Itthidej Aramsri

**Name of the Vulnerable Software and Affected Versions** Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress versions prior to 2.1.0 **Description** Insufficient input sanitization and output escaping in the Anchor block allow authenticated attackers with contributor-level access or higher to perform Stored Cross-Site Scripting. This enables the injection of arbitrary web scripts into pages, which execute when a user visits the affected page. **Recommendations** Update the plugin to a version later than 2.0.9.

**Name of the Vulnerable Software and Affected Versions** Recipe Card Blocks Lite versions prior to 3.4.14 **Description** The Recipe Card Blocks Lite plugin for WordPress contains a Stored Cross-Site Scripting issue. The `WPZOOM Helpers::deserialize block attributes()` function converts unicode-encoded sequences back into HTML characters after sanitization is performed. This allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts through the `summary` and `notes` attributes of the recipe block. These scripts execute when a user views the published post or the print view of the affected recipe. **Recommendations** Update the plugin to a version later than 3.4.13.

**Name of the Vulnerable Software and Affected Versions** Master Addons For Elementor versions prior to 3.1.1 **Description** The plugin is subject to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. Authenticated attackers with author-level access or higher can inject arbitrary web scripts into pages. This is achieved by bypassing UI-level restrictions and sending a crafted POST request to the endpoint "admin-ajax.php?action=elementor ajax" to manipulate the `jtlma custom js` page setting. The scripts execute whenever a user visits the affected page. **Recommendations** Update the plugin to a version later than 3.1.0. As a temporary mitigation, restrict author-level users from making POST requests to the "admin-ajax.php?action=elementor ajax" endpoint.

**Name of the Vulnerable Software and Affected Versions** Style Kits – Advanced Theme Styles for Elementor, Elementor Kits & Elementor Patterns versions prior to 2.5.1 **Description** The plugin for WordPress is subject to Stored Cross-Site Scripting, a condition where malicious scripts are permanently stored on the target server. The issue exists in the '/wp-json/agwp/v1/tokens/save' endpoint within the kit title parameter due to insufficient input sanitization and output escaping in an admin attribute context. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages, which then execute when a user accesses the affected page. **Recommendations** Update to a version later than 2.5.0. Avoid using the kit title parameter in the '/wp-json/agwp/v1/tokens/save' endpoint until the update is applied.

**Name of the Vulnerable Software and Affected Versions** FastX theme for WordPress versions prior to 1.0.3 **Description** The FastX theme for WordPress allows authenticated attackers with Subscriber-level access or higher to install and activate the PostX plugin. This is caused by missing capability checks in the `ultp install callback()` and `ultp activate callback()` functions. **Recommendations** Update to a version later than 1.0.2. As a temporary workaround, restrict access to the `ultp install callback()` and `ultp activate callback()` functions.

**Name of the Vulnerable Software and Affected Versions** Quick Playground versions prior to 1.3.4 **Description** The Quick Playground plugin for WordPress contains a path traversal flaw. This occurs because the `qckply zip theme()` function fails to properly validate the `stylesheet` parameter, which is appended to the theme root directory path without sanitizing directory traversal sequences. Consequently, unauthenticated attackers can trigger the creation of a ZIP archive containing arbitrary files from the server's filesystem, such as the `wp-config` file. **Recommendations** Update the plugin to a version later than 1.3.3. As a temporary workaround, restrict access to the `qckply zip theme()` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Envira Gallery Lite versions prior to 1.12.5 **Description** Stored Cross-Site Scripting is possible via the REST API due to insufficient input sanitization in the `update gallery data()` function and improper output escaping in the `gallery init()` function. Specifically, the `sanitize config values()` function fails to sanitize the `arrows` parameter, only processing `justified gallery theme` and `justified row height`. When the `arrows` value is output in the inline JavaScript configuration, the use of `esc attr()`—which is intended for HTML attributes rather than JavaScript contexts—allows for JavaScript expression injection. Authenticated attackers with Author-level access or higher can inject arbitrary web scripts that execute when a user visits the affected page. **Recommendations** Update to a version later than 1.12.4. As a temporary workaround, restrict access to the REST API or limit user permissions to prevent users with Author-level access from modifying gallery data.

The Smart Appointment & Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and a nonce validation logic flaw in the saab cancel booking() function in all versions up to, and including, 1.0.8. The nonce check uses && (AND) instead of || (OR), which means providing any value for the security parameter causes the entire check to be skipped. This makes it possible for unauthenticated attackers to cancel arbitrary bookings by supplying a predictable booking ID.

**Name of the Vulnerable Software and Affected Versions** LifePress versions prior to 2.2.3 **Description** The LifePress plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs because the `wp ajax nopriv lp update mds` function is registered without capability checks or nonce verification (a unique token used to prevent cross-site request forgery), and fails to properly sanitize input and escape output when rendering the series name in the admin settings page. Unauthenticated attackers can exploit this by sending arbitrary web scripts through the 'n' parameter of the 'lp update mds' AJAX action, which then execute when a user visits the affected page. **Recommendations** Update the plugin to a version later than 2.2.2. As a temporary workaround, restrict access to the 'lp update mds' AJAX action or the 'n' parameter until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Liaison Site Prober versions prior to 1.2.2 **Description** The plugin is subject to information exposure through the '/wp-json/site-prober/v1/logs' REST API endpoint. The `permissions read()` permission callback uses ` return true()`, which unconditionally grants access instead of verifying user capabilities. This allows unauthenticated attackers to access sensitive audit log data, including IP addresses, user IDs, usernames, login/logout events, failed login attempts, and activity descriptions. **Recommendations** Update the plugin to a version later than 1.2.1. As a temporary workaround, restrict access to the '/wp-json/site-prober/v1/logs' endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Table Manager versions prior to 1.0.1 **Description** The Table Manager plugin for WordPress allows authenticated attackers with Contributor-level access and above to extract sensitive data from arbitrary WordPress database tables. The issue occurs because the shortcode handler `tablemanager render table shortcode()` processes a user-controlled `table` attribute using only `sanitize key()` for sanitization. This value is concatenated with `$wpdb->prefix` to execute `DESC` and `SELECT *` queries, rendering all rows and columns to the frontend. The system fails to implement an allowlist check to verify that only plugin-created tables are accessed, as the `tablemanager created tables` option is not utilized within the shortcode handler. **Recommendations** Update the plugin to a version later than 1.0.0. As a temporary workaround, restrict the use of the 'table manager' shortcode to trusted users with higher privileges.

**Name of the Vulnerable Software and Affected Versions** Gutentools versions prior to 1.1.4 **Description** The Gutentools plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs because of insufficient input sanitization and output escaping, combined with a custom unescaping routine that reintroduces dangerous characters. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts via the `block id` attribute of the Post Slider block, which execute when a user visits the affected page. **Recommendations** Update to a version newer than 1.1.3.

**Name of the Vulnerable Software and Affected Versions** Contextual Related Posts versions prior to 4.2.2 **Description** The Contextual Related Posts plugin for WordPress contains a Stored Cross-Site Scripting issue. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages via the `other attributes` parameter due to insufficient input sanitization and output escaping. These scripts execute whenever a user visits the affected page. **Recommendations** Update to a version newer than 4.2.1. Avoid using the `other attributes` parameter until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Flipbox Addon for Elementor versions prior to 2.1.2 **Description** Insufficient validation of custom attribute names in the Flipbox widget's button URL `custom attributes` field allows authenticated attackers with author-level access and above to inject arbitrary web scripts. The plugin uses `esc html()` on the attribute name, which fails to prevent the use of event handler attributes such as `onmouseover` or `onclick`. These scripts execute whenever a user accesses an affected page. **Recommendations** Update to a version later than 2.1.1.

**Name of the Vulnerable Software and Affected Versions** Customer Reviews for WooCommerce versions prior to 5.101.1 **Description** The Customer Reviews for WooCommerce plugin for WordPress contains a Reflected Cross-Site Scripting issue. This occurs due to insufficient input sanitization and output escaping in the `crsearch` parameter. Unauthenticated attackers can exploit this by injecting arbitrary web scripts into pages, which execute when a user is tricked into clicking a malicious link. **Recommendations** Update the plugin to a version later than 5.101.0. As a temporary workaround, restrict access to or avoid using the `crsearch` parameter until the update is applied.

The BlockArt Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'clientId' block attribute in all versions up to, and including, 2.2.15. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Name of the Vulnerable Software and Affected Versions The List category posts plugin for WordPress versions up to and including 0.94.0 Description The List category posts plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'catlist' shortcode. Insufficient input sanitization and output escaping on user-supplied attributes allow authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. Recommendations Update to a version later than 0.94.0

Name of the Vulnerable Software and Affected Versions The Quick Playground plugin for WordPress versions up to and including 1.3.1 Description The Quick Playground plugin for WordPress is susceptible to Remote Code Execution due to inadequate authorization checks on REST API endpoints. These endpoints expose a sync code and permit arbitrary file uploads. This allows unauthenticated attackers to retrieve the sync code, upload PHP files using path traversal techniques, and ultimately achieve remote code execution on the server. Recommendations Update the Quick Playground plugin to a version later than 1.3.1.

Name of the Vulnerable Software and Affected Versions The Ultimate FAQ Accordion plugin for WordPress versions through 2.4.7 Description The Ultimate FAQ Accordion plugin for WordPress is susceptible to Stored Cross-Site Scripting through FAQ content. This occurs because the plugin uses `html entity decode()` on post content during rendering in the `set display variables()` function (View.FAQ.class.php, line 746), which converts HTML entity-encoded payloads back into executable HTML. Insufficient output escaping in the `faq-answer.php` template, where the decoded content is echoed without `wp kses post()` or other sanitization, further contributes to the issue. The `ufaq` custom post type is registered with `show in rest` set to true and defaults to the `post` capability type, allowing Author-level users to create and publish FAQs via the REST API. An attacker with Author-level access or higher can submit entity-encoded malicious HTML (e.g., `<img src=x onerror=alert()>`) that bypasses WordPress's kses sanitization at save time, but is then decoded back into executable HTML at render time. This allows the injection of arbitrary web scripts in FAQ pages that execute when a user accesses the injected FAQ, either directly or via the `[ultimate-faqs]` shortcode. Recommendations Update to a version later than 2.4.7.

Name of the Vulnerable Software and Affected Versions The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress versions up to and including 5.1.2 Description The User Registration & Membership plugin for WordPress is susceptible to SQL Injection via the `membership ids[]` parameter. Insufficient input sanitization and inadequate SQL query preparation allow authenticated attackers with Subscriber-level access or higher to inject additional SQL queries, potentially leading to the extraction of sensitive database information. Recommendations Update the User Registration & Membership plugin to a version newer than 5.1.2.