Jeremie Amsellem

**Name of the Vulnerable Software and Affected Versions** Cryptocurrency Pricing list and Ticker WordPress plugin versions prior to 1.5 **Description** The issue arises from the plugin's failure to properly sanitise and escape the `ccpw setpage` parameter, leading to a Reflected Cross-Site Scripting issue when its shortcode is embedded in pages. **Recommendations** For versions prior to 1.5, as a temporary workaround, consider restricting access to the shortcode that embeds the `ccpw setpage` parameter until a patch is available. Avoid using the `ccpw setpage` parameter in affected pages until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IDPay for Contact Form 7 WordPress plugin versions 2.1.2 and earlier **Description** The issue concerns a Reflected Cross-Site Scripting problem. It occurs because the `idpay error` parameter is not properly sanitised and escaped before being outputted back on the page. This allows for malicious scripts to be injected and executed. **Recommendations** For IDPay for Contact Form 7 WordPress plugin versions 2.1.2 and earlier, consider updating to a version where this issue is fixed, as the current version does not properly sanitise the `idpay error` parameter. As a temporary workaround, consider restricting access to the `idpay error` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MOLIE WordPress plugin versions 0.5 and earlier **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs because the `course id` parameter is not properly escaped before being outputted back in the admin dashboard. This allows for malicious scripts to be injected. **Recommendations** For MOLIE WordPress plugin versions 0.5 and earlier, update to a version that properly escapes the `course id` parameter to prevent Reflected Cross-Site Scripting. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MOLIE WordPress plugin versions prior to 0.5 **Description** The issue arises from the lack of validation and escaping of a post parameter before its use in a SQL statement, leading to an SQL Injection. **Recommendations** For MOLIE WordPress plugin versions prior to 0.5, update to version 0.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WP User WordPress plugin versions prior to 7.0 **Description** The issue arises from the lack of proper sanitization and escaping of certain parameters in pages where the `[wp user]` shortcode is used, leading to Reflected Cross-Site Scripting issues. **Recommendations** For versions prior to 7.0, update to version 7.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Backup and Staging by WP Time Capsule WordPress plugin versions prior to 1.22.7 **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs because the `error` parameter is not properly sanitised and escaped before being outputted back in an admin page. This allows for potential malicious script injection. **Recommendations** For versions prior to 1.22.7, update to version 1.22.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin page where the `error` parameter is outputted to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Booster for WooCommerce WordPress plugin versions prior to 5.4.9 **Description** The issue arises from the lack of sanitization and escaping of the `wcj create products xml result` parameter in the admin dashboard when the Product XML Feeds module is enabled, leading to a Reflected Cross-Site Scripting issue. **Recommendations** For versions prior to 5.4.9, update to version 5.4.9 or later to resolve the issue. As a temporary workaround, consider disabling the Product XML Feeds module until a patch is available. Restrict access to the admin dashboard to minimize the risk of exploitation. Avoid using the `wcj create products xml result` parameter in the affected module until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** The Booster for WooCommerce WordPress plugin versions prior to 5.4.9 **Description** The issue arises from the lack of sanitization and escaping of the `wcj notice` parameter in the admin dashboard when the Pdf Invoicing module is enabled, leading to a Reflected Cross-Site Scripting. **Recommendations** For versions prior to 5.4.9, update to version 5.4.9 or later to resolve the issue. As a temporary workaround, consider disabling the Pdf Invoicing module until a patch is available. Restrict access to the admin dashboard to minimize the risk of exploitation. Avoid using the `wcj notice` parameter in the affected module until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** The Booster for WooCommerce WordPress plugin versions prior to 5.4.9 **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs because the `wcj delete role` parameter is not properly sanitised and escaped before being outputted in the admin dashboard when the General module is enabled. **Recommendations** For versions prior to 5.4.9, update to version 5.4.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin dashboard or disabling the General module until the update is applied. Avoid using the `wcj delete role` parameter in the affected area until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** myCred WordPress plugin versions prior to 1.7.8 **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs because the `user` parameter is not properly sanitised and escaped before being outputted in the Points Log admin dashboard. This allows for malicious scripts to be injected and executed. **Recommendations** For versions prior to 1.7.8, update to version 1.7.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the Points Log admin dashboard to minimize the risk of exploitation.