Joshua Reynolds

**Name of the Vulnerable Software and Affected Versions** LeagueManager plugin versions prior to 3.8.1 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `league id` parameter in the "leaguemanager-export" page to "wp-admin/admin.php". **Recommendations** For versions prior to 3.8.1, update to version 3.8.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the leaguemanager-export page in wp-admin/admin.php to minimize the risk of exploitation. Avoid using the `league id` parameter in the affected page until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** e107 version 1.0.1 **Description** A cross-site request forgery issue allows remote attackers to hijack administrator authentication for requests that conduct XSS attacks via the `news title` parameter in a create action. **Recommendations** For e107 version 1.0.1, as a temporary workaround, consider restricting access to the `newspost.php` file in the `e107 admin` directory to minimize the risk of exploitation. Avoid using the `news title` parameter in the affected create action until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** e107 version 1.0.2 **Description** The issue allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks. This is achieved through multiple cross-site request forgery (CSRF) vulnerabilities in the e107 admin/download.php file. The vulnerable parameters include `download url`, `download url extended`, `download author email`, `download author website`, `download image`, `download thumb`, `download visible`, and `download class`. **Recommendations** For e107 version 1.0.2, as a temporary workaround, consider restricting access to the e107 admin/download.php file until a patch is available. Avoid using the vulnerable parameters in this file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.