name of the Vulnerable Software and Affected Versions: Mikado Core plugin for WordPress versions up to and including 1.5.2 Description: The Mikado Core plugin for WordPress is susceptible to Stored Cross-Site Scripting through shortcodes due to inadequate input sanitization and output escaping of user-supplied attributes. This allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. Recommendations: Update the Mikado Core plugin to a version newer than 1.5.2.

Name of the Vulnerable Software and Affected Versions: Wilmer Core plugin for WordPress versions up to and including 2.4.5 Description: The Wilmer Core plugin for WordPress is susceptible to Stored Cross-Site Scripting through shortcodes due to inadequate input sanitization and output escaping of user-supplied attributes. This allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the affected page. Recommendations: Update the Wilmer Core plugin to a version newer than 2.4.5.

Name of the Vulnerable Software and Affected Versions: Doccure theme for WordPress versions through 1.4.8 Description: The Doccure theme for WordPress is susceptible to arbitrary file uploads due to the absence of file type validation within the `doccure temp upload to media` function. This flaw allows unauthenticated attackers to upload arbitrary files to the server, potentially leading to remote code execution. Recommendations: Update the Doccure theme to a version beyond 1.4.8.

Name of the Vulnerable Software and Affected Versions: Doccure theme for WordPress versions through 1.4.8 Description: The Doccure theme for WordPress is susceptible to arbitrary file uploads due to inadequate file type validation within the `doccure temp file uploader` function. Authenticated attackers possessing subscriber-level permissions or higher can upload arbitrary files to the server, potentially leading to remote code execution. Recommendations: Update Doccure theme to a version newer than 1.4.8.

Name of the Vulnerable Software and Affected Versions: Doccure versions prior to 1.4.9 Description: The Doccure theme for WordPress is susceptible to unauthorized modification of user passwords. This occurs because the plugin allows user-controlled access to objects, enabling bypass of authorization and access to system resources. This allows unauthenticated attackers to alter user passwords and potentially compromise administrator accounts. Recommendations: Update Doccure to version 1.4.9 or later.

**Name of the Vulnerable Software and Affected Versions** Biagiotti Core plugin for WordPress versions prior to 2.1.4 **Description** The Biagiotti Core plugin for WordPress is susceptible to Stored Cross-Site Scripting through shortcodes due to inadequate input sanitization and output escaping of user-supplied attributes. This allows authenticated attackers with contributor-level or higher permissions to inject malicious web scripts into pages. These scripts will execute when a user accesses the compromised page. **Recommendations** Update Biagiotti Core plugin to version 2.1.4 or later.

**Name of the Vulnerable Software and Affected Versions** Eventin versions through 4.0.34 **Description** The Eventin plugin for WordPress is susceptible to privilege escalation, potentially leading to account takeover. This occurs because the plugin does not adequately validate a user’s identity or capabilities before allowing updates to user details, such as email addresses. Specifically, the `update item` function within the `EventinSpeakerApiSpeakerController` class is affected. Unauthenticated attackers with contributor-level permissions or higher can exploit this flaw to modify the email addresses of any user, including administrators, and subsequently reset passwords to gain unauthorized access. **Recommendations** Eventin versions prior to 4.0.34 are affected. Update to a version later than 4.0.34. As a temporary workaround, restrict access to the `update item` function within the `EventinSpeakerApiSpeakerController` class.

**Name of the Vulnerable Software and Affected Versions:** Lana Downloads Manager versions prior to 1.10.0 **Description:** The Lana Downloads Manager plugin for WordPress is susceptible to Stored Cross-Site Scripting through insufficient input sanitization and output escaping on user-supplied attributes within endpoint parameters. This allows authenticated attackers with administrator-level or higher permissions to inject arbitrary web scripts into pages, which will execute when a user accesses the injected page. **Recommendations:** Update Lana Downloads Manager to a version later than 1.10.0.

Name of the Vulnerable Software and Affected Versions: AI Engine plugin for WordPress version 2.8.4 Description: The issue is due to an insecure OAuth implementation, specifically the lack of validation for the `redirect uri` parameter during the authorization flow. This allows unauthenticated attackers to intercept the authorization code and obtain an access token by redirecting the user to an attacker-controlled URI. Recommendations: For version 2.8.4, update to version 2.8.5, where OAuth is disabled and the 'Meow MWAI Labs OAuth' class is not loaded, thus mitigating the open redirect vulnerability.

**Name of the Vulnerable Software and Affected Versions** WordPress AI Engine plugin (affected versions not specified) **Description** A critical flaw in WordPress's AI Engine plugin allows subscribers to escalate privileges and take over websites with Dev Tools/MCP enabled. **Recommendations** Update the WordPress AI Engine plugin to the latest version. As a temporary workaround, consider disabling the Dev Tools/MCP feature until a patch is available. Restrict subscriber-level access to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Art Theme for WordPress versions up to, and including, 3.12.2.3 **Description** The issue is related to unauthorized access due to a missing capability check on the 'arttheme theme option restore' AJAX function. This allows authenticated attackers with subscriber-level access and above to delete the theme option. **Recommendations** For versions up to, and including, 3.12.2.3, consider disabling the `arttheme theme option restore` AJAX function until a patch is available to prevent unauthorized access.

**Name of the Vulnerable Software and Affected Versions** BM Content Builder plugin for WordPress versions up to, and including, 3.16.2.1 **Description** The issue is related to a missing capability check on the `ux cb page options save` function, allowing authenticated attackers with subscriber-level access and above to inject arbitrary web scripts in pages. These scripts will execute whenever a user accesses an injected page. **Recommendations** For BM Content Builder plugin for WordPress versions up to, and including, 3.16.2.1, update to a version higher than 3.16.2.1 to resolve the issue. As a temporary workaround, consider restricting access to the `ux cb page options save` function to prevent unauthorized modification of data.