Khayal Farzaliyev

**Name of the Vulnerable Software and Affected Versions** eForm - WordPress Form Builder plugin versions up to, and including, 4.18.0 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 4.18.0, update to a version that includes the necessary input sanitization and output escaping fixes to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the plugin's functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Zapier for WordPress plugin for WordPress versions up to, and including, 1.5.1 **Description** The issue allows authenticated attackers with Subscriber-level access and above to make web requests to arbitrary locations, originating from the web application. This can be used to query and modify information from internal services via the `updated user()` function. **Recommendations** For versions up to, and including, 1.5.1, consider disabling the `updated user()` function as a temporary workaround until a patch is available. Restrict access to internal services to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress versions up to, and including, 5.2.12 **Description** The issue is related to insufficient IP address validation and the use of user-supplied HTTP headers as a primary method for IP retrieval. This allows unauthenticated attackers to spoof their IP address and submit forms that may have IP-based restrictions. **Recommendations** For versions up to, and including, 5.2.12, update to a version that addresses the IP address validation issue to prevent spoofing. As a temporary workaround, consider restricting access to forms with IP-based restrictions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** School Management System for Wordpress plugin versions up to, and including, 92.0.0 **Description** The issue allows authenticated attackers with Custom-level access and above to perform SQL Injection via the `id` parameter of the "mj smgt show event task" AJAX action. This is due to insufficient escaping on the user-supplied `id` parameter and lack of sufficient preparation on the existing SQL query, making it possible to extract sensitive information from the database. **Recommendations** For School Management System for Wordpress plugin versions up to, and including, 92.0.0, consider restricting access to the "mj smgt show event task" AJAX action until a patch is available. As a temporary workaround, avoid using the `id` parameter in the affected AJAX action to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** School Management System for Wordpress plugin versions up to, and including, 92.0.0 **Description** The issue arises from insufficient escaping on the `user supplied parameter` and lack of sufficient preparation on the existing SQL query in the `mj smgt view student attendance()` function, specifically on the 'view-attendance' page. This allows authenticated attackers with Student-level access and above to append additional SQL queries into already existing queries, potentially extracting sensitive information from the database. **Recommendations** For School Management System for Wordpress plugin versions up to, and including, 92.0.0, consider restricting access to the 'view-attendance' page until a patch is available, and limit the use of the `mj smgt view student attendance()` function to prevent potential SQL injection attacks.

**Name of the Vulnerable Software and Affected Versions** The Structured Content (JSON-LD) #wpsc plugin for WordPress versions up to, and including, 6.4.5 **Description** The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's `sc fs local business` shortcode. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages. The injected scripts will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 6.4.5, update to a version that includes the necessary input sanitization and output escaping fixes to prevent Stored Cross-Site Scripting attacks.

**Name of the Vulnerable Software and Affected Versions** The WordPress Portfolio Builder – Portfolio Gallery plugin for WordPress versions up to, and including, 1.1.7 **Description** The issue is related to unauthorized modification of data due to a missing capability check on the `add video` function. This allows unauthenticated attackers to add arbitrary videos to any portfolio gallery. **Recommendations** For versions up to, and including, 1.1.7, update to a version higher than 1.1.7 to resolve the issue. As a temporary workaround, consider disabling the `add video` function until a patch is available. Restrict access to portfolio galleries to minimize the risk of exploitation. Avoid using the `add video` function in affected portfolios until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FormCraft plugin for WordPress versions up to, and including, 3.9.11 **Description** The issue allows unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file due to insufficient input sanitization and output escaping. This is possible via Stored Cross-Site Scripting through SVG file uploads. **Recommendations** For versions up to, and including, 3.9.11, update to a version later than 3.9.11 to resolve the issue. As a temporary workaround, consider restricting SVG file uploads until a patch is available. Avoid using the FormCraft plugin for WordPress with unauthenticated access to SVG files until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Welcart e-Commerce plugin for WordPress versions up to, and including, 2.11.9 **Description** The issue is related to Stored Cross-Site Scripting via the `name` parameter due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 2.11.9, update to a version later than 2.11.9 to resolve the issue. As a temporary workaround, consider restricting access to the `name` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** DSGVO All in one for WP plugin for WordPress versions up to, and including, 4.6 **Description** The issue is due to missing or incorrect nonce validation in the user remove form.php file, making it possible for unauthenticated attackers to delete admin user accounts via a forged request. This can happen if an attacker can trick a site administrator into performing an action such as clicking on a link. **Recommendations** For versions up to, and including, 4.6, consider disabling the user remove form.php file or restricting access to it until a patch is available. As a temporary workaround, restrict the ability to delete admin user accounts to minimize the risk of exploitation. Avoid using the DSGVO All in one for WP plugin for WordPress until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings plugin for WordPress versions up to, and including, 8.0.12 **Description** The issue allows unauthenticated attackers to extract sensitive data, including usernames, email addresses, names, and more information about users, via the "/wp-json/directorist/v1/users/" endpoint. **Recommendations** For versions up to, and including, 8.0.12, update to a version higher than 8.0.12 to resolve the issue. As a temporary workaround, consider restricting access to the "/wp-json/directorist/v1/users/" endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** AI Power: Complete AI Pack plugin for WordPress versions up to, and including, 1.8.96 **Description** The issue allows authenticated attackers with subscriber-level access and above to make web requests to arbitrary locations originating from the web application. This can be used to query and modify information from internal services through the `wpaicg troubleshoot add vector()` function. **Recommendations** For versions up to, and including, 1.8.96, consider disabling the `wpaicg troubleshoot add vector()` function as a temporary workaround until a patch is available. Restrict access to the vulnerable component to minimize the risk of exploitation. Update to a version higher than 1.8.96 when available.

**Name of the Vulnerable Software and Affected Versions** WP Travel – Ultimate Travel Booking System, Tour Management Engine plugin for WordPress versions prior to 10.0.1 **Description** The issue is related to SQL Injection via the `booking itinerary` parameter of the `wptravel get booking data` function. This is due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. Authenticated attackers with Subscriber-level access and above can append additional SQL queries into already existing queries to extract sensitive information from the database. **Recommendations** For versions up to and including 10.0.0, update to a version later than 10.0.0 to resolve the issue. As a temporary workaround, consider restricting access to the `wptravel get booking data` function until a patch is available. Avoid using the `booking itinerary` parameter in the affected function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** School Management System – WPSchoolPress versions up to 2.2.14 **Description** The issue is related to SQL Injection via the `cid` parameter due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Student/Parent-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. **Recommendations** For versions up to 2.2.14, update to a version higher than 2.2.14 to resolve the issue. As a temporary workaround, consider restricting access to the `cid` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Photo Gallery Slideshow & Masonry Tiled Gallery plugin for WordPress versions up to, and including, 1.0.15 **Description** The issue allows authenticated attackers with Subscriber-level access and above to make web requests to arbitrary locations originating from the web application. This can be used to retrieve limited information from internal services. The vulnerability is exploited via the `rjg get youtube info justified gallery callback` function. **Recommendations** For versions up to, and including, 1.0.15, consider disabling the `rjg get youtube info justified gallery callback` function as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BookingPress plugin for WordPress versions up to, and including, 1.1.21 **Description** The issue is related to SQL Injection via the `category` parameter of the 'bookingpress form' shortcode. This is due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. Authenticated attackers with Contributor-level access and above can append additional SQL queries into already existing queries to extract sensitive information from the database. **Recommendations** For versions up to, and including, 1.1.21, consider disabling the `bookingpress form` shortcode until a patch is available. Restrict access to the `category` parameter to minimize the risk of exploitation. Avoid using the `category` parameter in the affected shortcode until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** eCommerce Product Catalog Plugin for WordPress versions up to, and including, 3.3.43 **Description** The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the `customer panel password reset` function. This allows unauthenticated attackers to reset the password of any administrator or customer account via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. **Recommendations** For versions up to, and including, 3.3.43, update to a version that includes the fix for the nonce validation issue in the `customer panel password reset` function to prevent unauthorized password resets. As a temporary workaround, consider restricting access to the `customer panel password reset` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress versions up to, and including, 4.16.4 **Description** The issue is related to Stored Cross-Site Scripting via the profile picture upload functionality due to insufficient file type validation. This allows authenticated attackers with subscriber-level access and above to upload HTML files with arbitrary web scripts that will execute whenever a user accesses the file. **Recommendations** For versions up to, and including, 4.16.4, update to a version that includes sufficient file type validation to prevent the upload of malicious HTML files. As a temporary workaround, consider restricting access to the profile picture upload functionality to prevent exploitation. Additionally, restrict the execution of arbitrary web scripts in uploaded files to minimize the risk of Stored Cross-Site Scripting attacks.

**Name of the Vulnerable Software and Affected Versions** Sign In With Google plugin for WordPress versions up to, and including, 1.8.0 **Description** The issue is due to the `authenticate user` function not implementing sufficient null value checks when setting the access token and user information. This allows unauthenticated attackers to log in as the first user who has signed in using Google OAuth, potentially the site administrator. **Recommendations** For versions up to, and including, 1.8.0, update to a version that fixes the authentication bypass issue. As a temporary workaround, consider disabling the `authenticate user` function until a patch is available. Restrict access to the Google OAuth sign-in feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress versions up to, and including, 3.6.4 **Description** The issue concerns a SQL Injection vulnerability via the `visit type[service id]` parameter of the "tax calculated data" AJAX action. This vulnerability is due to insufficient escaping on the user-supplied parameter and a lack of sufficient preparation on the existing SQL query. It allows unauthenticated attackers to append additional SQL queries into already existing queries, which can be used to extract sensitive information from the database. **Recommendations** For versions up to, and including, 3.6.4, update to a version higher than 3.6.4 to resolve the issue. As a temporary workaround, consider restricting access to the `tax calculated data` AJAX action to minimize the risk of exploitation. Avoid using the `visit type[service id]` parameter in the affected AJAX endpoint until the issue is resolved.