Krugov Aryom

Name of the Vulnerable Software and Affected Versions: Structured Content (JSON-LD) #wpsc WordPress plugin versions prior to 1.7.0 Description: The Structured Content (JSON-LD) #wpsc WordPress plugin does not validate and escape certain block options before displaying them within a page or post, potentially allowing users with contributor-level access or higher to execute Stored Cross-Site Scripting attacks. Recommendations: Update to Structured Content (JSON-LD) #wpsc WordPress plugin version 1.7.0 or later.

**Name of the Vulnerable Software and Affected Versions** Sticky Social Icons WordPress plugin versions 1.2.1 and earlier **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in a multisite setup. This is due to the plugin not properly sanitizing and escaping some of its settings. **Recommendations** For Sticky Social Icons WordPress plugin versions 1.2.1 and earlier, update to a version that properly sanitizes and escapes its settings to prevent Stored Cross-Site Scripting attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SportsPress WordPress plugin versions prior to 2.7.22 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example in multisite setups. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 2.7.22, update to version 2.7.22 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high privilege users to access and modify the plugin's settings until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Responsive Tabs WordPress plugin versions 4.0.8 and earlier **Description** The issue allows high privilege users, such as Contributors and above, to perform Stored Cross-Site Scripting attacks due to the plugin not sanitizing and escaping some of its Tab settings. **Recommendations** For Responsive Tabs WordPress plugin versions 4.0.8 and earlier, update to a version that addresses the sanitization and escaping of Tab settings to prevent Stored Cross-Site Scripting attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Giveaways and Contests by RafflePress WordPress plugin versions prior to 1.12.14 **Description** The issue concerns a lack of sanitization and escaping of certain parameters, potentially allowing users with a role as low as editor to perform Cross-Site Scripting attacks. **Recommendations** For versions prior to 1.12.14, update to version 1.12.14 or later to resolve the issue. As a temporary workaround, consider restricting the role of editors to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Secure Copy Content Protection and Content Locking WordPress plugin versions prior to 4.0.9 Description: The issue allows high privilege users, such as admin, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example in multisite setups. This is due to the plugin not sanitizing and escaping some of its settings. Recommendations: For versions prior to 4.0.9, update to version 4.0.9 or later to resolve the issue. As a temporary workaround, consider restricting the use of the plugin's settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Ditty WordPress plugin versions prior to 3.1.36 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in multisite setups. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 3.1.36, update to version 3.1.36 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high-privilege users to access and modify the plugin's settings until the update is applied.