Jorgson

**Name of the Vulnerable Software and Affected Versions** Contact Form to Any API plugin for WordPress versions 1.2.2 and earlier **Description** The issue is related to Stored Cross-Site Scripting via Contact Form 7 form fields due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions 1.2.2 and earlier, update to a version that addresses the insufficient input sanitization and output escaping issue to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the Contact Form 7 form fields until a patch is available.

**Name of the Vulnerable Software and Affected Versions** The AdRotate Banner Manager – The only ad manager you'll need plugin for WordPress versions up to, and including, 5.13.2 **Description** The issue is related to arbitrary file uploads due to missing file extension sanitization in the `adrotate insert media()` function. This allows authenticated attackers with administrator-level access and above to upload arbitrary files with double extensions on the affected site's server, potentially making remote code execution possible. The exploitability of this issue is limited to select instances where the configuration will execute the first extension present. **Recommendations** For versions up to, and including, 5.13.2, consider disabling the `adrotate insert media()` function until a patch is available to prevent arbitrary file uploads. Restrict access to the affected plugin to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GetPaid WordPress plugin versions prior to 2.3.4 **Description** The issue concerns the GetPaid WordPress plugin, where users with the contributor role and above can create a new Payment Form. However, the Label and Help Text input fields were not properly sanitized, allowing the injection of malicious content such as img tags. This leads to a Stored Cross-Site Scripting issue, which is triggered when the form is edited, for example, when an admin reviews it, and could lead to privilege escalation. **Recommendations** For versions prior to 2.3.4, update to version 2.3.4 or later to resolve the issue. As a temporary workaround, consider restricting the ability of users with the contributor role and above to create new Payment Forms until the update is applied. Additionally, restrict access to the Label and Help Text input fields to minimize the risk of exploitation.