Kazet1234

**Name of the Vulnerable Software and Affected Versions** The Photo Gallery by 10Web WordPress plugin versions prior to 1.8.3 **Description** The issue arises from the plugin's failure to validate and escape certain parameters before outputting them in JS code on another page. This could lead to a Stored XSS issue when an attacker tricks a logged-in admin into opening a malicious URL or page. **Recommendations** For versions prior to 1.8.3, update to version 1.8.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality for logged-in admins until the update is applied.

**Name of the Vulnerable Software and Affected Versions** WP Popup Builder versions prior to 1.2.9 **Description** The issue concerns a lack of authorization and CSRF check in an AJAX action within the WP Popup Builder WordPress plugin. This allows any authenticated users, such as subscribers, to delete arbitrary popups. **Recommendations** For versions prior to 1.2.9, update to version 1.2.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the AJAX action or disabling it until a patch is available.

**Name of the Vulnerable Software and Affected Versions** WP Hide & Security Enhancer WordPress plugin versions prior to 1.8 **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs because a parameter is not properly escaped before being outputted back in an attribute of a backend page. This can lead to malicious scripts being executed. **Recommendations** For WP Hide & Security Enhancer WordPress plugin versions prior to 1.8, update to version 1.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the backend page where the vulnerable parameter is outputted to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WP Coder WordPress plugin versions prior to 2.5.3 **Description** The issue is related to the lack of a CSRF check when deleting code created by the plugin. This could allow attackers to make a logged-in admin delete arbitrary code via a CSRF attack. **Recommendations** For WP Coder WordPress plugin versions prior to 2.5.3, update to version 2.5.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's code deletion functionality to minimize the risk of exploitation.