Jack Taylor

**Name of the Vulnerable Software and Affected Versions** Easy Table of Contents plugin for WordPress versions prior to 2.0.79 **Description** The Easy Table of Contents plugin for WordPress is susceptible to Stored Cross-Site Scripting through the `ez-toc` shortcode. Insufficient input sanitization and output escaping on user-supplied attributes allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the affected page. **Recommendations** Update the Easy Table of Contents plugin to version 2.0.79 or later.

**Name of the Vulnerable Software and Affected Versions** WordPress Download Manager plugin versions up to and including 3.3.46 **Description** The software is susceptible to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping. The issue affects the `redirect to` parameter in the login form shortcode. An unauthenticated attacker can inject arbitrary web scripts into pages, potentially leading to script execution if a user is tricked into performing an action, such as clicking a link. The vulnerable parameter is `redirect to`. The API endpoint involved is the login form shortcode. **Recommendations** Update WordPress Download Manager plugin to a version later than 3.3.46.

**Name of the Vulnerable Software and Affected Versions** Xagio SEO – AI Powered SEO plugin for WordPress versions through 7.1.0.30 **Description** The Xagio SEO – AI Powered SEO plugin for WordPress is susceptible to a Server-Side Request Forgery issue. This allows authenticated attackers with Subscriber-level access or higher to make web requests to arbitrary locations from the web application. This can be used to query and modify information from internal services through the `pixabayDownloadImage` function. **Recommendations** Update the Xagio SEO – AI Powered SEO plugin for WordPress to a version later than 7.1.0.30.

**Name of the Vulnerable Software and Affected Versions** Xagio SEO – AI Powered SEO plugin for WordPress versions up to, and including, 7.1.0.16 **Description** The Xagio SEO – AI Powered SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `HTTP REFERER` parameter due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 7.1.0.16, update to a version later than 7.1.0.16 to resolve the issue. As a temporary workaround, consider restricting access to the `HTTP REFERER` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Relevanssi – A Better Search plugin for WordPress versions up to, and including, 4.24.5 (Free) and 2.27.6 (Premium) **Description** The issue is related to Stored Cross-Site Scripting via the Excerpt Highlights due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 4.24.5 (Free), update to a version later than 4.24.5 to resolve the issue. For versions up to, and including, 2.27.6 (Premium), update to a version later than 2.27.6 to resolve the issue. As a temporary workaround, consider restricting access to the Excerpt Highlights feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Relevanssi – A Better Search plugin for WordPress versions 4.24.4 and earlier (Free) and versions 2.27.4 and earlier (Premium) **Description** The Relevanssi – A Better Search plugin for WordPress is vulnerable to time-based SQL Injection via the `cats` and `tags` query parameters due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries to already existing queries that can be used to extract sensitive information from the database. **Recommendations** For Relevanssi – A Better Search plugin for WordPress versions 4.24.4 and earlier (Free) and versions 2.27.4 and earlier (Premium), update to a version that fixes the SQL Injection issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Relevanssi – A Better Search plugin for WordPress versions up to, and including, 4.24.3 **Description** The issue is related to Stored Cross-Site Scripting via the highlights functionality due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via the search results. **Recommendations** For Relevanssi – A Better Search plugin for WordPress versions up to, and including, 4.24.3, update to a version later than 4.24.3 to resolve the issue. As a temporary workaround, consider disabling the highlights functionality until a patch is available. Restrict access to search results to minimize the risk of exploitation. Avoid using the search functionality with untrusted input until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** WordPress Simple Shopping Cart plugin versions up to, and including, 5.1.3 **Description** The issue allows unauthenticated attackers to manipulate the quantity of a product to a negative number, effectively subtracting the product cost from the total order cost. This is possible due to missing validation on a user-controlled key in the `process payment data` function. The attack is limited to Manual Checkout mode, as payment processors like PayPal and Stripe do not process payments for negative quantities. **Recommendations** For WordPress Simple Shopping Cart plugin versions up to, and including, 5.1.3, consider disabling the Manual Checkout mode until a patch is available to prevent exploitation. Additionally, restrict access to the `process payment data` function to minimize the risk of negative quantity manipulation.

**Name of the Vulnerable Software and Affected Versions** WordPress Simple Shopping Cart plugin versions up to, and including, 5.1.3 **Description** The issue is related to Stored Cross-Site Scripting via the plugin's 'wp cart button' shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For WordPress Simple Shopping Cart plugin versions up to, and including, 5.1.3, update to a version later than 5.1.3 to resolve the issue. As a temporary workaround, consider restricting access to the 'wp cart button' shortcode for users with contributor-level access and above until a patch is available.

**Name of the Vulnerable Software and Affected Versions** WordPress Simple Shopping Cart plugin versions up to, and including, 5.1.3 **Description** The issue is related to Insecure Direct Object Reference due to the lack of randomization of a user-controlled key. This allows unauthenticated attackers to access customer shopping carts, edit product links, add or delete products, and discover coupon codes. **Recommendations** For WordPress Simple Shopping Cart plugin versions up to, and including, 5.1.3, update to a version higher than 5.1.3 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WordPress Simple Shopping Cart plugin versions up to and including 5.1.2 **Description** The issue is related to a logic flaw in the plugin's cart addition process, specifically due to the inconsistent use of parameters. The plugin uses the `product tmp two` parameter for calculating a security hash against price tampering, while using `wspsc product` to display the product. This inconsistency allows an unauthenticated attacker to substitute details from a cheaper product and bypass payment for a more expensive item. **Recommendations** For WordPress Simple Shopping Cart plugin versions up to and including 5.1.2, update to a version later than 5.1.2 to resolve the issue. As a temporary workaround, consider restricting access to the cart addition process to prevent exploitation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** WordPress Simple Shopping Cart plugin versions up to and including 5.1.2 **Description** The issue allows unauthenticated attackers to access potentially sensitive information and download digital products without paying, through the `file url` parameter. This enables attackers to view confidential information. **Recommendations** For versions up to and including 5.1.2, update to a version higher than 5.1.2 to resolve the issue. As a temporary workaround, consider restricting access to the `file url` parameter to prevent unauthorized downloads.

**Name of the Vulnerable Software and Affected Versions** WP-Polls plugin for WordPress versions up to, and including, 2.77.2 **Description** The issue arises from insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query, making it possible for unauthenticated attackers to append additional SQL queries into already existing queries. Although the results of these queries are not displayed to the attacker and thus cannot be exploited to obtain additional information about the database, a properly configured payload allows for the injection of malicious JavaScript, resulting in Stored Cross-Site Scripting. **Recommendations** For WP-Polls plugin for WordPress versions up to, and including, 2.77.2, update to a version later than 2.77.2 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality to minimize the risk of exploitation until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** PowerPress Podcasting plugin by Blubrry plugin for WordPress versions up to, and including, 11.9.18 **Description** The issue is related to Stored Cross-Site Scripting via the plugin's 'skipto' shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 11.9.18, update to a version that addresses the insufficient input sanitization and output escaping issue in the 'skipto' shortcode. As a temporary workaround, consider restricting access to the 'skipto' shortcode for users with contributor-level access and above until a patch is available.

Name of the Vulnerable Software and Affected Versions: The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress versions up to, and including, 2.8.6 Description: The issue is related to Cross-Site Request Forgery (CSRF) due to missing or incorrect nonce validation on the `admin init` or `user action hook` function. This allows unauthenticated attackers to modify a user's membership status via a forged request if they can trick a site administrator into performing an action, such as clicking on a link. Recommendations: For versions up to, and including, 2.8.6, update to a version that includes the fix for the nonce validation issue in the `admin init` or `user action hook` function. As a temporary workaround, consider restricting access to the `admin init` and `user action hook` functions until a patch is available.

Name of the Vulnerable Software and Affected Versions: The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress versions up to, and including, 2.8.6 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'um loggedin' shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Recommendations: For versions up to, and including, 2.8.6, update to a version higher than 2.8.6 to resolve the issue. As a temporary workaround, consider restricting access to the 'um loggedin' shortcode until a patch is available. Additionally, restrict contributor-level access and above to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Download Manager plugin for WordPress versions up to, and including, 3.2.97 Description: The issue is related to Stored Cross-Site Scripting in the Download Manager plugin for WordPress. This occurs via the plugin's 'wpdm all packages' shortcode due to insufficient input sanitization and output escaping on the `cols` parameter. Authenticated attackers with contributor-level access and above can inject arbitrary web scripts in pages, which will execute when a user accesses an injected page. Recommendations: For versions up to, and including, 3.2.97, update to a version higher than 3.2.97 to resolve the issue. As a temporary workaround, consider restricting access to the 'wpdm all packages' shortcode until a patch is available. Avoid using the `cols` parameter in the 'wpdm all packages' shortcode until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Custom Field Suite plugin for WordPress versions up to, and including, 2.6.7 **Description** The issue is related to Stored Cross-Site Scripting via the `cfs[post title]` parameter due to insufficient input sanitization and output escaping. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 2.6.7, update to a version that addresses the insufficient input sanitization and output escaping issue to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the `cfs[post title]` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Custom Field Suite plugin for WordPress versions up to, and including, 2.6.7 **Description** The issue is related to insufficient sanitization of input prior to being used in a call to the `eval()` function, which makes it possible for authenticated attackers, with contributor-level access and above, to execute arbitrary PHP code on the server. This is achieved via the Loop custom field. **Recommendations** For versions up to, and including, 2.6.7, update to a version that fixes the PHP Code Injection issue to prevent authenticated attackers from executing arbitrary PHP code on the server. As a temporary workaround, consider restricting access to the Loop custom field to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Custom Field Suite plugin for WordPress versions up to, and including, 2.6.7 **Description** The issue allows authenticated attackers with contributor-level access and above to perform SQL Injection via the `Term` custom field. This is due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query, making it possible to append additional SQL queries into already existing queries to extract sensitive information from the database. **Recommendations** For versions up to, and including, 2.6.7, update to a version higher than 2.6.7 to resolve the issue. As a temporary workaround, consider restricting access to the `Term` custom field to minimize the risk of exploitation.