WordPress · Cm Ad Changer · CVE-2026-9236
**Name of the Vulnerable Software and Affected Versions**
CM Ad Changer versions prior to 2.0.8
**Description**
The CM Ad Changer plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF), a flaw where an attacker tricks a victim into executing unwanted actions. This occurs due to missing or incorrect nonce validation within the `cmac_campaigns_action()` function. Unauthenticated attackers can exploit this to permanently delete arbitrary advertising campaigns, including associated banner records and uploaded files, by inducing a site administrator to click a malicious link.
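The nonce validation that the description says is missing, sketched as an added example for a WordPress admin delete handler. This is not CM Ad Changer's code or its 2.0.8 patch: the `example_` function names, the page slug, the query parameters and the table name are all assumptions made for illustration.

```php
<?php
// Added illustration: hypothetical plugin code, not CM Ad Changer's source.
// All 'example_' names, the page slug, parameters and table are assumptions.

// Build the delete link with a nonce bound to this action and campaign ID.
// wp_nonce_url() appends _wpnonce and returns an HTML-escaped URL for href use.
function example_campaign_delete_url( $campaign_id ) {
    $campaign_id = absint( $campaign_id );
    $url = add_query_arg(
        array(
            'page'        => 'example_campaigns',
            'action'      => 'delete',
            'campaign_id' => $campaign_id,
        ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'example_delete_campaign_' . $campaign_id );
}

// Handle the state-changing request on admin page loads.
function example_campaigns_action() {
    if ( ! isset( $_GET['page'], $_GET['action'], $_GET['campaign_id'] )
        || 'example_campaigns' !== $_GET['page']
        || 'delete' !== $_GET['action'] ) {
        return; // not our request
    }
    $campaign_id = absint( $_GET['campaign_id'] );

    // Authorization: a valid nonce alone does not prove the user may delete.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html( 'You are not allowed to delete campaigns.' ), '', array( 'response' => 403 ) );
    }

    // CSRF check: stops with WordPress's "link expired" screen unless
    // $_REQUEST['_wpnonce'] is valid for this user, this action and this ID.
    // A link forged on another site cannot carry a valid value.
    check_admin_referer( 'example_delete_campaign_' . $campaign_id );

    // Only now perform the destructive operation (hypothetical table).
    global $wpdb;
    $wpdb->delete( $wpdb->prefix . 'example_campaigns', array( 'id' => $campaign_id ), array( '%d' ) );

    wp_safe_redirect( admin_url( 'admin.php?page=example_campaigns&deleted=1' ) );
    exit;
}
add_action( 'admin_init', 'example_campaigns_action' );
```

Binding the nonce action string to the campaign ID means a nonce issued for one campaign cannot be reused to delete another.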
**Recommendations**
Update the plugin to version 2.0.8 or later.
As a temporary workaround, restrict administrative access to the plugin settings to minimize the risk of exploitation.