Jinson Varghese Behanan

**Name of the Vulnerable Software and Affected Versions** Cervantes versions through 0.5-alpha **Description** The issue allows stored XSS. There is no information about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For versions through 0.5-alpha, update to a version that includes a fix for this issue, as no specific mitigation measures are provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cervantes versions through 0.5-alpha **Description** The issue allows for insecure file uploads. **Recommendations** For versions through 0.5-alpha, consider restricting file upload functionality until a secure version is available. As a temporary workaround, restrict access to file upload features to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Cooked Pro WordPress plugin versions prior to 1.7.5.6 Description: The issue is related to unauthenticated reflected Cross-Site Scripting, caused by improper sanitisation of user input. This input is then output back in pages as an arbitrary attribute, allowing for potential malicious script execution. Recommendations: For versions prior to 1.7.5.6, update to version 1.7.5.6 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Ivory Search WordPress plugin versions prior to 4.6.1 Description: The issue arises from improper sanitization of the `tab` parameter in the Search Forms page, leading to a reflected Cross-Site Scripting issue. This can occur when a high-privilege user opens a maliciously crafted link. The attack requires knowledge of a form id. Recommendations: For versions prior to 4.6.1, update to version 4.6.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the Search Forms page for high-privilege users until the update is applied. Avoid using the `tab` parameter in the affected page until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Online Invoicing System (OIS) versions 4.3 and below Description: A CSV injection issue allows users to perform malicious actions, such as redirecting admins to unknown or harmful websites, or disclosing other clients' details that the user did not have access to. Recommendations: For versions 4.3 and below, update to a version above 4.3 to resolve the issue. As a temporary workaround, consider restricting access to sensitive client details and implementing additional security measures to prevent redirection to harmful websites.

**Name of the Vulnerable Software and Affected Versions** Contact Form 7 versions prior to 5.3.2 **Description** The issue is related to an Unrestricted File Upload vulnerability in the Contact Form 7 plugin for WordPress, which can lead to remote code execution. This is because a filename may contain special characters. The vulnerability affects over 5 million active installations. It allows an attacker to upload files of arbitrary type and execute arbitrary code. **Recommendations** For versions prior to 5.3.2, update to version 5.3.2 or later to resolve the issue. As a temporary workaround, consider restricting file uploads to prevent exploitation until the update is applied. Avoid using filenames that contain special characters in the affected plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Genexis Platinum 4410 V2 version 2.1 (software version P4410-V2-1.28) **Description** The issue allows for changing the Wi-Fi password remotely due to Broken Access Control and CSRF. This could potentially be exploited to gain unauthorized access to the Wi-Fi network. **Recommendations** For Genexis Platinum 4410 V2 version 2.1 (software version P4410-V2-1.28), as a temporary workaround, consider disabling remote access to the router's configuration until a patch is available. Restrict access to the router's web interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenCart Journal theme versions prior to 3.1.0 **Description** The issue allows exposure of sensitive data via SQL errors. **Recommendations** For versions prior to 3.1.0, update to version 3.1.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SeedProd coming-soon plugin versions prior to 5.1.1 **Description** The issue allows for XSS. **Recommendations** For versions prior to 5.1.1, update to version 5.1.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WPForms Contact Form plugin versions prior to 1.5.9 **Description** A stored cross-site scripting (XSS) issue exists in the WPForms Contact Form plugin for WordPress. This allows for malicious scripts to be stored and executed on the site. **Recommendations** For versions prior to 1.5.9, update to version 1.5.9 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Export Users to CSV plugin versions prior to 1.4.3 **Description** The issue allows CSV Injection. **Recommendations** For Export Users to CSV plugin versions prior to 1.4.3, update to version 1.4.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Tutor LMS plugin versions prior to 1.5.3 **Description** A CSRF issue can result in an attacker approving themselves as an instructor and performing other malicious actions, such as blocking legitimate instructors. **Recommendations** For versions prior to 1.5.3, update to version 1.5.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Strong Testimonials plugin versions prior to 2.40.1 **Description** The issue allows an attacker to perform malicious actions, such as stealing session tokens, by exploiting a Stored XSS vulnerability in the Strong Testimonials plugin for WordPress. **Recommendations** For versions prior to 2.40.1, update to version 2.40.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** LearnDash LMS plugin versions prior to 3.1.2 **Description** The issue allows for XSS via the `ld-profile` search field. **Recommendations** For versions prior to 3.1.2, update to version 3.1.2 or later to resolve the issue.