Kauenavarro

Name of the Vulnerable Software and Affected Versions: MC4WP: Mailchimp for WordPress plugin for WordPress versions 4.9.9 through 4.9.16 Description: The issue is related to Reflected Cross-Site Scripting via the `email` parameter when a placeholder such as {email} is used for the field. This is due to insufficient input sanitization and output escaping, making it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Recommendations: For versions 4.9.9 through 4.9.16, consider disabling the use of the `email` parameter with placeholders until a patch is available. Restrict access to pages that use the `email` parameter to minimize the risk of exploitation. Avoid using the `email` parameter in affected fields until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Phlox PRO theme for WordPress versions up to, and including, 5.16.4 **Description** The issue is related to Reflected Cross-Site Scripting via search parameters due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. **Recommendations** For versions up to, and including, 5.16.4, update to a version later than 5.16.4 to resolve the issue. As a temporary workaround, consider restricting access to search parameters to minimize the risk of exploitation. Avoid using search parameters in links or forms until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: wp-eMember WordPress plugin versions prior to 10.6.6 Description: The issue is related to a Reflected Cross-Site Scripting problem. It occurs because a parameter is not properly sanitised and escaped before being outputted back in the page. This could be exploited against high-privilege users, such as administrators. Recommendations: For versions prior to 10.6.6, update to version 10.6.6 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress versions up to, and including, 6.4.8 Description: The issue is related to Reflected Cross-Site Scripting via the `country` parameter due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Recommendations: For versions up to, and including, 6.4.8, update to a version higher than 6.4.8 to resolve the issue. As a temporary workaround, consider restricting the use of the `country` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** wp-eMember WordPress plugin versions prior to 10.3.9 **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs because the `fieldId` parameter is not properly sanitized and escaped before being outputted back in the page. This allows for potential malicious script injection. **Recommendations** For versions prior to 10.3.9, update to version 10.3.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the `fieldId` parameter in the affected API endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** EventON WordPress plugin versions prior to 4.4.1 **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs because a parameter is not properly sanitised and escaped before being outputted back in the page. This could be exploited against high-privilege users, such as administrators. **Recommendations** For versions prior to 4.4.1, update to version 4.4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** EventON-RSVP WordPress plugin versions prior to 2.9.5 **Description** The issue is related to a Reflected Cross-Site Scripting problem, where some parameters are not properly sanitized and escaped before being outputted back in the page. This could be exploited against high-privilege users, such as administrators. **Recommendations** For versions prior to 2.9.5, update to version 2.9.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality to minimize the risk of exploitation.