Kevin Lee

**Name of the Vulnerable Software and Affected Versions** Klamra Paycal for Aspaclaria versions prior to 1.1.5 **Description** The plugin is subject to Insecure Direct Object Reference, a condition where an application provides direct access to objects based on user-supplied input. Authenticated attackers with subscriber-level access or higher can download arbitrary customer invoices by enumerating sequential post IDs through the `invoice id` parameter. This occurs due to missing validation on a user-controlled key, leading to the exposure of sensitive billing personally identifiable information (PII), such as full names, email addresses, phone numbers, order totals, line items, and customer notes. **Recommendations** Update the plugin to a version later than 1.1.4. As a temporary workaround, restrict access to the `invoice id` parameter to prevent unauthorized invoice downloads.

**Name of the Vulnerable Software and Affected Versions** Passeum Ticketing versions prior to 1.1 **Description** The plugin is subject to Stored Cross-Site Scripting. This occurs because the `get shop url()` method returns the `shop name` setting value without sanitization when it starts with "http", and the `validate shop name()` function only verifies if the value is a non-empty string. Authenticated attackers with Administrator-level access or higher can inject arbitrary external scripts by setting `shop name` to a URL they control. This leads the plugin to enqueue external JavaScript and CSS from the attacker-controlled domain using `wp register script()` and `wp register style()`. The scripts execute on every frontend page containing a Passeum Ticketing shortcode, impacting all visitors. This issue does not affect single-site installations as administrators in those environments already possess the `unfiltered html` capability. **Recommendations** Update the plugin to a version later than 1.0.

The Slek Gateway for WooCommerce plugin for WordPress is vulnerable to Information Exposure in version 1.0. This is due to the wsb handle slek payment redirect() function placing the merchant's slek key and slek secret API credentials directly into a client-side HTML form, and additionally embedding the slek secret as a plaintext GET parameter in the IPN callback URL. This makes it possible for unauthenticated attackers who can place an order on the affected store to extract the merchant's API credentials by viewing the HTML source or using browser DevTools on the WooCommerce order-pay page before the JavaScript auto-submit fires.