Kr0D

**Name of the Vulnerable Software and Affected Versions** Internal Linking for SEO traffic & Ranking – Auto internal links plugin for WordPress versions up to 1.2.1 **Description** The issue is related to a time-based SQL Injection vulnerability via the `post id` parameter. This vulnerability is caused by insufficient escaping on the user-supplied parameter and a lack of sufficient preparation on the existing SQL query. As a result, authenticated attackers with Administrator-level access and above can append additional SQL queries to existing queries, potentially extracting sensitive information from the database. **Recommendations** For versions up to 1.2.1, update to a version higher than 1.2.1 to resolve the issue. As a temporary workaround, consider restricting access to the `post id` parameter to minimize the risk of exploitation. At the moment, there is no information about additional mitigation measures.

**Name of the Vulnerable Software and Affected Versions** The Wishlist for WooCommerce: Multi Wishlists Per Customer PRO plugin for WordPress versions 3.0.8 through 3.1.2 **Description** The issue is related to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping via the `wtab` parameter. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The vulnerability affects WordPress installations with versions of PHP <=7.4. **Recommendations** For versions 3.0.8 through 3.1.2, consider disabling the `wtab` parameter until a patch is available to prevent exploitation. Restrict access to the affected plugin to minimize the risk of exploitation. Avoid using the `wtab` parameter in affected pages until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Blogger 301 Redirect plugin for WordPress versions up to, and including, 2.5.3 **Description** The issue is a blind time-based SQL Injection vulnerability via the `br` parameter. This vulnerability is due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query, making it possible for unauthenticated attackers to append additional SQL queries into already existing queries. This can be used to extract sensitive information from the database. **Recommendations** For versions up to, and including, 2.5.3, update to a version that includes a fix for this issue to prevent exploitation. As a temporary workaround, consider restricting access to the `br` parameter to minimize the risk of exploitation.