Ivan Cese

**Name of the Vulnerable Software and Affected Versions** Career Section plugin for WordPress versions prior to 1.7 **Description** The plugin is susceptible to Cross-Site Request Forgery (CSRF), a flaw where an attacker tricks a logged-in user into executing unwanted actions. This issue leads to Path Traversal and Arbitrary File Deletion due to missing nonce validation and insufficient file path validation within the `appform options page html()` function. Unauthenticated attackers can delete arbitrary files on the server by inducing a site administrator to click a forged link. **Recommendations** Update the plugin to a version later than 1.6. As a temporary workaround, restrict access to the `appform options page html()` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Bucketlister plugin for WordPress versions up to and including 0.1.5 **Description** The software contains a SQL Injection issue through the `category` and `id` attributes within its shortcode. Insufficient escaping of user-supplied parameters and inadequate preparation of the SQL query allow authenticated attackers with Contributor-level access or higher to inject additional SQL queries. This can lead to the extraction of sensitive information from the database. The vulnerable parameters are `category` and `id`. **Recommendations** Update the Bucketlister plugin to a version beyond 0.1.5.

**Name of the Vulnerable Software and Affected Versions** The Bucketlister plugin for WordPress versions up to and including 0.1.5 **Description** The software contains a flaw that allows unauthorized modification of data. This is due to a missing capability check on the `bucketlister do admin ajax()` function. Authenticated attackers with Subscriber-level access or higher can add, delete, or modify bucket list items. **Recommendations** Update The Bucketlister plugin to a version later than 0.1.5.

**Name of the Vulnerable Software and Affected Versions** WaveSurfer-WP plugin for WordPress versions up to and including 2.8.3 **Description** The WaveSurfer-WP plugin for WordPress is susceptible to Stored Cross-Site Scripting through the plugin’s audio shortcode. This is due to inadequate input sanitization and output escaping on the `src` attribute. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages. These scripts will execute when a user accesses the affected page. **Recommendations** Update the WaveSurfer-WP plugin to a version newer than 2.8.3.

**Name of the Vulnerable Software and Affected Versions** GetContentFromURL plugin for WordPress versions prior to 1.1 **Description** The GetContentFromURL plugin for WordPress is susceptible to Server-Side Request Forgery in versions up to and including 1.0. The issue stems from the plugin utilizing `wp remote get()` instead of `wp safe remote get()` when retrieving content from a URL provided by the user through the `url` parameter within the [gcfu] shortcode. This allows authenticated attackers with Contributor-level access or higher to initiate web requests to arbitrary locations from the web application, potentially enabling them to query and modify information from internal services. **Recommendations** Update the GetContentFromURL plugin to version 1.1 or later.

**Name of the Vulnerable Software and Affected Versions** PDF Resume Parser plugin for WordPress versions prior to 1.1 **Description** The PDF Resume Parser plugin for WordPress has a flaw that allows exposure of sensitive information. An AJAX action handler is accessible to users without authentication, revealing SMTP configuration data, including credentials. This allows unauthenticated attackers to extract SMTP credentials (`username` and `password`) from the WordPress configuration. Compromised email accounts and potential unauthorized access to other systems using the same credentials are possible consequences. **Recommendations** Update the PDF Resume Parser plugin to version 1.1 or later.

**Name of the Vulnerable Software and Affected Versions** AA Block Country plugin for WordPress versions up to and including 1.0.1 **Description** The AA Block Country plugin for WordPress is susceptible to IP Address Spoofing. The plugin relies on user-provided headers, specifically the HTTP X FORWARDED FOR header, to identify the client’s IP address without sufficient validation. This lack of validation is particularly problematic when the server is located behind a trusted proxy. An unauthenticated attacker can exploit this flaw to circumvent IP-based access controls by manipulating the X-Forwarded-For header and spoofing their IP address. **Recommendations** Update the AA Block Country plugin to a version beyond 1.0.1.

**Name of the Vulnerable Software and Affected Versions** The Shortcode Ajax plugin for WordPress versions prior to 1.1 **Description** The Shortcode Ajax plugin for WordPress is susceptible to arbitrary shortcode execution due to insufficient input validation before running the `do shortcode` function. This allows unauthenticated attackers to execute arbitrary shortcodes. **Recommendations** Update The Shortcode Ajax plugin to version 1.1 or later.

**Name of the Vulnerable Software and Affected Versions** Solutions Ad Manager plugin for WordPress versions prior to 1.0.1 **Description** The software is susceptible to an Open Redirect issue because of inadequate validation of the redirect URL provided through the `sam-redirect-to` parameter. This allows unauthenticated attackers to redirect users to potentially harmful websites if they can trick users into taking a specific action. **Recommendations** Update the Solutions Ad Manager plugin to version 1.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** The Simple CSV Table versions up to and including 1.0.1 **Description** The Simple CSV Table plugin for WordPress is susceptible to a Directory Traversal issue due to inadequate path validation. Specifically, the `href` parameter within the `[csv]` shortcode does not properly sanitize user-supplied input before incorporating it into a base directory path. This allows authenticated attackers with Contributor-level access or higher to read arbitrary files on the server. These files may contain sensitive data, including database credentials and authentication keys. The API endpoint involved is the `[csv]` shortcode, and the vulnerable parameter is `href`. **Recommendations** Versions prior to and including 1.0.1 should be updated to a newer, fixed version if available.

**Name of the Vulnerable Software and Affected Versions** Visitor Logic Lite plugin for WordPress versions up to and including 1.0.3 **Description** The Visitor Logic Lite plugin for WordPress is susceptible to PHP Object Injection due to the deserialization of untrusted input from the `lpblocks` cookie. The `lp track()` function passes unsanitized cookie data directly to the `unserialize()` function, allowing potential attackers to inject a PHP Object. While no known POP chain exists within the vulnerable software itself, the presence of a POP chain via an additional plugin or theme could allow attackers to delete arbitrary files, retrieve sensitive data, or execute code, provided they have access to the WordPress site. **Recommendations** Update the Visitor Logic Lite plugin to a version beyond 1.0.3.

**Name of the Vulnerable Software and Affected Versions** CSV to SortTable WordPress plugin versions through 4.2 **Description** The software does not properly check certain shortcode attributes before using them to create file paths that are then used with include functions. This allows users with contributor-level access to potentially perform Local File Inclusion (LFI) attacks. **Recommendations** Update to a version beyond 4.2.

**Name of the Vulnerable Software and Affected Versions** WP Landing Page plugin for WordPress versions up to and including 0.9.3 **Description** The WP Landing Page plugin for WordPress is susceptible to Cross-Site Request Forgery, allowing unauthenticated attackers to update arbitrary post meta via a forged request. This is possible due to missing nonce validation on the `wplp api update text` function. An attacker could trick a site administrator into performing an action, such as clicking a link, to execute the malicious request. **Recommendations** Update the WP Landing Page plugin to a version later than 0.9.3.

**Name of the Vulnerable Software and Affected Versions** User Generator and Importer plugin for WordPress versions up to and including 1.2.2 **Description** The plugin is susceptible to Cross-Site Request Forgery due to missing nonce validation in the "Import Using CSV File" function. This allows unauthenticated attackers to potentially create arbitrary accounts with administrator privileges by forging a request, if they can trick a site administrator into performing an action. The `Import Using CSV File` function lacks proper validation, enabling this issue. **Recommendations** Update the User Generator and Importer plugin to a version newer than 1.2.2.

**Name of the Vulnerable Software and Affected Versions** Weekly Planner plugin for WordPress versions prior to 1.0 **Description** The Weekly Planner plugin for WordPress is susceptible to Stored Cross-Site Scripting through admin settings. Insufficient input sanitization and output escaping allow authenticated attackers with administrator-level permissions or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. This issue specifically impacts multi-site installations and those where unfiltered html has been disabled. **Recommendations** Update the Weekly Planner plugin to a version newer than 1.0.

**Name of the Vulnerable Software and Affected Versions** StaffList plugin for WordPress versions prior to 3.2.7 **Description** The StaffList plugin for WordPress is susceptible to Stored Cross-Site Scripting through admin settings. Insufficient input sanitization and output escaping allows authenticated attackers with administrator-level permissions or higher to inject arbitrary web scripts into pages. These scripts execute when a user accesses the injected page. This issue only impacts multi-site installations and those where unfiltered html has been disabled. **Recommendations** Update the StaffList plugin to version 3.2.7 or later.

**Name of the Vulnerable Software and Affected Versions** ProjectList plugin for WordPress versions up to and including 0.3.0 **Description** The ProjectList plugin for WordPress is susceptible to arbitrary file uploads because of a lack of file type validation. This allows authenticated attackers with Editor-level access or higher to upload arbitrary files to the affected server, potentially leading to remote code execution. **Recommendations** Update the ProjectList plugin to a version newer than 0.3.0.

**Name of the Vulnerable Software and Affected Versions** ProjectList plugin for WordPress versions up to and including 0.3.0 **Description** The ProjectList plugin for WordPress is susceptible to time-based SQL Injection. This is due to inadequate escaping of user-supplied input and insufficient preparation of existing SQL queries, specifically through the `id` parameter. Authenticated attackers with Editor-level access or higher can append additional SQL queries to existing ones, potentially extracting sensitive information from the database. **Recommendations** Update the ProjectList plugin to a version newer than 0.3.0.

**Name of the Vulnerable Software and Affected Versions** Local Syndication plugin for WordPress versions prior to 1.5a **Description** The Local Syndication plugin for WordPress is susceptible to Server-Side Request Forgery (SSRF) in versions up to and including 1.5a. The issue stems from the use of `wp remote get()` instead of `wp safe remote get()`, which lacks safeguards against requests to internal or private IP addresses and localhost. This allows authenticated attackers with Contributor-level access or higher to make web requests to arbitrary locations from the web application. Exploitation can lead to querying and modifying information from internal services, scanning internal networks, and accessing resources that should not be externally accessible. The vulnerability is triggered through the `url` parameter within the `[syndicate local]` shortcode. **Recommendations** Update the Local Syndication plugin to a version later than 1.5a.

**Name of the Vulnerable Software and Affected Versions** Download Panel plugin for WordPress versions up to and including 1.3.3 **Description** The Download Panel plugin for WordPress is susceptible to unauthorized settings modification. This is caused by a missing capability check on the 'wp ajax save settings' AJAX action. Specifically, the `dlpn save settings()` function lacks capability verification, allowing authenticated attackers with Subscriber-level access or higher to modify plugin settings. These settings include display text, download links, button colors, and other visual customizations. **Recommendations** Update the Download Panel plugin to a version later than 1.3.3.