John Umoru

**Name of the Vulnerable Software and Affected Versions** Really Simple Security WordPress plugin versions prior to 9.5.10.1 **Description** The plugin fails to enforce the second-factor challenge in two of its two-factor authentication REST endpoints. This allows an attacker who possesses a user's password to obtain a WordPress authentication session without completing the email OTP (One-Time Password) challenge. **Recommendations** Update the plugin to version 9.5.10.1 or later.

**Name of the Vulnerable Software and Affected Versions** weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin versions prior to 2.1.3 **Description** The plugin fails to properly escape a user-supplied parameter before reflecting it into an HTML attribute within a non-nonce-protected AJAX response. This allows unauthenticated attackers to perform Reflected Cross-Site Scripting (XSS), which occurs when an application includes untrusted data in a web page without proper validation, allowing the execution of malicious scripts in the victim's browser. This can be executed against any authenticated user, including administrators, via a crafted URL. **Recommendations** Update to version 2.1.3 or later.

**Name of the Vulnerable Software and Affected Versions** Custom css-js-php versions prior to 2.0.8 **Description** The plugin fails to properly sanitize user input before incorporating it into a SQL query. The resulting output is then passed to the `eval()` function, which enables unauthenticated users to execute arbitrary PHP code on the server. This process involves a SQL injection (SQLi) leading to Remote Code Execution (RCE), where an attacker can run commands on the host operating system from a remote machine. **Recommendations** Update to a version newer than 2.0.7.