Ivan Kuzymchak

The Ultimate Classified Listings plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save custom fields function in all versions up to, and including, 1.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change plugin custom fields.

Name of the Vulnerable Software and Affected Versions: The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress versions up to, and including, 4.8.1.1 Description: The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping in the post Meta Description and Canonical URL parameters. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Recommendations: For versions up to, and including, 4.8.1.1, update to a version that addresses the insufficient input sanitization and output escaping issue to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the post Meta Description and Canonical URL parameters to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress versions up to, and including, 1.8.34 Description: The issue is related to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrative user into performing an action such as clicking on a link. The `image id` parameter is specifically vulnerable to this type of attack. Recommendations: For versions up to, and including, 1.8.34, update to a version higher than 1.8.34 to resolve the issue. As a temporary workaround, consider restricting access to the `image id` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress versions up to, and including, 5.9.4.7 **Description** The issue is related to blind and time-based SQL Injections via the `rid` and `search` parameters due to insufficient escaping on user-supplied parameters and lack of sufficient preparation on existing SQL queries. This allows authenticated attackers with Subscriber-level access and above to append additional SQL queries into already existing queries, potentially extracting sensitive information from the database. **Recommendations** For versions up to, and including, 5.9.4.7, consider disabling the `rid` and `search` parameters in the affected plugin until a patch is available. Restrict access to sensitive database information to minimize the risk of exploitation. Avoid using the `rid` and `search` parameters in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** WP All Import Pro plugin for WordPress versions up to, and including, 4.9.3 **Description** The issue is related to Server-Side Request Forgery due to missing SSRF protection on the `pmxi curl download` function. This allows authenticated attackers with Administrator-level access and above to make web requests to arbitrary locations from the web application, potentially querying and modifying information from internal services. On cloud platforms, it may also allow attackers to read Instance metadata. **Recommendations** For versions up to, and including, 4.9.3, consider disabling the `pmxi curl download` function until a patch is available to prevent exploitation. Restrict access to the plugin's functionality to minimize the risk of unauthorized web requests. Update to a version higher than 4.9.3 when available.

**Name of the Vulnerable Software and Affected Versions** The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress versions up to, and including, 5.4.6 **Description** The issue is related to generic SQL Injection via the `order by` parameter due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This allows authenticated attackers with administrator-level permissions and above to append additional SQL queries into already existing queries, which can be used to extract sensitive information from the database. **Recommendations** For versions up to, and including, 5.4.6, update to a version that fixes the SQL Injection issue. As a temporary workaround, consider restricting access to the `order by` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress versions up to, and including, 5.1.19 **Description** The issue is related to Stored Cross-Site Scripting via form label fields due to insufficient input sanitization and output escaping. This allows authenticated attackers, with access to edit forms (administrator by default), to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 5.1.19, update to a version later than 5.1.19 to resolve the issue. As a temporary workaround, consider restricting access to edit forms to prevent authenticated attackers from injecting arbitrary web scripts. Additionally, restrict the use of form label fields until a patch is available.

**Name of the Vulnerable Software and Affected Versions** W3 Total Cache plugin for WordPress versions up to, and including, 2.7.5 **Description** The issue allows unauthenticated attackers to expose sensitive information, specifically Google OAuth API secrets stored in plaintext in the plugin source. This can enable attackers to impersonate W3 Total Cache and access user account information under certain conditions. However, this does not impact the WordPress user's site. **Recommendations** For versions up to, and including, 2.7.5, update to a version later than 2.7.5 to resolve the issue. As a temporary workaround, consider restricting access to the Google OAuth API secrets until a patch is available.

**Name of the Vulnerable Software and Affected Versions** LuckyWP Table of Contents plugin for WordPress versions up to, and including, 2.1.4 **Description** The issue is related to Stored Cross-Site Scripting via multiple parameters due to insufficient input sanitization and output escaping. This allows authenticated attackers with Contributor permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 2.1.4, update to a version that addresses the insufficient input sanitization and output escaping issue to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the plugin's functionality for users with Contributor permissions and above until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Migration, Backup, Staging – WPvivid plugin for WordPress versions up to, and including, 0.9.89 **Description** The issue is related to Stored Cross-Site Scripting via admin settings, specifically the `backup path` parameter, due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts in pages, which will execute when a user accesses an injected page. The issue only affects multi-site installations and installations where `unfiltered html` has been disabled. **Recommendations** For versions up to, and including, 0.9.89, update to a version higher than 0.9.89 to resolve the issue. As a temporary workaround, consider restricting access to the admin settings and the `backup path` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Migration, Backup, Staging – WPvivid plugin for WordPress versions up to, and including, 0.9.89 **Description** The issue is related to Stored Cross-Site Scripting via the `image file path` parameter due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrative privileges to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 0.9.89, update to a version higher than 0.9.89 to resolve the issue. As a temporary workaround, consider restricting access to the `image file path` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Migration, Backup, Staging – WPvivid plugin for WordPress versions up to, and including, 0.9.89 **Description** The issue allows authenticated attackers with administrative privileges to delete the contents of arbitrary directories on the server. This can be a critical issue in shared environments. **Recommendations** For versions up to, and including, 0.9.89, update to a version higher than 0.9.89 to resolve the issue. As a temporary workaround, consider restricting administrative access to trusted users only until a patch is available.

**Name of the Vulnerable Software and Affected Versions** The FiboSearch - AJAX Search for WooCommerce plugin for WordPress versions up to, and including, 1.23.0 **Description** The issue arises from insufficient input sanitization and output escaping in admin settings, allowing authenticated attackers with administrator-level permissions to inject arbitrary web scripts in pages. This affects multi-site installations and installations where unfiltered html has been disabled, making it possible for injected scripts to execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 1.23.0, update to a version that includes the necessary input sanitization and output escaping fixes to prevent Stored Cross-Site Scripting attacks.

**Name of the Vulnerable Software and Affected Versions** Advanced Woo Search plugin for WordPress versions up to, and including, 2.77 **Description** The issue allows authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts in pages due to insufficient input sanitization and output escaping in admin settings. This makes it possible for the injected scripts to execute whenever a user accesses an injected page. The issue only affects multi-site installations and installations where unfiltered html has been disabled. **Recommendations** For Advanced Woo Search plugin for WordPress versions up to, and including, 2.77, update to a version that addresses the insufficient input sanitization and output escaping issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TaxoPress plugin for WordPress versions up to, and including, 3.6.4 **Description** The issue is related to Stored Cross-Site Scripting via the Related Posts functionality due to insufficient input sanitization and output escaping. This allows authenticated attackers with Editor+ permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For TaxoPress plugin for WordPress versions up to, and including, 3.6.4, update to a version later than 3.6.4 to resolve the issue. As a temporary workaround, consider restricting the use of the Related Posts functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** TaxoPress plugin for WordPress versions up to, and including, 3.6.4 **Description** The issue is related to Stored Cross-Site Scripting via the Related Posts functionality due to insufficient input sanitization and output escaping. This allows authenticated attackers with Editor+ permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For TaxoPress plugin for WordPress versions up to, and including, 3.6.4, update to a version later than 3.6.4 to resolve the issue. As a temporary workaround, consider restricting the use of the Related Posts functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** TaxoPress plugin for WordPress versions up to, and including, 3.6.4 **Description** The issue is related to Stored Cross-Site Scripting via the Suggest Terms Title field due to insufficient input sanitization and output escaping. This allows authenticated attackers with Editor+ permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For TaxoPress plugin for WordPress versions up to, and including, 3.6.4, update to a version later than 3.6.4 to resolve the issue. As a temporary workaround, consider restricting access to the Suggest Terms Title field to prevent potential exploitation.

**Name of the Vulnerable Software and Affected Versions** All in One SEO Pack plugin for WordPress versions up to, and including, 4.2.9 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping, allowing authenticated attackers with Administrator role or above to inject arbitrary web scripts in pages. These scripts will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 4.2.9, update to a version higher than 4.2.9 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's configuration pages to minimize the risk of exploitation. Avoid using the vulnerable parameters in the affected plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** All in One SEO Pack plugin for WordPress versions up to, and including, 4.2.9 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping, allowing authenticated attackers with Contributor+ role to inject arbitrary web scripts in pages. These scripts will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 4.2.9, update to a version higher than 4.2.9 to resolve the issue. As a temporary workaround, consider restricting the Contributor+ role to minimize the risk of exploitation. Avoid using the vulnerable parameters in the affected plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** The Quick Restaurant Menu plugin for WordPress versions up to, and including, 2.0.2 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping in the plugin's settings parameters. This allows authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts in pages, which will execute when a user accesses an injected page. **Recommendations** For The Quick Restaurant Menu plugin for WordPress versions up to, and including, 2.0.2, update to a version higher than 2.0.2 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings parameters to minimize the risk of exploitation.