Luciano Hanna

Name of the Vulnerable Software and Affected Versions: Melhor Envio plugin for WordPress versions up to and including 2.15.9 Description: The issue allows unauthenticated attackers to extract sensitive data, including environment information, plugin tokens, shipping configurations, and limited vendor information, through the `run` function, which utilizes a hardcoded hash. Recommendations: For Melhor Envio plugin for WordPress versions up to and including 2.15.9, update to a version higher than 2.15.9 to resolve the issue. As a temporary workaround, consider restricting access to the `run` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Advanced iFrame plugin for WordPress versions up to and including 2024.5 **Description** The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the `advanced iframe` shortcode. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in pages. These scripts will execute whenever a user accesses an injected page. **Recommendations** For versions up to and including 2024.5, consider disabling the `advanced iframe` shortcode until a patch is available to prevent exploitation. As a temporary workaround, restrict access to the `advanced iframe` shortcode to minimize the risk of arbitrary web script injection.

Name of the Vulnerable Software and Affected Versions: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress versions up to 1.6.8.5 Description: The issue arises from the software's failure to properly validate a value before executing `do shortcode`, allowing unauthenticated attackers to execute arbitrary shortcodes. This is due to the software permitting users to execute an action without correct validation. Recommendations: For versions up to 1.6.8.5, update to a version later than 1.6.8.5 to resolve the issue. As a temporary workaround, consider restricting access to the `do shortcode` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin versions up to, and including, 1.6.8.3 **Description** The issue is related to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping in the `accent color` and `background` parameters. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. **Recommendations** For versions up to, and including, 1.6.8.3, update to a version that addresses the insufficient input sanitization and output escaping issue in the `accent color` and `background` parameters. As a temporary workaround, consider restricting user input for these parameters to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Accept Donations with PayPal & Stripe plugin for WordPress versions up to, and including, 1.4.4 **Description** The issue is related to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts in pages. This can be achieved by tricking a user into performing an action, such as clicking on a link, via the `rf` parameter. **Recommendations** For Accept Donations with PayPal & Stripe plugin for WordPress versions up to, and including, 1.4.4, update to a version higher than 1.4.4 to resolve the issue. As a temporary workaround, consider restricting access to the `rf` parameter to minimize the risk of exploitation.