Jude Nwadinobi

**Name of the Vulnerable Software and Affected Versions** Divi Form Builder versions prior to 5.1.3 **Description** The Divi Form Builder plugin for WordPress allows unauthenticated attackers to create administrator accounts. This occurs because the plugin accepts a user-controlled `role` parameter from POST data during user registration without validating it against the configured `default user role` setting, leading to privilege escalation. **Recommendations** Update to a version later than 5.1.2.

**Name of the Vulnerable Software and Affected Versions** Piotnet Forms versions prior to 2.1.41 **Description** An arbitrary file upload issue exists due to missing file type validation within the `piotnetforms ajax form builder()` function. The software employs an incomplete extension blacklist that blocks only php, phpt, php5, php7, and exe extensions, while permitting dangerous extensions such as .phar or .phtml. This allows unauthenticated attackers to upload arbitrary files to the server, potentially leading to remote code execution. This issue is only exploitable if a file field has been added to the form. **Recommendations** Update to a version later than 2.1.40. As a temporary workaround, avoid adding file fields to forms until the update is applied.

**Name of the Vulnerable Software and Affected Versions** User Registration Advanced Fields versions prior to 1.6.21 **Description** The User Registration Advanced Fields plugin for WordPress allows unauthenticated attackers to upload arbitrary files to the server. This issue stems from missing file type validation within the `method upload()` function of the 'URAF AJAX' class, which could lead to remote code execution. This flaw is only exploitable if a "Profile Picture" field has been added to the registration form. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** wpForo Forum versions prior to 3.0.6 **Description** The plugin is subject to arbitrary file deletion. This occurs because the `Members::update()` method fails to validate or restrict values for file-type custom profile fields, enabling authenticated users to store arbitrary paths. Additionally, the `wpforo fix upload dir()` sanitization function within `ucf file delete()` only remaps paths matching a specific pattern before they are passed to the `unlink()` function. Authenticated attackers with subscriber-level access or higher can exploit this to delete arbitrary files on the server, which may lead to remote code execution if critical files like 'wp-config.php' are removed. This issue requires the wpForo - User Custom Fields addon plugin to be active. **Recommendations** Update to a version newer than 3.0.5.

**Name of the Vulnerable Software and Affected Versions** Visa Acceptance Solutions versions prior to 2.1.1 **Description** The Visa Acceptance Solutions plugin for WordPress allows unauthenticated attackers to log in as any existing user, including administrators. This occurs because the `express pay product page pay for order()` function logs users in based solely on a user-supplied billing email address during guest checkout for subscription products, without verifying email ownership, requiring a password, or validating a one-time token. An attacker can achieve complete account takeover and site compromise by providing the target user's email address in the `billing details` parameter. **Recommendations** Update the plugin to a version later than 2.1.0.

**Name of the Vulnerable Software and Affected Versions** Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress versions prior to 1.11.1 **Description** Insecure token-based authentication allows unauthenticated attackers to escalate privileges to administrator. The issue stems from the plugin trusting a user-supplied Base64-encoded user ID within the `token` parameter to identify users. Additionally, valid authentication tokens are leaked through the 'barcodeScannerConfigs' action, and the 'setUserMeta' action lacks meta-key restrictions. An attacker can spoof an administrator user ID to leak their authentication token and subsequently use that token to update the `wp capabilities` meta of any user to gain full administrative access. **Recommendations** Update to a version newer than 1.11.0.

**Name of the Vulnerable Software and Affected Versions** User Registration & Membership plugin for WordPress versions up to and including 5.1.2 **Description** The User Registration & Membership plugin for WordPress is affected by an authentication bypass. This is caused by incorrect authentication in the `register member` function. An unauthenticated attacker can log in as a newly registered user if that user has the `urm user just created` user meta set. **Recommendations** Update the User Registration & Membership plugin to a version newer than 5.1.2.

**Name of the Vulnerable Software and Affected Versions** Unlimited Elements For Elementor plugin for WordPress versions prior to 2.1 **Description** The Unlimited Elements For Elementor plugin for WordPress is susceptible to Stored Cross-Site Scripting through SVG File uploads. Insufficient input sanitization and output escaping allow unauthenticated attackers to inject arbitrary web scripts into pages when a user accesses the SVG file. Exploitation requires a form with a file upload field created using the premium version of the plugin, but the issue remains exploitable even after deactivation or uninstallation of the premium version. **Recommendations** Update to version 2.1 or later.

**Name of the Vulnerable Software and Affected Versions** Lexicata plugin for WordPress versions up to, and including, 1.0.16 **Description** The issue arises from the use of `add query arg` without proper escaping on the URL, leading to Reflected Cross-Site Scripting. This allows unauthenticated attackers to inject arbitrary web scripts, which execute when a user performs a specific action, such as clicking a specially crafted link. **Recommendations** For versions up to, and including, 1.0.16, update to a version higher than 1.0.16 to resolve the issue. As a temporary workaround, consider restricting access to the `add query arg` function until a patch is available. Avoid using the `add query arg` function in URLs until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Bitcoin Lightning Publisher for WordPress versions up to, and including, 1.4.1 **Description** The issue is related to Reflected Cross-Site Scripting due to the use of `add query arg` without appropriate escaping on the URL. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. **Recommendations** For versions up to, and including, 1.4.1, update to a version higher than 1.4.1 to resolve the issue. As a temporary workaround, consider restricting user interactions with potentially vulnerable pages until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Analytics Cat – Google Analytics Made Easy plugin for WordPress versions up to, and including, 1.1.2 **Description** The issue is related to Reflected Cross-Site Scripting due to the use of `add query arg` without appropriate escaping on the URL. This allows unauthenticated attackers to inject arbitrary web scripts that execute if they can successfully trick a user into performing an action, such as clicking on a specially crafted link. **Recommendations** For versions up to, and including, 1.1.2, update to a version higher than 1.1.2 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality until a patch is available. Avoid using the `add query arg` function without proper escaping in the affected URL until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Kudos Donations – Easy donations and payment with Mollie plugin for WordPress versions up to and including 3.2.9 **Description** The issue is related to Reflected Cross-Site Scripting due to the use of `add query arg` without proper escaping on the URL. This allows unauthenticated attackers to inject arbitrary web scripts that execute if they can trick a user into performing an action, such as clicking on a specially crafted link. **Recommendations** For versions up to and including 3.2.9, update to a version higher than 3.2.9 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality until a patch is available.