James Golovich

**Name of the Vulnerable Software and Affected Versions** cloud-init versions prior to 23.1.2 **Description** The issue allows sensitive data to be exposed in logs, which an attacker could use to find hashed passwords and possibly escalate their privilege. **Recommendations** For versions prior to 23.1.2, update to version 23.1.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the logs to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Advanced Custom Fields WordPress plugin versions prior to 5.12.3 Advanced Custom Fields Pro WordPress plugin versions prior to 5.12.3 **Description** The issue allows unauthenticated users to upload files, limited to those allowed in a default WordPress configuration, if a frontend form is available. This was introduced in the 5.0 rewrite and did not exist prior to that release. **Recommendations** For Advanced Custom Fields WordPress plugin versions prior to 5.12.3, update to version 5.12.3 or later. For Advanced Custom Fields Pro WordPress plugin versions prior to 5.12.3, update to version 5.12.3 or later. As a temporary workaround, consider restricting access to frontend forms until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Elegant Themes Extra theme versions prior to 1.2.4 **Description** The issue allows for privilege escalation. **Recommendations** For versions prior to 1.2.4, update to version 1.2.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Elegant Themes Bloom plugin versions prior to 1.1.1 **Description** The issue allows for privilege escalation. **Recommendations** For versions prior to 1.1.1, update to version 1.1.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Elegant Themes Monarch plugin versions prior to 1.2.7 **Description** The issue allows for privilege escalation. **Recommendations** For versions prior to 1.2.7, update to version 1.2.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** wp-invoice plugin versions prior to 4.1.1 **Description** The issue is related to incorrect access control for admin init settings changes in the wp-invoice plugin. **Recommendations** For versions prior to 4.1.1, update to version 4.1.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** optinmonster plugin versions prior to 1.1.4.6 **Description** The issue is related to incorrect access control for shortcodes due to a nonce leak. **Recommendations** For versions prior to 1.1.4.6, update to version 1.1.4.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** wp-invoice plugin versions prior to 4.1.1 **Description** The issue is related to incorrect access control over updates to payer metadata for the wpi interkassa module. **Recommendations** For versions prior to 4.1.1, update to version 4.1.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** wp-invoice plugin versions prior to 4.1.1 **Description** The issue is related to incorrect access control over updates to payer metadata for the wpi twocheckout component. **Recommendations** For versions prior to 4.1.1, update to version 4.1.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** wp-invoice plugin versions prior to 4.1.1 **Description** The issue allows for privilege escalation due to the wpi update user option. **Recommendations** For versions prior to 4.1.1, update to version 4.1.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** wp-invoice plugin versions prior to 4.1.1 **Description** The issue is related to incorrect access control in the wp-invoice plugin, specifically over the `wpi user id` variable for invoice retrieval. **Recommendations** For versions prior to 4.1.1, update to version 4.1.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** wp-invoice plugin versions prior to 4.1.1 **Description** The issue is related to incorrect access control, specifically over updates to payer metadata for PayPal in the wp-invoice plugin. **Recommendations** For versions prior to 4.1.1, update to version 4.1.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PeepSo Core plugin versions prior to 1.6.1 **Description** The issue concerns a privilege escalation in the PeepSoProfilePreferencesAjax->save() function. **Recommendations** For PeepSo Core plugin versions prior to 1.6.1, update to version 1.6.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** MemberSonic Lite plugin for WordPress versions prior to 1.302 **Description** The issue is related to incorrect login access control. It allows access with only the knowledge of an e-mail address, which is insufficient for secure authentication. **Recommendations** For versions prior to 1.302, update to version 1.302 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Ninja Forms plugin versions prior to 2.9.42.1 **Description** The issue allows remote attackers to conduct PHP object injection attacks. This is achieved by sending crafted serialized values in a POST request. **Recommendations** For versions prior to 2.9.42.1, update to version 2.9.42.1 or later to resolve the issue.