Itztrq

**Name of the Vulnerable Software and Affected Versions** MotoPress Hotel Booking versions prior to 6.0.2 **Description** The MotoPress Hotel Booking plugin for WordPress contains an authorization bypass flaw resulting from improper verification of user permissions. Unauthenticated attackers can overwrite or delete internal notes by providing an arbitrary booking ID. This is possible because the required nonce is exposed in the HTML source of all public pages via `wp localize script` in the `MPHB. data.nonces` variable, allowing any visitor to perform the action without an account. The affected variable is ` mphb booking internal notes`. **Recommendations** Update to version 6.0.2 or later.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 149.0.7827.53 **Description** An inappropriate implementation in the WebUI allows a remote attacker to perform domain spoofing by using a crafted domain name. **Recommendations** Update to version 149.0.7827.53 or later.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 149.0.7827.53 **Description** Insufficient validation of untrusted input in the Network component allows a remote attacker who has compromised the renderer process to bypass the same origin policy, which is a security mechanism that restricts how a document or script loaded from one origin can interact with a resource from another origin, by using a crafted HTML page. **Recommendations** Update to version 149.0.7827.53 or later.

**Name of the Vulnerable Software and Affected Versions** WPBookit versions up to and including 1.0.8 **Description** The WPBookit plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is due to insufficient input sanitization and output escaping in the `wpb user name` and `wpb user email` parameters. An unauthenticated attacker can inject arbitrary web scripts into pages, which will execute when a user accesses the injected page. **Recommendations** Update WPBookit to a version later than 1.0.8.

**Name of the Vulnerable Software and Affected Versions** SEATT: Simple Event Attendance plugin for WordPress versions prior to 1.5.1 **Description** The SEATT: Simple Event Attendance plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF). This is caused by a lack of nonce validation when deleting events. An unauthenticated attacker could potentially delete events by tricking an administrator into performing an action, such as clicking a malicious link. The vulnerable functionality involves event deletion. **Recommendations** Update the SEATT: Simple Event Attendance plugin to version 1.5.1 or later.