Joy Gilbert

The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the action remove abandoned() function, which is registered to both the wp ajax remove abandoned and wp ajax nopriv remove abandoned hooks. The handler takes a user-supplied recover id parameter from $ POST and passes it directly to wp delete post() with the force-delete flag set to true, without verifying that the ID belongs to the plugin's own cf7af data post type. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, or other content on the affected site by sending a single admin-ajax.

**Name of the Vulnerable Software and Affected Versions** 6Storage Rentals versions prior to 2.22.1 **Description** An authorization bypass exists in the 6Storage Rentals plugin for WordPress. Unauthenticated attackers can read and modify arbitrary tenant profile data, including names, email addresses, phone numbers, physical addresses, and Social Security Numbers (SSN). This occurs because the `six storage getUserInfo()` and `six storage updateProfile()` functions are registered on `wp ajax nopriv *` hooks and accept a tenant identifier via the `userId` parameter in the 'six storage get user info' and 'six storage update profile' AJAX actions without performing ownership verification, session binding, or nonce validation. This allows the use of an enumerated `userId` value in crafted requests to access or alter data. **Recommendations** Update the plugin to a version later than 2.22.0. As a temporary mitigation, restrict access to the 'six storage get user info' and 'six storage update profile' AJAX actions or avoid using the `userId` parameter in these endpoints until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Login with NEAR plugin for WordPress versions prior to 0.3.4 **Description** The plugin contains an authentication bypass flaw within the `ajaxLoginWithNear()` function. This function is registered as a `wp ajax nopriv` action, making it accessible to unauthenticated users. It accepts an attacker-supplied `account` POST parameter and issues a valid WordPress authentication cookie based only on a substring check for `.near`. The process lacks nonce verification, cryptographic signature validation, challenge-response exchanges, or proof of wallet ownership. Consequently, unauthenticated attackers can log in as any existing user, including administrators, whose email matches the `<account>@near.org` pattern. If no matching user is found, the system automatically creates and authenticates a new account for the identifier provided. **Recommendations** Update the plugin to a version later than 0.3.3. As a temporary workaround, restrict access to the `ajaxLoginWithNear()` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Keycloak (affected versions not specified) **Description** A flaw in the OpenID Connect (OIDC) Introspection feature occurs when both realm-level and client-level `notBefore` revocation policies are configured. In this scenario, the system fails to properly honor the realm-level policy, allowing tokens that should have been revoked to remain active. This can lead to unauthorized access or continued session validity. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Keycloak (affected versions not specified) **Description** A security bypass exists in Keycloak where a remote attacker can circumvent security measures by submitting a valid Security Assertion Markup Language (SAML) response from an external Identity Provider (IdP) to the Keycloak SAML endpoint. This occurs during IdP-initiated broker logins, allowing attackers to complete logins even when the SAML Identity Provider is disabled, resulting in unauthorized authentication. The affected API endpoint is the Keycloak SAML endpoint. The vulnerability involves manipulating the SAML response to bypass authentication checks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Keycloak (affected versions not specified) **Description** An authorization bypass issue exists in the Keycloak Admin API. This allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim’s unique identifier (UUID) and the Organizations feature is enabled. The API endpoint involved is the Keycloak Admin API. The vulnerable parameter is the victim’s unique identifier (`UUID`). **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Keycloak (affected versions not specified) **Description** A flaw exists in Keycloak’s invitation token registration mechanism. The server does not verify the cryptographic signature of the JSON Web Token (JWT). An attacker can modify the organization ID (`org id`) and target email within a legitimate invitation token’s JWT payload to register an account in an unauthorized organization. This can lead to unauthorized access, bypassing invite-only onboarding, access to resources through Single Sign-On (SSO), and potential privilege escalation through Role-Based Access Control (RBAC). **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.