Jörgson

**Name of the Vulnerable Software and Affected Versions** WPMU DEV Forminator versions 1.14.11 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). This allows for Stored XSS attacks. The vulnerability can be exploited without authentication, enabling Unauth. Stored Cross-Site Scripting (XSS) attacks. **Recommendations** For versions 1.14.11 and earlier, update to a version later than 1.14.11 to resolve the issue. As a temporary workaround, consider restricting access to the Forminator plugin until a patch is available. Avoid using the Forminator plugin for sensitive operations until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Simple SEO plugin for WordPress versions up to, and including 1.7.91 **Description** The issue is related to attribute-based stored Cross-Site Scripting due to insufficient sanitization or escaping on the `SEO social` and `standard title` parameters. This can be exploited by authenticated users with Contributor and above permissions to inject arbitrary web scripts into posts/pages that execute whenever an administrator accesses the page. **Recommendations** For Simple SEO plugin for WordPress versions up to, and including 1.7.91, update to a version that includes proper sanitization or escaping of the SEO social and standard title parameters to prevent Cross-Site Scripting. As a temporary workaround, consider restricting access to the SEO social and standard title parameters for users with Contributor and above permissions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** weDevs WP Project Manager plugin versions <= 2.4.13 **Description** The issue is related to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability. This means that an attacker with certain privileges, such as a subscriber or higher user role, can inject malicious scripts into the application, which are then stored and executed by the application, potentially affecting other users. **Recommendations** For weDevs WP Project Manager plugin versions <= 2.4.13, update to a version higher than 2.4.13 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** AGCA - Absolutely Glamorous Custom Admin (WordPress plugin) versions n/a through 6.8 **Description** The issue affects the AGCA - Absolutely Glamorous Custom Admin WordPress plugin, allowing Stored XSS due to improper neutralization of input during web page generation. This can occur via unsanitized input fields of the plugin settings. Some payloads could make the frontend and backend inaccessible. **Recommendations** For versions n/a through 6.8, update to a version later than 6.8 to resolve the issue. As a temporary workaround, consider restricting access to the plugin settings to minimize the risk of exploitation. Avoid using unsanitized input fields in the plugin settings until the issue is resolved.