Krzysztof Zając

**Name of the Vulnerable Software and Affected Versions** ARForms versions up to and including 1.7.2 **Description** The ARForms plugin for WordPress is susceptible to arbitrary shortcode execution. The software does not properly validate input before running the `do shortcode` function, allowing unauthenticated attackers to execute arbitrary shortcodes. **Recommendations** Update ARForms to a version later than 1.7.2.

Name of the Vulnerable Software and Affected Versions: The Travelpayouts: All Travel Brands in One Place WordPress plugin versions prior to 1.1.14 Description: The issue is related to a Reflected Cross-Site Scripting problem. It occurs because a parameter is not properly sanitised and escaped before being outputted back in the page. This could be exploited against high-privilege users, such as administrators. Recommendations: For versions prior to 1.1.14, update to version 1.1.14 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Advanced Schedule Posts WordPress plugin versions 2.1.8 and earlier Description: The issue is related to a Reflected Cross-Site Scripting problem. It occurs because a parameter is not properly sanitised and escaped before being outputted back in the page. This could be exploited against high-privilege users, such as administrators. Recommendations: For Advanced Schedule Posts WordPress plugin versions 2.1.8 and earlier, update to a version that properly sanitises and escapes parameters to prevent Reflected Cross-Site Scripting. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Demo Awesome plugin for WordPress versions prior to 1.0.4 **Description** The issue is related to a missing capability check on the `install plugin` function, allowing authenticated attackers with Subscriber-level access and above to install and activate arbitrary plugins. **Recommendations** For versions prior to 1.0.4, update to version 1.0.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the `install plugin` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Smart Maintenance Mode plugin for WordPress versions up to, and including, 1.5.2 **Description** The issue is related to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts in pages. This can be achieved by tricking a user into performing an action, such as clicking on a link, via the `setstatus` parameter. **Recommendations** For versions up to, and including, 1.5.2, consider disabling the `setstatus` parameter until a patch is available to prevent exploitation. Restrict access to the Smart Maintenance Mode plugin to minimize the risk of exploitation. Avoid using the `setstatus` parameter in affected pages until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** teachPress plugin for WordPress versions up to, and including, 9.0.9 **Description** The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the "import.php" page. This allows unauthenticated attackers to delete imports via a forged request if they can trick a site administrator into performing a specific action, such as clicking on a link. **Recommendations** For versions up to, and including, 9.0.9, update to a version that includes the fix for the missing or incorrect nonce validation on the import.php page. As a temporary workaround, consider restricting access to the import.php page to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: WP Crowdfunding plugin for WordPress versions up to, and including, 2.1.13 Description: The issue is related to a missing capability check on the `download data` action. This allows authenticated attackers with subscriber-level access and above to download all of a site's post content when WooCommerce is installed. Recommendations: For WP Crowdfunding plugin for WordPress versions up to, and including, 2.1.13, update to a version higher than 2.1.13 to resolve the issue. As a temporary workaround, consider restricting access to the `download data` action to prevent unauthorized data access.

**Name of the Vulnerable Software and Affected Versions** Post Lockdown plugin for WordPress versions prior to 4.1 **Description** The issue allows authenticated attackers with Subscriber-level access and above to extract data from password-protected, private, or draft posts they should not have access to, due to insufficient restrictions on which posts can be included via the 'pl autocomplete' AJAX action. **Recommendations** For Post Lockdown plugin for WordPress versions prior to 4.1, update to version 4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the 'pl autocomplete' AJAX action to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WP-Recall – Registration, Profile, Commerce & More plugin for WordPress versions up to, and including, 16.26.10 **Description** The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's 'public-form' shortcode, allowing authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages. These scripts will execute whenever a user accesses an injected page. **Recommendations** For WP-Recall – Registration, Profile, Commerce & More plugin for WordPress versions up to, and including, 16.26.10, consider disabling the 'public-form' shortcode until a patch is available to prevent exploitation. Restrict access to pages that utilize this shortcode to minimize the risk of arbitrary web script injection.

**Name of the Vulnerable Software and Affected Versions** WP-Recall – Registration, Profile, Commerce & More plugin for WordPress versions up to, and including, 16.26.10 **Description** The issue allows unauthenticated attackers to view data from password-protected, private, or draft posts due to insufficient restrictions on which posts can be included via the 'feed' shortcode. **Recommendations** For WP-Recall – Registration, Profile, Commerce & More plugin for WordPress versions up to, and including, 16.26.10, consider disabling the `feed` shortcode until a patch is available to prevent information exposure.

**Name of the Vulnerable Software and Affected Versions** WP-Recall – Registration, Profile, Commerce & More plugin for WordPress versions up to, and including, 16.26.10 **Description** The issue is related to SQL Injection via the `databeat` parameter due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This allows unauthenticated attackers to append additional SQL queries into already existing queries, which can be used to extract sensitive information from the database. **Recommendations** For WP-Recall – Registration, Profile, Commerce & More plugin for WordPress versions up to, and including, 16.26.10: As a temporary workaround, consider restricting access to the `databeat` parameter to minimize the risk of exploitation. Avoid using the `databeat` parameter in affected queries until the issue is resolved. Update to a version later than 16.26.10 once available.

**Name of the Vulnerable Software and Affected Versions** WP-Recall – Registration, Profile, Commerce & More plugin for WordPress versions up to, and including, 16.26.10 **Description** The issue is related to arbitrary shortcode execution due to a missing capability check on the "rcl preview post" AJAX endpoint. This allows authenticated attackers with Subscriber-level access and above to execute arbitrary shortcodes. **Recommendations** For WP-Recall – Registration, Profile, Commerce & More plugin for WordPress versions up to, and including, 16.26.10, consider disabling access to the "rcl preview post" AJAX endpoint until a patch is available. Restricting the execution of arbitrary shortcodes can also help minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Shortcode Cleaner Lite plugin for WordPress versions prior to 1.0.10 **Description** The issue allows unauthorized access to data due to a missing capability check on the `download backup()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export arbitrary options. **Recommendations** For versions up to and including 1.0.9, update to a version later than 1.0.9 to resolve the issue. As a temporary workaround, consider restricting access to the `download backup()` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Spreadsheet Integration plugin for WordPress versions up to and including 3.8.2 **Description** The issue is related to Cross-Site Request Forgery due to improper nonce validation within the class-wpgsi-show.php script. This allows unauthenticated attackers to publish arbitrary posts, including private ones, by tricking a site administrator into performing a specific action, such as clicking on a link. **Recommendations** For versions up to and including 3.8.2, update to a version that includes proper nonce validation to prevent Cross-Site Request Forgery attacks. As a temporary workaround, consider restricting access to the class-wpgsi-show.php script to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Master Slider – Responsive Touch Slider plugin for WordPress versions up to, and including, 3.10.6 **Description** The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's `ms layer` shortcode, allowing authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages. These scripts will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 3.10.6, update to a version that addresses the insufficient input sanitization and output escaping issue in the `ms layer` shortcode.

**Name of the Vulnerable Software and Affected Versions** teachPress plugin for WordPress versions up to, and including, 9.0.7 **Description** The issue allows authenticated attackers with Contributor-level access and above to perform SQL Injection via the `order` parameter of the "tpsearch" shortcode. This is due to insufficient escaping on the user-supplied `order` parameter and lack of sufficient preparation on the existing SQL query, making it possible to extract sensitive information from the database. **Recommendations** For versions up to, and including, 9.0.7, update to a version that includes a fix for this issue to prevent SQL Injection attacks. As a temporary workaround, consider restricting access to the "tpsearch" shortcode for users with Contributor-level access and above until a patch is available. Avoid using the `order` parameter in the "tpsearch" shortcode until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** IP2Location Redirection plugin for WordPress versions up to, and including, 1.33.3 **Description** The issue allows unauthorized access to data due to a missing capability check on the 'download ip2location redirection backup' AJAX action. This makes it possible for unauthenticated attackers to download the plugin's settings. **Recommendations** For IP2Location Redirection plugin for WordPress versions up to, and including, 1.33.3, update to a version higher than 1.33.3 to resolve the issue. As a temporary workaround, consider restricting access to the 'download ip2location redirection backup' AJAX action to prevent unauthorized data access.

**Name of the Vulnerable Software and Affected Versions** TemplatesNext ToolKit plugin for WordPress versions up to, and including, 3.2.9 **Description** The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the `tx woo wishlist table` shortcode. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages, which will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 3.2.9, update to a version that addresses the insufficient input sanitization and output escaping issue in the `tx woo wishlist table` shortcode. As a temporary workaround, consider restricting access to the `tx woo wishlist table` shortcode to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** Secure Copy Content Protection and Content Locking plugin for WordPress versions prior to 4.4.8 **Description** The issue allows unauthorized access to data due to a missing capability check on the `ays sccp reports user search()` function. This makes it possible for unauthenticated attackers to retrieve a list of registered user emails. **Recommendations** For Secure Copy Content Protection and Content Locking plugin for WordPress versions prior to 4.4.8, update to version 4.4.8 or later to resolve the issue. As a temporary workaround, consider disabling the `ays sccp reports user search()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** WP Posts Carousel plugin for WordPress versions up to and including 1.3.7 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages via the `auto play timeout` parameter. The injected scripts will execute whenever a user accesses an injected page. **Recommendations** For WP Posts Carousel plugin for WordPress versions up to and including 1.3.7, update to a version that addresses the insufficient input sanitization and output escaping issue. As a temporary workaround, consider restricting access to the `auto play timeout` parameter to prevent exploitation.