Itsfading

**Name of the Vulnerable Software and Affected Versions** Accordion Slider plugin for WordPress versions up to, and including, 1.9.11 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping in the `html` attribute of an accordion slider. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages, which will execute when a user accesses the injected page. Successful exploitation by Contributor-level users requires an Administrator-level user to provide access to the plugin's admin area via the `Access` plugin setting. **Recommendations** For versions up to, and including, 1.9.11, update to a version that includes the necessary input sanitization and output escaping fixes to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the plugin's admin area and limiting the ability of Contributor-level users to inject arbitrary web scripts.

Name of the Vulnerable Software and Affected Versions: Absolute Reviews plugin for WordPress versions up to, and including, 1.1.3 Description: The issue is related to Stored Cross-Site Scripting via the `Name` field of a custom post criteria due to insufficient input sanitization and output escaping. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Recommendations: For versions up to, and including, 1.1.3, update to a version that addresses the insufficient input sanitization and output escaping issue. As a temporary workaround, consider restricting access to the custom post criteria `Name` field to minimize the risk of exploitation. Additionally, restrict Contributor-level access and above to reduce the potential for arbitrary web script injection.

**Name of the Vulnerable Software and Affected Versions** Post Snippets WordPress plugin versions prior to 3.1.4 **Description** The issue allows an attacker to make a logged-in admin import arbitrary snippets due to the lack of a CSRF check when importing files. Additionally, the imported snippets are not sanitized and escaped, which could lead to Stored Cross-Site Scripting issues. **Recommendations** For Post Snippets WordPress plugin versions prior to 3.1.4, update to version 3.1.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the file import functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** LabTools WordPress plugin versions 1.0 and earlier **Description** The issue concerns a lack of proper authorization and CSRF check when deleting publications. This allows any authenticated users, such as subscribers, to delete arbitrary publications. **Recommendations** For LabTools WordPress plugin versions 1.0 and earlier, update to a version that includes proper authorization and CSRF checks for publication deletion. As a temporary workaround, consider restricting publication deletion capabilities to only trusted users until a patch is available.