John Blackbourn

**Name of the Vulnerable Software and Affected Versions** WordPress versions through 6.8.2 **Description** A flaw exists in Automattic WordPress that allows for Stored Cross-site Scripting (XSS). An attacker with Author or higher user privileges can exploit this issue. The vulnerability stems from improper neutralization of input during web page generation. **Recommendations** Update WordPress to a version later than 6.8.2.

**Name of the Vulnerable Software and Affected Versions** WordPress versions through 6.8.2 **Description** A flaw exists in WordPress that could allow retrieval of embedded sensitive data through insertion of sensitive information into sent data. The issue is considered low severity and requires contributor-level privileges to exploit. **Recommendations** Update WordPress to a version later than 6.8.2.

**Name of the Vulnerable Software and Affected Versions** WordPress Core versions up to 6.0.2 **Description** The issue allows users with access to the WordPress post and page editor, typically Authors, Contributors, and Editors, to inject arbitrary web scripts into posts and pages. These scripts execute if the `the meta()` function is called on that page. This can be exploited by users with access to the editor, making it possible to inject malicious scripts. **Recommendations** For WordPress Core versions up to 6.0.2, update to a version later than 6.0.2 to resolve the issue. As a temporary workaround, consider restricting access to the post and page editor to minimize the risk of exploitation. Additionally, avoid using the `the meta()` function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** LiteSpeed Cache versions 1.9 through 6.3.0.1 **Description** A critical flaw in the LiteSpeed Cache plugin could allow attackers to gain admin access to WordPress sites. This issue affects over 5 million sites, leaving businesses exposed to severe security risks. The vulnerability stems from a weak security hash in the plugin's user simulation feature, making it possible for a remote unauthenticated attacker to obtain administrator rights. The hash has only a million possible values, allowing for brute-force attacks that can take from several hours to a week. The vulnerability is being actively exploited, with over 30,000 attack attempts blocked in just 24 hours. **Recommendations** Update to version 6.4 or higher to secure your site. As a temporary workaround, consider disabling the vulnerable plugin until a patch is available. Restrict access to the plugin's user simulation feature to minimize the risk of exploitation. Avoid using the plugin's caching functionality until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Geek Code Lab Login As Users versions 1.4.2 and earlier **Description** The issue is related to Improper Privilege Management, allowing Privilege Escalation. This can be exploited in the Login As Users feature. **Recommendations** For versions 1.4.2 and earlier, update to a version later than 1.4.2 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: WordPress Core versions 6.0 through 6.0.7 WordPress Core versions 6.1 through 6.1.5 WordPress Core versions 6.2 through 6.2.4 WordPress Core versions 6.3 through 6.3.3 WordPress Core versions 6.4 through 6.4.3 WordPress Core versions 6.5 through 6.5.2 Description: The issue is related to a stored Cross-Site Scripting (XSS) flaw in the WordPress Core, specifically in the Avatar block. This vulnerability allows attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The flaw is due to insufficient output escaping on the display name. Both unauthenticated and authenticated attackers can exploit this issue under varying circumstances. Recommendations: For WordPress Core versions 6.0 through 6.0.7, update to a version later than 6.0.7 or disable the Avatar block until a patch is available. For WordPress Core versions 6.1 through 6.1.5, update to a version later than 6.1.5 or disable the Avatar block until a patch is available. For WordPress Core versions 6.2 through 6.2.4, update to a version later than 6.2.4 or disable the Avatar block until a patch is available. For WordPress Core versions 6.3 through 6.3.3, update to a version later than 6.3.3 or disable the Avatar block until a patch is available. For WordPress Core versions 6.4 through 6.4.3, update to a version later than 6.4.3 or disable the Avatar block until a patch is available. For WordPress Core versions 6.5 through 6.5.2, update to a version later than 6.5.2 or disable the Avatar block until a patch is available.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 4.5.3 **Description** The issue concerns the oEmbed protocol implementation, allowing remote attackers to cause a denial of service via unspecified vectors. **Recommendations** For versions prior to 4.5.3, update to version 4.5.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 4.5.3 **Description** The issue allows remote attackers to bypass the sanitize file name protection mechanism. **Recommendations** For versions prior to 4.5.3, update to version 4.5.3 or later to resolve the issue.