Kinorth

**Name of the Vulnerable Software and Affected Versions** Code Supply Co. Blueprint versions prior to 1.1.5 **Description** An improper control of filename for include/require statement in PHP program allows for Local File Inclusion. This occurs when the application fails to properly validate the file path used in PHP include or require functions, potentially allowing an attacker to include files from the local file system. **Recommendations** Update to version 1.1.5.

**Name of the Vulnerable Software and Affected Versions** WaveRide versions prior to 1.5 **Description** Improper Control of Filename for Include/Require Statement in PHP Program allows Local File Inclusion. This occurs when the application fails to properly validate the filename used in PHP include or require statements, potentially allowing an attacker to include files from the local file system. **Recommendations** Update to a version later than 1.4.

**Name of the Vulnerable Software and Affected Versions** The Plus Addons for Elementor versions prior to 6.4.16 **Description** The plugin is subject to Stored Cross-Site Scripting, a flaw where malicious scripts are permanently stored on the target server. The issue exists in the Carousel Anything widget due to insufficient output escaping within the `render()` function. Specifically, the `carousel direction` parameter is placed into an unquoted HTML attribute (`dir=`), which allows attribute injection even when `esc attr()` is used. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages that execute when accessed by other users. **Recommendations** Update to a version later than 6.4.15. As a temporary workaround, restrict access to the Carousel Anything widget or avoid using the `carousel direction` parameter until the update is applied.

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SeedProd LLC SeedProd Pro allows PHP Local File Inclusion. This issue affects SeedProd Pro: from n/a before 6.19.5.

**Name of the Vulnerable Software and Affected Versions** Nyla versions n/a through 1.7 **Description** Improper neutralization of script-related HTML tags in a web page leads to a basic Cross-Site Scripting (XSS) issue, which allows code injection. Cross-Site Scripting is a flaw where an application includes untrusted data in a web page without proper validation or escaping, enabling attackers to execute malicious scripts in the victim's browser. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Magentech SW Core versions prior to 1.7.18 **Description** Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion) allows for PHP Local File Inclusion. This occurs when the application fails to properly validate the filename used in include or require statements, potentially allowing an attacker to include files from the local system. **Recommendations** Update to version 1.7.18 or later.

**Name of the Vulnerable Software and Affected Versions** Mayosis Core versions prior to 5.4.7 **Description** Missing Authorization in TeconceTheme Mayosis Core allows for the exploitation of incorrectly configured access control security levels. **Recommendations** Update to a version later than 5.4.7.

**Name of the Vulnerable Software and Affected Versions** CodexThemes TheGem Theme Elements (for Elementor) versions prior to 5.12.1.1 **Description** Improper neutralization of input during web page generation allows for DOM-Based Cross-Site Scripting (XSS), a flaw where an application contains client-side JavaScript that processes data from an untrusted source in an unsafe way, typically updating the Document Object Model (DOM). **Recommendations** Update to version 5.12.1.1.

**Name of the Vulnerable Software and Affected Versions** QantumThemes Kentha versions through 4.7.2 **Description** A Reflected Cross-site Scripting (XSS) issue exists in QantumThemes Kentha due to improper neutralization of input during web page generation. This allows an attacker to inject malicious scripts into web pages viewed by other users. The vulnerability occurs when processing user-supplied input without sufficient validation or encoding. The vulnerable component is susceptible to attacks where an attacker can craft a malicious URL containing a script that will be executed in the context of the victim's browser. The affected parameter is not specified. **Recommendations** Update QantumThemes Kentha to a version later than 4.7.2.

**Name of the Vulnerable Software and Affected Versions** ThemetechMount Boldman versions through 7.7 **Description** The software contains a flaw related to improper control of filename handling for include/require statements, specifically a PHP Remote File Inclusion issue. This allows for PHP Local File Inclusion. The vulnerability exists due to insufficient sanitization of filenames used in include/require operations, potentially allowing an attacker to include arbitrary files. **Recommendations** Update ThemetechMount Boldman to a version newer than 7.7.

**Name of the Vulnerable Software and Affected Versions** Creatives Planet Greenly Theme Addons versions prior to 8.2 **Description** A flaw exists in Creatives Planet Greenly Theme Addons that allows for PHP Local File Inclusion due to improper control of filename handling for include/require statements. This issue is related to a 'PHP Remote File Inclusion' type of vulnerability. **Recommendations** Update Creatives Planet Greenly Theme Addons to version 8.2 or later.

**Name of the Vulnerable Software and Affected Versions** Medilazar Core versions prior to 1.4.7 **Description** The software contains a flaw related to improper control of filename handling for include/require statements, specifically a PHP Local File Inclusion issue. This allows for the inclusion of local files. The affected component is `medilazar-core`. **Recommendations** Update Medilazar Core to version 1.4.7 or later.

**Name of the Vulnerable Software and Affected Versions** RadiusTheme Medilink-Core versions prior to 2.0.7 **Description** The software contains a flaw related to improper control of filename for include/require statements, specifically a PHP Local File Inclusion issue. This impacts the Medilink-Core component. **Recommendations** Update to a version newer than 2.0.7.

**Name of the Vulnerable Software and Affected Versions** redqteam Turbo Manager versions prior to 4.0.8 **Description** The software contains a flaw related to improper control of filename handling for include/require statements, specifically a PHP Remote File Inclusion issue. This allows for PHP Local File Inclusion. **Recommendations** Update redqteam Turbo Manager to version 4.0.8 or later.

**Name of the Vulnerable Software and Affected Versions** Creatives Planet Greenly versions n/a through 8.1 **Description** A flaw exists in Creatives Planet Greenly due to improper control of filename handling for include/require statements in a PHP program, leading to a PHP Local File Inclusion issue. The vulnerability allows for the inclusion of local PHP files. The issue is referred to as a 'PHP Remote File Inclusion' in some reports. **Recommendations** Versions prior to 8.1 should be updated.

**Name of the Vulnerable Software and Affected Versions** ThemeGoods Musico versions through 3.2.4 **Description** The software contains a flaw related to improper input handling during web page generation, specifically a Reflected Cross-site Scripting issue. This allows for the execution of malicious scripts through crafted input. **Recommendations** Update ThemeGoods Musico to a version later than 3.2.4.

**Name of the Vulnerable Software and Affected Versions** fox-themes Awa Plugins versions through 1.4.4 **Description** The software contains a flaw related to improper input handling during web page generation, leading to a Reflected Cross-site Scripting (XSS) condition. This allows for the injection of malicious scripts into web pages. The vulnerability exists in the `awa-plugins` component. The issue allows attackers to execute arbitrary JavaScript code in the context of a user's browser. The vulnerable component does not properly sanitize user-supplied input before including it in the generated web page, which enables the injection of malicious scripts. **Recommendations** Update fox-themes Awa Plugins to a version later than 1.4.4.

**Name of the Vulnerable Software and Affected Versions** BoldThemes Celeste versions through 1.3.6 **Description** A flaw exists in BoldThemes Celeste that allows for object injection due to deserialization of untrusted data. This issue could potentially allow an attacker to compromise the system. **Recommendations** Update BoldThemes Celeste to a version later than 1.3.6.

**Name of the Vulnerable Software and Affected Versions** ThemeGoods Grand News versions through 3.4.3 **Description** The software contains a flaw related to improper input handling during web page creation, specifically a Reflected Cross-site Scripting issue. This allows for the injection of malicious scripts into web pages. The vulnerability affects the `grandnews` component. **Recommendations** Update ThemeGoods Grand News to a version later than 3.4.3.

**Name of the Vulnerable Software and Affected Versions** Starto versions through 2.1.9 **Description** The software contains a flaw related to improper input handling during web page generation, specifically a Reflected Cross-site Scripting (XSS) issue. This allows for the injection of malicious scripts into web pages. The affected component is not specified. **Recommendations** Update Starto to a version later than 2.1.9.