Jonah Burgess

**Name of the Vulnerable Software and Affected Versions** The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress versions prior to 1.8.42 **Description** Insufficient escaping of user-supplied parameters and lack of proper preparation of SQL queries allow authenticated attackers with contributor-level access or higher to perform time-based SQL Injection. This occurs via the `compact album order by` shortcode parameter, enabling the extraction of sensitive information from the database. The malicious payload is stored through the 'shortcode bwg' AJAX handler, which can be accessed by contributors without a valid nonce by omitting the `page` parameter. The injection is subsequently triggered by the unauthenticated 'bwg frontend data' AJAX handler. **Recommendations** Update the plugin to a version later than 1.8.41.

**Name of the Vulnerable Software and Affected Versions** Cisco Catalyst SD-WAN Controller (affected versions not specified) Cisco Catalyst SD-WAN Manager (affected versions not specified) Cisco Catalyst SD-WAN versions prior to 20.12.6.2 **Description** A critical authentication bypass exists in the peering authentication mechanism of the control connection handshaking process. The flaw resides in the `vdaemon` service, where the system fails to properly validate incoming certificates and tokens if specific header options are altered. An unauthenticated remote attacker can exploit this by mimicking a legitimate network controller or vHub, sending crafted handshake packets or DTLS connections with self-signed certificates to induce a state-mismatch. This causes the validation subsystem to fall back to a permissive state, granting the attacker an administrative session token as a high-privileged internal user. Successful exploitation provides access to NETCONF, allowing the attacker to manipulate global routing tables, inject malicious routing policies, modify network configurations for the SD-WAN fabric, and potentially escalate to root privileges. Real-world incidents involve a state-sponsored actor designated as UAT-8616, who has used this flaw to add SSH keys, deploy web shells, run XMRig miners, and steal AWS keys. **Recommendations** Update Cisco Catalyst SD-WAN to version 20.12.6.2 or newer. Modify edge firewall rules to drop all traffic targeting controller management or synchronization ports unless it originates from pre-verified static IP addresses of known infrastructure peers. Restrict all inbound external access to NETCONF endpoints globally. Audit controller logs for unauthorized peering attachment sequences or abrupt configuration changes. Perform a full user inventory via the CLI to identify unauthorized secondary administrative accounts. Export global routing and security policy tables to perform a diff analysis against known-good backup baselines.

**Name of the Vulnerable Software and Affected Versions** ProfileGrid versions prior to 5.9.8.5 **Description** The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress contains a blind SQL Injection flaw. This issue occurs due to insufficient escaping of user-supplied parameters and a lack of proper preparation of the SQL query. Authenticated attackers with Subscriber-level access or higher can append additional SQL queries via the `rid` parameter to extract sensitive information from the database. **Recommendations** Update the plugin to a version later than 5.9.8.4. As a temporary workaround, restrict access to the `rid` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ProfileGrid – User Profiles, Groups and Communities versions prior to 5.9.8.5 **Description** The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress allows unauthorized access because the `pm invite user()` function lacks a capability check. Authenticated attackers with Subscriber-level access or higher can exploit this to add themselves or other registered users to any group, including closed and paid groups, effectively bypassing authorization and payment gates. **Recommendations** Update the plugin to a version later than 5.9.8.4. As a temporary workaround, restrict access to the `pm invite user()` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Elementor Website Builder versions prior to 4.0.5 **Description** Insufficient input sanitization in the processing of form-encoded REST API requests allows authenticated attackers with contributor-level access and above to perform Stored Cross-Site Scripting. The plugin registers the ` elementor data` meta field with `show in rest` but lacks a `sanitize callback`. It relies on a `rest pre insert post` filter via the `sanitize post data()` function, which only sanitizes JSON-encoded request bodies. When a form-encoded PATCH request is sent to the WordPress REST API, the `json decode()` call returns null, bypassing all sanitization. The unsanitized data is stored using `update post meta()` and subsequently output without escaping through various widget sinks, including the HTML widget's `print unescaped setting()` function, enabling the execution of arbitrary web scripts when a user accesses the affected page. **Recommendations** Update to a version newer than 4.0.4.