Kishore Hariram

**Name of the Vulnerable Software and Affected Versions** Slickr Flickr WordPress plugin versions through 2.8.1 **Description** The issue allows high privilege users, such as admins, to perform cross-Site Scripting attacks due to the lack of sanitization and escaping of its settings. This can occur even when the unfiltered html capability is disallowed. **Recommendations** For Slickr Flickr WordPress plugin versions through 2.8.1, update to a version that properly sanitizes and escapes its settings to prevent cross-Site Scripting attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP Admin Style WordPress plugin versions through 0.1.2 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks when the unfiltered html capability is disallowed, due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For WP Admin Style WordPress plugin versions through 0.1.2, update to a version that properly sanitizes and escapes its settings to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting the `unfiltered html` capability to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Cisco Orbital (affected versions not specified) **Description** A vulnerability in the web-based management interface could allow an unauthenticated, remote attacker to redirect users to a malicious webpage due to improper validation of URL paths. An attacker could exploit this by persuading a user to click a crafted URL, potentially redirecting the user to a malicious website. This issue is known as an open redirect attack and is used in phishing attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Steam Group Viewer WordPress plugin versions 2.1 and earlier **Description** The issue is related to an authenticated Stored Cross-Site Scripting problem. It occurs because the `Steam Group Address` settings are not properly sanitised or escaped before being outputted on the page. **Recommendations** For Steam Group Viewer WordPress plugin versions 2.1 and earlier, update to a version that properly sanitises the `Steam Group Address` settings to prevent Cross-Site Scripting. As a temporary workaround, consider restricting access to the settings page to minimise the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Easy Preloader WordPress plugin versions 1.0.0 and earlier **Description** The issue is related to the lack of sanitization in the setting fields of the plugin, leading to authenticated Stored Cross-Site scripting issues. This can be exploited by administrators or higher-privileged users. **Recommendations** For Easy Preloader WordPress plugin versions 1.0.0 and earlier, consider disabling the plugin until a patch is available to prevent potential exploitation. Restrict access to the plugin's setting fields to minimize the risk of stored cross-site scripting issues. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** iFlyChat WordPress plugin versions prior to 4.7.0 **Description** The issue is related to an authenticated Stored Cross-Site Scripting problem. It occurs because the APP ID setting is not properly sanitized before being outputted back in the page. This allows for malicious scripts to be stored and executed. **Recommendations** For versions prior to 4.7.0, update to version 4.7.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the APP ID setting to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Hotjar Connecticator WordPress plugin versions through 1.1.1 **Description** The issue concerns Stored Cross-Site Scripting (XSS) in the `hotjar script` textarea. This could be exploited by administrator users, as the request includes a CSRF nonce that is properly verified by the server. **Recommendations** For Hotjar Connecticator WordPress plugin versions through 1.1.1, consider disabling the `hotjar script` textarea until a patch is available to prevent potential exploitation.

**Name of the Vulnerable Software and Affected Versions** Hana Flv Player WordPress plugin versions prior to 3.1.4 **Description** The issue concerns an Authenticated Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability is located within the 'Default Skin' field. **Recommendations** For Hana Flv Player WordPress plugin versions prior to 3.1.4, update to version 3.1.4 or later to resolve the issue.