Krugov Artyom

**Name of the Vulnerable Software and Affected Versions** Ajax Load More WordPress plugin versions prior to 7.8.4 **Description** The plugin fails to properly sanitize and escape a parameter before outputting it back to the page. This leads to Reflected Cross-Site Scripting (XSS), a flaw where malicious scripts are reflected off a web application to the user's browser, which could be leveraged against high-privilege users such as administrators. **Recommendations** Update to version 7.8.4 or later.

**Name of the Vulnerable Software and Affected Versions** WP Lightbox 2 WordPress plugin versions prior to 3.0.7 **Description** The WP Lightbox 2 WordPress plugin does not properly sanitise and escape certain settings. This could allow users with high privileges, such as administrators, to carry out Stored Cross-Site Scripting (XSS) attacks. This is possible even when the `unfiltered html` capability is disabled, for example, in a multisite configuration. The issue involves insufficient input validation, potentially allowing malicious scripts to be injected and executed within the application. **Recommendations** Update WP Lightbox 2 WordPress plugin to version 3.0.7 or later.

**Name of the Vulnerable Software and Affected Versions** Reading progressbar WordPress plugin versions prior to 1.3.1 **Description** The Reading progressbar WordPress plugin does not properly sanitise and escape certain settings. This could allow users with high privileges, such as administrators, to carry out Stored Cross-Site Scripting (XSS) attacks. This is possible even when the `unfiltered html` capability is disabled, for example, in a multisite setup. Stored XSS occurs when malicious scripts are persistently stored on the target server, allowing them to be delivered to other users who access the affected content. **Recommendations** Update the Reading progressbar WordPress plugin to version 1.3.1 or later.

**Name of the Vulnerable Software and Affected Versions** Simple SEO WordPress plugin versions prior to 2.0.32 **Description** The software does not properly sanitize and escape parameters when outputting them on the page. This could allow users with a contributor role or higher to perform Cross-Site Scripting attacks. **Recommendations** Update to version 2.0.32 or later.

Name of the Vulnerable Software and Affected Versions: AI ChatBot for WordPress plugin versions prior to 7.1.0 Description: The AI ChatBot for WordPress plugin does not sanitise and escape some of its settings. This could allow high-privilege users, such as administrators, to perform Stored Cross-Site Scripting (XSS) attacks, even when the `unfiltered html` capability is disallowed, for example, in a multisite setup. Recommendations: Update to version 7.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** OpenStreetMap for Gutenberg and WPBakery Page Builder (formerly Visual Composer) versions through 1.2.0 **Description** The plugin does not validate and escape certain block options before displaying them on a page or post, potentially allowing users with contributor roles and above to execute Stored Cross-Site Scripting attacks. **Recommendations** Update OpenStreetMap for Gutenberg and WPBakery Page Builder (formerly Visual Composer) to a version later than 1.2.0.

Name of the Vulnerable Software and Affected Versions: Contact Form Plugin WordPress plugin versions prior to 1.1.29 Description: The issue concerns the Contact Form Plugin WordPress plugin, where some settings are not properly sanitized and escaped, potentially allowing high-privilege users, such as contributors, to perform Stored Cross-Site Scripting attacks. Recommendations: For versions prior to 1.1.29, update to version 1.1.29 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: WP Map Block versions prior to 2.0.3 Description: The issue concerns the WP Map Block WordPress plugin, which does not validate and escape some of its block options before outputting them back in a page or post where the block is embedded. This could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Recommendations: For WP Map Block versions prior to 2.0.3, update to version 2.0.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of the WP Map Block plugin until a patch is applied, especially for users with the contributor role and above.

**Name of the Vulnerable Software and Affected Versions** Post Slider and Post Carousel with Post Vertical Scrolling Widget versions prior to 3.2.10 **Description** The issue concerns the WordPress plugin Post Slider and Post Carousel with Post Vertical Scrolling Widget, where certain widget options are not properly validated and escaped before being displayed on a page or post. This could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. **Recommendations** For versions prior to 3.2.10, update to version 3.2.10 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** The Real Cookie Banner: GDPR & ePrivacy Cookie Consent WordPress plugin versions prior to 5.1.6 real-cookie-banner-pro WordPress plugin versions prior to 5.1.6 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This is possible because some settings are not properly sanitised and escaped, and this vulnerability can be exploited even when the unfiltered html capability is disallowed, for example in a multisite setup. **Recommendations** For The Real Cookie Banner: GDPR & ePrivacy Cookie Consent WordPress plugin versions prior to 5.1.6, update to version 5.1.6 or later. For real-cookie-banner-pro WordPress plugin versions prior to 5.1.6, update to version 5.1.6 or later.

**Name of the Vulnerable Software and Affected Versions** The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin versions prior to 8.4.0 **Description** The issue concerns the failure to escape post titles in the dashboard, potentially allowing users with the contributor role to perform Cross-Site Scripting attacks. **Recommendations** For versions prior to 8.4.0, update to version 8.4.0 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Stylemix Cost Calculator Builder versions 3.2.74 and earlier Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Stored XSS. This means that an attacker can inject malicious scripts into the website, potentially affecting users who access the compromised page. Recommendations: For Stylemix Cost Calculator Builder versions 3.2.74 and earlier, update to a version later than 3.2.74 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Qi Blocks WordPress plugin versions prior to 1.4 Description: The issue concerns a Stored Cross-Site Scripting attack. It is caused by the Qi Blocks WordPress plugin not validating and escaping some of its Countdown block options before outputting them back in a page or post where the block is embedded. This could allow users with the contributor role and above to perform such attacks. Recommendations: For Qi Blocks WordPress plugin versions prior to 1.4, update to version 1.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the Countdown block options to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Qi Blocks WordPress plugin versions prior to 1.4 Description: The issue concerns a Stored Cross-Site Scripting attack. It is caused by the plugin not validating and escaping some of its Counter block options before outputting them back in a page or post where the block is embedded. This could allow users with the contributor role and above to perform such attacks. Recommendations: For versions prior to 1.4, update to version 1.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the Counter block options to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Qi Blocks WordPress plugin versions prior to 1.4 Description: The issue concerns the Qi Blocks WordPress plugin, which does not properly validate and escape some of its block options before outputting them in a page or post. This could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Recommendations: For Qi Blocks WordPress plugin versions prior to 1.4, update to version 1.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the vulnerable block options to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Mobile Contact Bar WordPress plugin versions prior to 3.0.5 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This is possible because some settings are not properly sanitised and escaped, and this vulnerability can be exploited even when the unfiltered html capability is disallowed, such as in a multisite setup. Recommendations: For versions prior to 3.0.5, update to version 3.0.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** The Advanced Cron Manager WordPress plugin versions prior to 2.5.7 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in a multisite setup. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 2.5.7, update to version 2.5.7 or later to resolve the issue. As a temporary workaround, consider restricting the use of the vulnerable settings to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: The Responsive Gallery Grid WordPress plugin versions prior to 2.3.15 Description: The issue concerns the lack of sanitization and escaping of some settings in the plugin, which could allow high-privilege users, such as admins, to perform Cross-Site Scripting attacks. This is possible even when the unfiltered html capability is disallowed. Recommendations: For versions prior to 2.3.15, update to version 2.3.15 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** HD Quiz WordPress plugin version prior to 2.0.0 **Description** The issue concerns the HD Quiz WordPress plugin, where versions prior to 2.0.0 do not properly sanitise and escape some of its settings. This could allow high privilege users, such as administrators, to perform Stored Cross-Site Scripting attacks. This is possible even when the `unfiltered html` capability is disallowed, for example, in a multisite setup. **Recommendations** For versions prior to 2.0.0, update to version 2.0.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the plugin's settings to minimize the risk of exploitation. Avoid using the plugin in multisite setups where the `unfiltered html` capability is disallowed until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: The Simple Basic Contact Form WordPress plugin versions prior to 20250114 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This can occur even when the unfiltered html capability is disallowed, for example, in a multisite setup. Recommendations: For versions prior to 20250114, update to version 20250114 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high privilege users to modify plugin settings until the update is applied.