Kenneth Dunn

**Name of the Vulnerable Software and Affected Versions** MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar versions 4.0 through 5.10 **Description** The MP3 Audio Player plugin for WordPress has an issue related to Insecure Direct Object Reference. This occurs due to a lack of validation on a user-controlled key within the `load track note ajax` function. This allows unauthenticated attackers to view the contents of private posts. **Recommendations** Update the MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin to a version newer than 5.10.

**Name of the Vulnerable Software and Affected Versions** IDonate – Blood Donation, Request And Donor Management System plugin for WordPress versions 2.1.5 through 2.1.9 **Description** The IDonate plugin for WordPress has a flaw that allows unauthorized privilege escalation. Attackers with Subscriber-level access or higher can exploit a missing capability check in the `idonate donor profile()` function. This allows them to hijack accounts by changing the associated email address and initiating a password reset, potentially gaining full administrator privileges. **Recommendations** Update to a version of the IDonate plugin that addresses this issue.

**Name of the Vulnerable Software and Affected Versions** Tablesome Table – Contact Form DB plugin for WordPress versions 0.5.4 through 1.2.1 **Description** The Tablesome Table – Contact Form DB plugin for WordPress has a flaw where a missing capability check in the `get table data()` function allows authenticated users with Subscriber-level access or higher to retrieve plugin data, including email logs. This unauthorized access can be used to escalate privileges and potentially trigger a password reset to obtain the reset key. **Recommendations** Versions 0.5.4 through 1.2.1 should be updated to a version with a capability check implemented in the `get table data()` function.

**Name of the Vulnerable Software and Affected Versions** Frontend Post Submission Manager Lite plugin for WordPress versions through 1.2.7 **Description** The software contains a flaw that allows redirection to potentially malicious sites. This occurs because of inadequate validation of the `requested page` POST parameter within the `verify username password` function. An unauthenticated attacker can exploit this by tricking users into performing an action, such as clicking a link, which triggers the redirection. **Recommendations** Update the Frontend Post Submission Manager Lite plugin to a version later than 1.2.7.

**Name of the Vulnerable Software and Affected Versions** MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar versions 5.3 through 5.10 **Description** The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress has a Server-Side Request Forgery issue. Attackers with author-level access or higher can make web requests to arbitrary locations from the web application. This can be used to query and modify information from internal services via the `load lyrics ajax callback` function. **Recommendations** Update MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar to a version later than 5.10.

**Name of the Vulnerable Software and Affected Versions** Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization versions 2.4.4 through 2.5.12 **Description** The Search Atlas SEO plugin for WordPress has a flaw that allows authentication bypass. This occurs because of a missing capability check within the `generate sso url` and `validate sso token` functions. Attackers with Subscriber-level access or higher can extract the `nonce token` authentication value and use it to log in as the first Administrator account. **Recommendations** Versions 2.4.4 through 2.5.12 should be updated to a fixed version, if available. As a temporary workaround, restrict access to the `generate sso url` and `validate sso token` functions.

**Name of the Vulnerable Software and Affected Versions** All-in-One Video Gallery plugin for WordPress versions 4.1.0 through 4.6.4 **Description** The All-in-One Video Gallery plugin for WordPress has a flaw that allows unauthorized modification of data. This is due to a missing capability check within the `ajax callback store user meta()` function. Authenticated attackers with Subscriber-level access or higher can update arbitrary string-based user meta keys for their own account. The vulnerable function is `ajax callback store user meta()`. **Recommendations** Update to a version beyond 4.6.4.

**Name of the Vulnerable Software and Affected Versions** AffiliateX – Amazon Affiliate Plugin versions 1.0.0 through 1.3.9.3 **Description** The AffiliateX – Amazon Affiliate Plugin for WordPress is susceptible to unauthorized data modification because of a missing capability check on the `save customization settings` AJAX action. This allows authenticated attackers with Subscriber-level access or higher to inject arbitrary JavaScript code that will execute when an AffiliateX block is rendered on a website. **Recommendations** Update AffiliateX – Amazon Affiliate Plugin to a version later than 1.3.9.3.

**Name of the Vulnerable Software and Affected Versions** GamiPress – Gamification plugin for WordPress versions prior to 7.6.2 **Description** The GamiPress – Gamification plugin for WordPress is susceptible to unauthorized data access. A missing capability check in the `gamipress ajax get posts` and `gamipress ajax get users` functions allows authenticated attackers with Subscriber-level access or higher to enumerate users, including their email addresses, and retrieve titles of private posts. **Recommendations** Update to version 7.6.2 or later.

**Name of the Vulnerable Software and Affected Versions** HTML5 Audio Player WordPress Plugin versions 2.4.0 through 2.5.1 **Description** The HTML5 Audio Player WordPress Plugin is susceptible to a Server-Side Request Forgery (SSRF) condition. This allows unauthenticated attackers to initiate web requests to arbitrary locations from the web application. The issue resides within the `getIcyMetadata()` function and can be leveraged to query and modify information from internal services. **Recommendations** Update to version 2.5.2 or later.

**Name of the Vulnerable Software and Affected Versions** Fox LMS – WordPress LMS Plugin versions prior to 1.0.5.1 **Description** The Fox LMS – WordPress LMS Plugin does not properly validate the `role` parameter when creating new users via the `/fox-lms/v1/payments/create-order` API endpoint. This allows unauthenticated attackers to create new user accounts with arbitrary roles, including administrator, potentially leading to complete site compromise. **Recommendations** Versions prior to 1.0.5.1 should be updated to version 1.0.5.1 or later.

**Name of the Vulnerable Software and Affected Versions** rtMedia for WordPress, BuddyPress and bbPress versions 4.7.0 through 4.7.3 **Description** The rtMedia plugin for WordPress, BuddyPress, and bbPress has an information disclosure issue. Missing authorization within the `handle rest pre dispatch()` function, specifically when the Godam plugin is active, allows unauthenticated attackers to access media items linked to draft or private posts. **Recommendations** Update to version 4.7.4 or later.

**Name of the Vulnerable Software and Affected Versions** WP3D Model Import Viewer plugin for WordPress versions through 1.0.7 **Description** The WP3D Model Import Viewer plugin for WordPress is susceptible to arbitrary file uploads. This is due to a lack of file type validation within the `handle import file()` function. Authenticated attackers with Author-level access or higher can upload arbitrary files to the server, potentially leading to remote code execution. **Recommendations** Update to version 1.0.8.

**Name of the Vulnerable Software and Affected Versions** Postem Ipsum versions up to and including 3.0.1 **Description** The Postem Ipsum plugin for WordPress has a flaw that allows unauthorized modification of data, leading to privilege escalation. Attackers with Subscriber-level access or higher can create arbitrary user accounts with administrator privileges due to a missing capability check on the `postem ipsum generate users()` function. **Recommendations** Update Postem Ipsum to a version later than 3.0.1.

**Name of the Vulnerable Software and Affected Versions** JAY Login & Register plugin for WordPress versions prior to 2.4.01 **Description** The JAY Login & Register plugin for WordPress has a flaw in authentication. Incorrect authentication checking within the `jay login register process switch back` function, utilizing the `jay login register process switch back` cookie, allows attackers to bypass authentication. This enables unauthenticated attackers to log in as any existing user, including administrators, if they have access to the user id. **Recommendations** Update the JAY Login & Register plugin to a version later than 2.4.01.

**Name of the Vulnerable Software and Affected Versions** Infility Global versions prior to 2.14.24 **Description** The Infility Global plugin for WordPress is susceptible to arbitrary file uploads because of inadequate file type validation and missing capability checks. The `upload file` function within the `infility import file` class validates only the MIME type, which can be easily manipulated. Additionally, the `import data` function lacks proper capability checks. This allows authenticated attackers with subscriber-level access or higher to upload arbitrary files to the server, potentially leading to remote code execution. **Recommendations** Update Infility Global to version 2.14.24 or later.

The Flow-Flow Social Feed Stream plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the flow flow social auth AJAX action in versions 3.0.0 to 4.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings and store arbitrary JavaScript that executes whenever the plugin settings page is viewed.

**Name of the Vulnerable Software and Affected Versions** Blaze Demo Importer plugin for WordPress versions through 1.0.13 **Description** The Blaze Demo Importer plugin for WordPress is susceptible to unauthorized database resets and file deletion. This is due to a missing capability check within the `blaze demo importer install demo()` function. Authenticated attackers with subscriber-level access or higher can truncate all database tables (excluding options, usermeta, and users), delete sidebar widgets, theme modifications, and content within the uploads folder. **Recommendations** Update the Blaze Demo Importer plugin to a version beyond 1.0.13.

**Name of the Vulnerable Software and Affected Versions** Player Leaderboard plugin for WordPress versions up to and including 1.0.2 **Description** The Player Leaderboard plugin for WordPress is susceptible to Local File Inclusion through the 'player leaderboard' shortcode. The issue stems from the plugin utilizing an unsanitized value from the 'mode' attribute within the shortcode in conjunction with the `include()` function, lacking adequate path validation. This allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary PHP files on the server. Successful exploitation could lead to bypassing access controls, obtaining sensitive data, or achieving full remote code execution, particularly if file upload functionality is also available. The vulnerable parameter is `mode`. **Recommendations** Versions prior to 1.0.3 should be updated.

**Name of the Vulnerable Software and Affected Versions** All-in-One Video Gallery versions 4.5.4 through 4.5.7 **Description** The All-in-One Video Gallery plugin for WordPress has a flaw that allows unauthorized file uploads. This is due to a lack of proper file type checking within the `resolve import directory()` function. Attackers with Author-level access or higher can upload any file type to the server, potentially leading to remote code execution. The vulnerable parameter is the file being uploaded through the import directory functionality. **Recommendations** Update to a version of All-in-One Video Gallery that addresses this issue.