Karolina Jankowska

**Name of the Vulnerable Software and Affected Versions** The MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress versions up to, and including, 1.9.80 **Description** The issue is related to Stored Cross-Site Scripting via the plugin's settings due to insufficient input sanitization and output escaping. This allows authenticated attackers with Shop Manager-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue only affects multi-site installations and installations where unfiltered html has been disabled. **Recommendations** For versions up to, and including, 1.9.80, update to a version that addresses the insufficient input sanitization and output escaping issue. As a temporary workaround, consider restricting access to the plugin's settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Opal Membership plugin for WordPress versions up to and including 1.2.4 **Description** The issue allows authenticated attackers with subscriber-level access and above to view private notes that should be restricted to administrators. This is possible due to the utilization of WordPress comments in the private notes functionality on payments. **Recommendations** For Opal Membership plugin for WordPress versions up to and including 1.2.4, consider restricting access to the private notes functionality to minimize the risk of sensitive information exposure until a patch is available. As a temporary workaround, restrict the use of WordPress comments for private notes to prevent unauthorized access.

**Name of the Vulnerable Software and Affected Versions** Opal Membership plugin for WordPress versions up to, and including, 1.2.4 **Description** The issue is related to Stored Cross-Site Scripting via checkout form fields due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For Opal Membership plugin for WordPress versions up to, and including, 1.2.4, update to a version later than 1.2.4 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.