Kévin Mosbahi

**Name of the Vulnerable Software and Affected Versions** Custom Twitter Feeds – A Tweets Widget or X Feed Widget plugin for WordPress versions up to, and including, 2.2.5 **Description** The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the `ctf clear cache admin()` function. This allows unauthenticated attackers to reset the plugin's cache by tricking a site administrator into performing an action, such as clicking on a link. **Recommendations** For versions up to, and including, 2.2.5, consider disabling the `ctf clear cache admin()` function until a patch is available to prevent cache reset via forged requests. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WPSyncSheets Lite For WPForms – WPForms Google Spreadsheet Addon plugin for WordPress versions up to, and including, 1.6 **Description** The issue is related to unauthorized modification of data due to a missing capability check on the `wpsslwp reset settings()` function. This allows authenticated attackers with Subscriber-level access and above to reset the plugin's settings. **Recommendations** For versions up to, and including, 1.6, consider disabling the `wpsslwp reset settings()` function until a patch is available to prevent unauthorized modification of data. Restrict access to the plugin's settings to minimize the risk of exploitation. Update to a version that includes a fix for this issue once it becomes available.

**Name of the Vulnerable Software and Affected Versions** LazyLoad Background Images plugin for WordPress versions up to and including 1.0.7 **Description** The issue arises from a missing capability check on the `pblzbg save settings()` function, allowing authenticated attackers with Subscriber-level access or higher to update the plugin's settings. This enables unauthorized modification of data. **Recommendations** For versions up to and including 1.0.7, update to a version higher than 1.0.7 to resolve the issue. As a temporary workaround, consider restricting access to the `pblzbg save settings()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** de:branding plugin for WordPress versions up to and including 1.0.2 **Description** The issue allows unauthorized modification of data, potentially leading to privilege escalation due to a missing capability check on the `debranding save()` function. This enables authenticated attackers with subscriber-level access and above to update arbitrary options on the WordPress site, which can be leveraged to update the default role for registration to administrator and enable user registration, allowing attackers to gain administrative user access to a vulnerable site. **Recommendations** For versions up to and including 1.0.2, update to a version higher than 1.0.2 to resolve the issue. As a temporary workaround, consider disabling the `debranding save()` function until a patch is available. Restrict access to the de:branding plugin to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SMS for Lead Capture Forms plugin for WordPress versions up to, and including, 1.1.0 **Description** The issue is caused by a missing capability check on the `delete message()` function, allowing authenticated attackers with Subscriber-level access and above to delete arbitrary messages. This results in unauthorized modification of data. **Recommendations** For versions up to, and including, 1.1.0, update to a version that includes a fix for the missing capability check on the `delete message()` function. As a temporary workaround, consider restricting access to the `delete message()` function to prevent unauthorized data modification. Restrict Subscriber-level access and above to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Ultimate YouTube Video & Shorts Player With Vimeo plugin for WordPress versions up to, and including, 3.3 **Description** The issue is related to unauthorized access of data due to a missing capability check on the `get setting()` function. This allows authenticated attackers with Subscriber-level access and above to view settings for playlists. **Recommendations** For versions up to, and including, 3.3, update to a version that includes a capability check on the `get setting()` function to prevent unauthorized access. As a temporary workaround, consider restricting access to the `get setting()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** The Ultimate YouTube Video & Shorts Player With Vimeo plugin for WordPress versions up to, and including, 3.3 **Description** The issue is related to a missing capability check on the `del ytsingvid()` function, allowing authenticated attackers with Subscriber-level access and above to delete single playlists. This enables unauthorized modification of data. **Recommendations** For versions up to, and including, 3.3, update to a version that includes a fix for the missing capability check on the `del ytsingvid()` function to prevent unauthorized playlist deletion. As a temporary workaround, consider restricting access to the `del ytsingvid()` function to prevent unauthorized modifications until a patch is available.

Name of the Vulnerable Software and Affected Versions: myCred – Loyalty Points and Rewards plugin for WordPress versions up to, and including, 2.7.3 Description: The issue allows unauthorized modification of data due to a missing capability check on the `mycred update database()` function. This makes it possible for unauthenticated attackers to upgrade an out of date database. Recommendations: For versions up to, and including, 2.7.3, update to a version higher than 2.7.3 to resolve the issue. As a temporary workaround, consider disabling the `mycred update database()` function until a patch is available.