Lauritz Holme

**Name of the Vulnerable Software and Affected Versions** The Events Calendar plugin for WordPress versions 6.15.1.1 through 6.15.9 **Description** The Events Calendar plugin for WordPress is susceptible to a blind SQL injection issue. This is due to inadequate escaping of user-provided input and insufficient preparation of existing SQL queries. An unauthenticated attacker can exploit this by appending additional SQL queries, potentially extracting sensitive information from the database via the `s` parameter. **Recommendations** Update The Events Calendar plugin to a version later than 6.15.9.

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.0 through 7.4.3.132 Liferay DXP versions 2024.Q1.1 through 2024.Q1.20 Liferay DXP versions 2024.Q2.0 through 2024.Q2.13 Liferay DXP versions 2024.Q3.0 through 2024.Q3.13 Liferay DXP versions 2024.Q4.0 through 2024.Q4.7 Liferay DXP versions 2025.Q1.0 through 2025.Q1.17 Liferay DXP versions 2025.Q2.0 through 2025.Q2.12 Liferay DXP version 2025.Q3.0 Description: A stored cross-site scripting issue exists that allows a remote authenticated attacker to inject JavaScript through the organization site names. The malicious payload is stored and executed without proper sanitization or escaping. Recommendations: Liferay Portal versions prior to 7.4.3.132 Liferay DXP versions prior to 2024.Q1.1 Liferay DXP versions prior to 2024.Q2.0 Liferay DXP versions prior to 2024.Q3.0 Liferay DXP versions prior to 2024.Q4.0 Liferay DXP versions prior to 2025.Q1.0 Liferay DXP versions prior to 2025.Q2.0 Liferay DXP versions prior to 2025.Q3.0

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.0 through 7.4.3.132 Liferay DXP versions 2024.Q1.1 through 2024.Q1.20 Liferay DXP versions 2024.Q2.0 through 2024.Q2.13 Liferay DXP versions 2024.Q3.0 through 2024.Q3.13 Liferay DXP versions 2024.Q4.0 through 2024.Q4.7 Liferay DXP versions 2025.Q1.0 through 2025.Q1.16 Liferay DXP versions 2025.Q2.0 through 2025.Q2.11 Description: A stored cross-site scripting issue exists in Liferay Portal and DXP through the name of a fieldset in Kaleo Forms Admin. The malicious payload is stored and executed without proper sanitization or escaping, allowing a remote authenticated attacker to inject JavaScript. Recommendations: Liferay Portal versions prior to 7.4.3.132 Liferay DXP versions prior to 2024.Q1.1 Liferay DXP versions prior to 2024.Q2.0 Liferay DXP versions prior to 2024.Q3.0 Liferay DXP versions prior to 2024.Q4.0 Liferay DXP versions prior to 2025.Q1.0 Liferay DXP versions prior to 2025.Q2.0

Name of the Vulnerable Software and Affected Versions: LikeBtn WordPress plugin versions prior to 2.6.32 Description: The issue concerns Unauthenticated Full-Read Server-Side Request Forgery (SSRF) in the LikeBtn WordPress plugin. Recommendations: For versions prior to 2.6.32, update to version 2.6.32 or later to resolve the issue.