Jrxnm

**Name of the Vulnerable Software and Affected Versions** The Gallery Plugin for WordPress versions prior to 1.8.4.7 **Description** The issue concerns the failure to escape the `REQUEST URI` parameter before outputting it back in an attribute. This could lead to Reflected Cross-Site Scripting in old web browsers. **Recommendations** For versions prior to 1.8.4.7, update to version 1.8.4.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Contact Form DB WordPress plugin versions prior to 1.8.0 **Description** The issue is related to Reflected Cross-Site Scripting. It occurs because the plugin does not properly sanitise and escape some parameters before outputting them back in attributes. **Recommendations** For versions prior to 1.8.0, update to version 1.8.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Crowdsignal Dashboard WordPress plugin versions prior to 3.0.8 **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs because a `parameter` is not properly sanitised and escaped before being outputted back in the page. This allows for malicious scripts to be injected and executed. **Recommendations** For versions prior to 3.0.8, update to version 3.0.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the Crowdsignal Dashboard WordPress plugin until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Advanced WordPress Reset WordPress plugin versions prior to 1.6 **Description** The issue concerns Reflected Cross-Site Scripting. It occurs because some generated URLs are not properly escaped before being outputted back in href attributes of admin dashboard pages. **Recommendations** For versions prior to 1.6, update to version 1.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** CAPTCHA 4WP WordPress plugin versions prior to 7.1.0 **Description** The issue allows user input to reach a sensitive require once call in one of its admin-side templates. This can be exploited by attackers via a Cross-Site Request Forgery attack to run arbitrary code on the server. **Recommendations** For versions prior to 7.1.0, update to version 7.1.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin-side templates to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WP Video Lightbox WordPress plugin versions prior to 1.9.5 **Description** The issue concerns the WP Video Lightbox WordPress plugin, where it fails to properly escape the `REQUEST URI` parameter before outputting it back in an attribute. This could potentially lead to Reflected Cross-Site Scripting in older web browsers. **Recommendations** For WP Video Lightbox WordPress plugin versions prior to 1.9.5, update to version 1.9.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Popup Anything WordPress plugin versions prior to 2.1.7 **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs because a parameter is not properly sanitised and escaped before being outputted back in a frontend page. **Recommendations** For versions prior to 2.1.7, update to version 2.1.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the frontend page where the parameter is outputted until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Advanced Database Cleaner WordPress plugin versions prior to 3.1.1 **Description** The issue is related to Reflected Cross-Site Scripting. It occurs because the plugin does not properly escape numerous generated URLs before outputting them back in href attributes of admin dashboard pages. **Recommendations** For versions prior to 3.1.1, update to version 3.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin dashboard pages to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Discount Rules for WooCommerce WordPress plugin versions prior to 2.4.2 **Description** The issue concerns a Reflected Cross-Site Scripting problem. It occurs because a parameter is not properly escaped before being outputted in an attribute on the plugin's discount rule page. **Recommendations** For versions prior to 2.4.2, update to version 2.4.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Contact Form 7 Captcha WordPress plugin versions prior to 0.1.2 **Description** The issue arises from the failure to escape the `REQUEST URI` parameter before outputting it back in an attribute, potentially leading to Reflected Cross-Site Scripting in older web browsers. **Recommendations** For versions prior to 0.1.2, update to version 0.1.2 or later to resolve the issue. As a temporary workaround, consider restricting access to attributes that use the `REQUEST URI` parameter until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Download Manager WordPress plugin versions prior to 3.2.44 **Description** The issue is related to Reflected Cross-Site Scripting. It occurs because a generated URL is not properly escaped before being outputted back in an attribute of the history dashboard. This allows for malicious scripts to be injected. **Recommendations** For versions prior to 3.2.44, update to version 3.2.44 or later to resolve the issue. As a temporary workaround, consider restricting access to the history dashboard to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WooCommerce PDF Invoices & Packing Slips versions prior to 2.16.0 **Description** The issue allows attackers to conduct reflected cross-site scripting attacks due to a parameter on the setting page not being properly escaped. This makes it possible for attackers to inject malicious scripts into the page. **Recommendations** For versions prior to 2.16.0, update to version 2.16.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the setting page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Redirection for Contact Form 7 WordPress plugin versions prior to 2.5.0 **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs because the plugin does not properly escape a link generated before outputting it in an attribute. This can lead to malicious scripts being executed. **Recommendations** For versions prior to 2.5.0, update to version 2.5.0 or later to resolve the issue. As a temporary workaround, consider disabling the plugin until a patch is available. Restrict access to the plugin's functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Ocean Extra WordPress plugin versions prior to 1.9.5 **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs because the plugin does not properly escape generated links when the OceanWP is active. **Recommendations** For versions prior to 1.9.5, update to version 1.9.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** XML Sitemaps WordPress plugin versions prior to 4.1.3 **Description** The issue allows high privilege users to perform Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example in multisite setups. This is due to the plugin not sanitizing and escaping settings before outputting them in the Debug page. **Recommendations** For versions prior to 4.1.3, update to version 4.1.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the Debug page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Check & Log Email WordPress plugin versions prior to 1.0.6 **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs because a parameter is not properly sanitised and escaped before being outputted back in an attribute on an admin page. **Recommendations** For versions prior to 1.0.6, update to version 1.0.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Call Now Button WordPress plugin versions prior to 1.1.2 **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs when a parameter is not properly escaped before being outputted back in an attribute of a hidden input, and this happens when the premium feature is enabled. **Recommendations** For Call Now Button WordPress plugin versions prior to 1.1.2, update to version 1.1.2 or later to resolve the issue. As a temporary workaround, consider disabling the premium feature until the update is applied.

**Name of the Vulnerable Software and Affected Versions** The Photo Gallery by 10Web WordPress plugin versions prior to 1.6.3 **Description** The issue arises from the improper sanitization of the `image url` variable in the $ GET request, which is reflected back to users during the execution of the editimage bwg AJAX action. This can lead to potential security risks. **Recommendations** For versions prior to 1.6.3, update to version 1.6.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the editimage bwg AJAX action until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** The Photo Gallery WordPress plugin versions 1.6.3 and earlier **Description** The issue arises from the improper escaping of the `filter tag` parameter in the SQL query, allowing for SQL Injection attacks. This occurs when user input from the `$ POST['filter tag']` parameter is directly appended to an SQL query without proper sanitization. **Recommendations** For versions 1.6.3 and earlier, update to a version later than 1.6.3 to resolve the issue. As a temporary workaround, consider restricting access to the SQL query that utilizes the `filter tag` parameter until a patch is available. Avoid using the `filter tag` parameter in affected queries until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** All In One WP Security & Firewall WordPress plugin versions prior to 4.4.11 **Description** The issue arises from the lack of validation, sanitization, and escaping of the `redirect to` parameter, which can lead to Arbitrary Redirect and Cross-Site Scripting issues when the Rename Login Page feature is active. Exploitation requires knowledge of the Login Page URL value, which is considered hard to guess, thereby reducing the risk. **Recommendations** For versions prior to 4.4.11, update to version 4.4.11 or later to resolve the issue. As a temporary workaround, consider disabling the Rename Login Page feature until a patch is available. Restrict access to the login page to minimize the risk of exploitation. Avoid using the `redirect to` parameter in the affected plugin until the issue is resolved.