Jarno Vos

**Name of the Vulnerable Software and Affected Versions** ThemeHunk Gutenberg Blocks versions through 1.2.8 **Description** A flaw exists in ThemeHunk Gutenberg Blocks that allows for Reflected Cross-Site Scripting (XSS). This issue is due to improper neutralization of input during web page generation. The vulnerability could potentially allow an attacker to inject malicious scripts into web pages viewed by users. The affected API endpoints and vulnerable parameters were not specified. **Recommendations** Update ThemeHunk Gutenberg Blocks to a version later than 1.2.8.

**Name of the Vulnerable Software and Affected Versions** Dotstore Fraud Prevention For Woocommerce versions through 2.3.3 **Description** An authorization issue exists in Dotstore Fraud Prevention For Woocommerce due to incorrectly configured access control security levels. This allows for exploitation of the system. **Recommendations** Update Dotstore Fraud Prevention For Woocommerce to a version later than 2.3.3.

**Name of the Vulnerable Software and Affected Versions** Dotstore Fraud Prevention For Woocommerce versions n/a through 2.3.1 **Description** A flaw exists in Dotstore Fraud Prevention For Woocommerce that allows retrieval of embedded sensitive data, potentially exposing system information to unauthorized parties. **Recommendations** Update Dotstore Fraud Prevention For Woocommerce to a version newer than 2.3.1.

**Name of the Vulnerable Software and Affected Versions** Audiomack versions through 1.4.8 **Description** Audiomack is susceptible to a cross-site scripting (XSS) issue due to improper neutralization of input during web page generation. This allows for stored XSS attacks. The issue involves the potential for malicious scripts to be stored and executed within the application, potentially impacting users who interact with the affected content. The API endpoint and vulnerable parameters are not specified. **Recommendations** Update Audiomack to a version later than 1.4.8.

**Name of the Vulnerable Software and Affected Versions** Curator.Io versions through 1.9.5 **Description** A flaw exists in Curator.Io that allows for Stored Cross-site Scripting (XSS). This issue involves improper neutralization of input during web page generation. The vulnerability could potentially allow an attacker to inject malicious scripts into web pages viewed by other users. **Recommendations** Update Curator.Io to a version later than 1.9.5.

**Name of the Vulnerable Software and Affected Versions** Mobile Builder versions through 1.4.2 **Description** Mobile Builder is susceptible to an authentication bypass, allowing authentication abuse. This allows attackers to gain full control without valid credentials. The issue concerns a completely broken authentication mechanism within the WordPress Mobile Builder plugin, enabling trivial remote access. **Recommendations** Update Mobile Builder to a version later than 1.4.2.

**Name of the Vulnerable Software and Affected Versions** 6Storage versions prior to 2.20.0 **Description** A Server-Side Request Forgery (SSRF) vulnerability exists in 6Storage Rentals. This issue allows for Server Side Request Forgery. **Recommendations** Update 6Storage to version 2.20.0 or later.

**Name of the Vulnerable Software and Affected Versions** The BigBuy Dropshipping Connector for WooCommerce plugin for WordPress versions up to and including 2.0.5 **Description** The software is susceptible to IP Address Spoofing because of inadequate IP address validation and reliance on user-provided HTTP headers for IP address retrieval. This allows unauthenticated attackers to retrieve the output of the `phpinfo()` function. **Recommendations** Update the The BigBuy Dropshipping Connector for WooCommerce plugin to a version later than 2.0.5.

**Name of the Vulnerable Software and Affected Versions** Blappsta Mobile App Plugin versions prior to 0.8.8.9 **Description** The Blappsta Mobile App Plugin for WordPress is susceptible to SQL Injection due to inadequate input sanitization and query preparation. Specifically, the `nh ynaa comments()` function lacks sufficient escaping of user-supplied parameters, allowing attackers to inject malicious SQL queries. This can enable unauthenticated attackers to extract sensitive information from the database by appending additional SQL queries to existing ones. **Recommendations** Update to version 0.8.8.9 or later.

Name of the Vulnerable Software and Affected Versions: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection plugin for WordPress versions through 11.58 Description: The plugin is susceptible to unauthorized data access due to an inadequate capability check within the `stopbadbots check wordpress logged in cookie` function. This allows unauthenticated attackers to circumvent security measures such as blocklists and rate limits. Recommendations: Update the plugin to a version beyond 11.58.