John Jefferson Li

**Name of the Vulnerable Software and Affected Versions** Popup Box WordPress plugin versions prior to 20.9.0 **Description** The issue allows high privilege users, such as admins, to perform Cross-Site Scripting attacks even when unfiltered html is disallowed, due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 20.9.0, update to version 20.9.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: The Support Board WordPress plugin versions prior to 3.3.5 Description: The issue allows authenticated users with Agent+ permissions to perform Cross-Site Scripting attacks by placing a payload in the `notes` field. When an administrator or any authenticated user visits the chat, the XSS payload will be automatically executed. Recommendations: For versions prior to 3.3.5, update to version 3.3.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the notes field for Agent+ users until the update is applied.

Name of the Vulnerable Software and Affected Versions: The Support Board WordPress plugin versions prior to 3.3.4 Description: The issue concerns SQL injections that are exploitable by unauthenticated users due to the failure to escape multiple POST parameters, such as `status code`, `department`, `user id`, `conversation id`, `conversation status code`, and `recipient id`, before using them in SQL statements. Recommendations: For versions prior to 3.3.4, update to version 3.3.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality to minimize the risk of exploitation.