Juampa Rodríguez

**Name of the Vulnerable Software and Affected Versions** The Cab fare calculator plugin for WordPress versions up to, and including, 1.1.6 **Description** The issue is related to Stored Cross-Site Scripting via the vehicle title setting due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrative privileges to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue only affects multi-site installations and installations where unfiltered html has been disabled. **Recommendations** For versions up to, and including, 1.1.6, update to a version that addresses the insufficient input sanitization and output escaping issue. As a temporary workaround, consider restricting access to the vehicle title setting to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** moziloCMS version 2.0 **Description** The issue is related to a Cross-Site Scripting vulnerability. By sending a POST request to the "/install.php" endpoint, a JavaScript payload could be executed in the `username` parameter. **Recommendations** For moziloCMS version 2.0, as a temporary workaround, consider restricting access to the "/install.php" endpoint until a patch is available. Avoid using the `username` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NXLog Manager version 5.6.5633 **Description** A Cross-Site Request Forgery (CSRF) issue allows an attacker to manipulate and delete user accounts within the platform by sending a specifically crafted query to the server. This is due to the lack of proper validation of the origin of incoming requests. **Recommendations** For NXLog Manager version 5.6.5633, consider disabling access to user account management features until a patch is available to prevent exploitation of the CSRF vulnerability. Restrict access to the server to minimize the risk of malicious queries being sent. Avoid using the platform for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NXLog Manager version 5.6.5633 **Description** A Cross-Site Scripting (XSS) issue allows an attacker to inject malicious JavaScript into the `Full Name` field during user edit, due to improper sanitization of the input parameter. This enables the attacker to execute arbitrary JavaScript code. **Recommendations** For NXLog Manager version 5.6.5633, as a temporary workaround, consider restricting access to the user edit functionality until a patch is available. Avoid using the `Full Name` field in the affected version until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NXLog Manager version 5.6.5633 **Description** The issue is a Cross-Site Request Forgery (CSRF) vulnerability that allows an attacker to eliminate roles within the platform by sending a specifically crafted query to the server. This is due to the absence of proper validation of the origin of incoming requests. **Recommendations** For NXLog Manager version 5.6.5633, consider implementing proper validation of the origin of incoming requests to prevent CSRF attacks. As a temporary workaround, restrict access to sensitive role management functions until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Never5 Post Connector plugin versions prior to 1.0.9 **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that affects users with admin+ authentication. This type of vulnerability allows an attacker to inject malicious scripts into the website, which can then be executed by other users. **Recommendations** For Never5 Post Connector plugin versions prior to 1.0.9, update to version 1.0.9 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Call Now Accessibility Button WordPress plugin versions prior to 1.1 **Description** The issue allows high-privilege users to perform Stored Cross-Site Scripting (XSS) attacks due to improper sanitization of some settings. This can occur even when the unfiltered html capability is disallowed, such as in a multisite setup. **Recommendations** For versions prior to 1.1, update to version 1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** StPeteDesign Call Now Accessibility Button plugin versions <= 1.1 **Description** The issue is related to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability. This means that an attacker with admin or higher privileges can inject malicious scripts into the application, which can then be executed by other users. The estimated number of potentially affected devices worldwide is not available. There is no information provided about real-world incidents where this issue was exploited. **Recommendations** For StPeteDesign Call Now Accessibility Button plugin versions <= 1.1, update to a version higher than 1.1 to resolve the issue. At the moment, there is no information about additional mitigation measures or workarounds for this specific vulnerability.

**Name of the Vulnerable Software and Affected Versions** Aajoda Testimonials WordPress plugin versions prior to 2.2.2 **Description** The issue is related to the lack of sanitization and escaping of some settings in the Aajoda Testimonials WordPress plugin, which could allow high-privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This is possible even when the unfiltered html capability is disallowed, for example, in a multisite setup. The vulnerability may allow a remote attacker to conduct cross-site scripting attacks. **Recommendations** For versions prior to 2.2.2, update to version 2.2.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Autoptimize WordPress plugin versions prior to 3.1.7 **Description** The issue allows high privileged users, such as administrators, to inject arbitrary javascript into the admin panel. This can occur even when the unfiltered html capability is disabled, for example, in a multisite setup. The problem arises from the plugin's failure to properly sanitise and escape settings imported from a previous export. **Recommendations** For versions prior to 3.1.7, update to version 3.1.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WPMobile.App versions prior to 11.20 **Description** A Stored Cross-Site Scripting (XSS) vulnerability exists, allowing authentication bypass for admin+ users. **Recommendations** For versions prior to 11.20, update to a version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** 0mk Shortener plugin for WordPress versions up to, and including, 0.2 **Description** The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the `zeromk options page` function. This allows unauthenticated attackers to inject malicious web scripts via the `zeromk user` and `zeromk apikluc` parameters through a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. **Recommendations** For versions up to, and including, 0.2, consider disabling the `zeromk options page` function until a patch is available to prevent exploitation. Restrict access to the parameters `zeromk user` and `zeromk apikluc` to minimize the risk of malicious script injection. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Chat Bubble WordPress plugin versions prior to 2.3 **Description** The issue allows unauthenticated attackers to set Stored Cross-Site Scripting payloads in some contact parameters, which will trigger when an admin views the related contact message. This is due to the plugin not sanitising and escaping these parameters. **Recommendations** For versions prior to 2.3, update to version 2.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the contact message viewing functionality for admins until the update is applied.

**Name of the Vulnerable Software and Affected Versions** WP-UserOnline plugin for WordPress versions up to, and including 2.88.0 **Description** The issue is due to the lack of proper sanitization and escaping of user input in the "Naming Conventions" section, allowing authenticated attackers with administrative privileges to inject JavaScript code. This affects multi-site installations and installations where unfiltered html has been disabled. **Recommendations** For versions up to, and including 2.88.0, update to a version that properly sanitizes user input in the "Naming Conventions" section to prevent JavaScript code injection. As a temporary workaround, consider restricting access to the "Naming Conventions" section for users with administrative privileges until a patch is available.