Khanh

**Name of the Vulnerable Software and Affected Versions** WP Editor WordPress plugin version 1.2.6 and earlier **Description** The issue is related to an authenticated blind SQL injection problem. It occurs because the plugin does not properly sanitise or validate its setting fields, allowing an arbitrary parameter to be used when saving settings. This can be exploited by an admin or higher-privileged user. **Recommendations** For WP Editor WordPress plugin version 1.2.6 and earlier, update to version 1.2.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the settings save functionality to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Ajax Load More WordPress plugin versions prior to 5.3.2 Description: The issue concerns unvalidated input in the Ajax Load More WordPress plugin, leading to SQL Injection. This occurs in the POST /wp-admin/admin-ajax.php endpoint with the `repeater` parameter, specifically when set to `' or sleep(5)#` and `type` set to `test`. Recommendations: For versions prior to 5.3.2, update to version 5.3.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the /wp-admin/admin-ajax.php endpoint until the update is applied. Avoid using the `repeater` parameter in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Advanced Database Cleaner plugin versions prior to 3.0.2 Description: The issue arises from unvalidated input in the Advanced Database Cleaner plugin, leading to SQL injection. This allows high privilege users, such as administrators, to perform SQL attacks. Recommendations: For versions prior to 3.0.2, update to version 3.0.2 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Modern Events Calendar Lite WordPress plugin versions prior to 5.16.5 Description: The issue is related to a lack of authorization checks in the plugin, which did not properly restrict access to export files. This allowed unauthenticated users to export all events data in formats such as CSV or XML. Recommendations: For versions prior to 5.16.5, update to version 5.16.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the export functionality until a patch is applied.

Name of the Vulnerable Software and Affected Versions: Modern Events Calendar Lite WordPress plugin versions prior to 5.16.5 Description: The issue is related to unvalidated input and lack of output encoding in the plugin. Specifically, the `mic comment` field, also known as 'Notes on time', is not properly sanitised when adding or editing an event. This allows users with privileges as low as author to add events containing a Cross-Site Scripting payload, which is triggered when viewing the event in the frontend. Recommendations: For versions prior to 5.16.5, update to version 5.16.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the event editing feature to higher-privileged users until the update is applied. Additionally, avoid using the `mic comment` field in events until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Modern Events Calendar Lite WordPress plugin versions prior to 5.16.6 Description: The issue concerns unvalidated input in the Modern Events Calendar Lite WordPress plugin, which did not sanitize the `mec[post id]` POST parameter in the "mec fes form" AJAX action. This leads to an authenticated SQL Injection issue when logged in as an author or higher. Recommendations: For versions prior to 5.16.6, update to version 5.16.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the "mec fes form" AJAX action for users with author or higher privileges until the update is applied. Avoid using the `mec[post id]` parameter in the affected AJAX endpoint until the issue is resolved.