Lucio Sá

Name of the Vulnerable Software and Affected Versions: LiquidThemes WordPress plugins and themes (affected versions not specified) Description: Multiple plugins and/or themes developed by LiquidThemes for WordPress are susceptible to unauthorized access due to the absence of a capability check within the `liquid reset wordpress before` AJAX function. This allows authenticated attackers with Subscriber-level access or higher to deactivate all plugins on a WordPress site. The developer implemented a nonce check as a mitigation, but this measure is insufficient as the nonce is exposed to users with dashboard access. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: School Management System for Wordpress plugin for WordPress versions prior to 93.2.1 Description: The School Management System for Wordpress plugin for WordPress is vulnerable to SQL Injection via several parameters across multiple AJAX actions due to insufficient escaping of user-supplied parameters and a lack of sufficient preparation of existing SQL queries. This allows unauthenticated attackers to append additional SQL queries, potentially extracting sensitive information from the database. Recommendations: Update to version 93.2.1 or later.

Name of the Vulnerable Software and Affected Versions: Education theme for WordPress versions up to, and including, 3.6.10 Description: The issue allows unauthenticated attackers to inject a PHP Object via deserialization of untrusted input in the `themerex callback view more posts` function. This vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. Recommendations: For Education theme for WordPress versions up to, and including, 3.6.10, consider disabling the `themerex callback view more posts` function until a patch is available to prevent the deserialization of untrusted input. Restrict access to sensitive data and files to minimize the risk of exploitation. Avoid using untrusted input in the affected function to prevent PHP Object Injection.

Name of the Vulnerable Software and Affected Versions: The DWT - Directory & Listing WordPress Theme versions up to, and including, 3.3.6 Description: The issue allows for privilege escalation via account takeover due to improper checking of an empty token value prior to resetting a user's password through the `dwt listing reset password()` function. This enables unauthenticated attackers to change arbitrary users' passwords, including administrators, and gain access to their accounts. Recommendations: For versions up to, and including, 3.3.6, as a temporary workaround, consider disabling the `dwt listing reset password()` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Wolmart | Multi-Vendor Marketplace WooCommerce Theme versions 1.8.11 and earlier **Description** The issue is related to arbitrary shortcode execution due to the software allowing users to execute an action that does not properly validate a value before running `do shortcode()`. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. **Recommendations** For versions 1.8.11 and earlier, as a temporary workaround, consider disabling the execution of shortcodes until a patch is available. Restrict access to the `do shortcode()` function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Motors - Car Dealer, Rental & Listing WordPress theme versions up to, and including, 5.6.65 **Description** The issue is related to arbitrary shortcode execution due to improper validation of a value before running do shortcode, allowing unauthenticated attackers to execute arbitrary shortcodes. **Recommendations** For versions up to, and including, 5.6.65, as a temporary workaround, consider restricting the execution of shortcodes to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WordPress plugins and themes (affected versions not specified) **Description** The issue concerns multiple plugins and/or themes for WordPress that are vulnerable to unauthorized access due to a missing capability check on several AJAX actions, such as `gsf reset section options` and `gsf create preset options`. This allows authenticated attackers with Subscriber-level access and above to reset and modify some plugin/theme settings. The problem was reported to Envato over two months ago, and although partial patches have been released, the issues remain vulnerable. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WordPress (affected versions not specified) **Description** The issue is related to a missing capability check on the `ajaxUploadFonts()` function in various WordPress plugins and themes, allowing authenticated attackers with Subscriber-level access and above to upload arbitrary files. This can potentially lead to remote code execution. The issue was escalated to Envato over two months ago and, while partially patched, remains vulnerable. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WordPress plugins and/or themes using Smart Framework (affected versions not specified) **Description** The issue is related to Stored Cross-Site Scripting due to a missing capability check on the `saveOptions()` and `importThemeOptions()` functions. This allows authenticated attackers with Subscriber-level access and above to update the plugin's settings, including custom JavaScript that is enabled site-wide. **Recommendations** For WordPress plugins and/or themes using Smart Framework, consider disabling the `saveOptions()` and `importThemeOptions()` functions until a patch is available to prevent exploitation. Restrict access to the plugin's settings to minimize the risk of attackers updating custom JavaScript. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Anps Theme plugin versions up to, and including, 1.1.1 **Description** The issue is related to arbitrary shortcode execution due to the software allowing users to execute an action that does not properly validate a value before running `do shortcode()`. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. **Recommendations** For versions up to, and including, 1.1.1, update to a version that fixes the arbitrary shortcode execution issue. As a temporary workaround, consider restricting access to the `do shortcode()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** WooCommerce Automatic Order Printing plugin versions up to, and including, 4.1 **Description** The issue is related to Insecure Direct Object Reference, which allows authenticated attackers with Subscriber-level access and above to view other users' invoices and orders containing sensitive information. This is possible due to missing validation on a user-controlled key in the `xc woo printer preview` AJAX action. **Recommendations** For versions up to, and including, 4.1, consider disabling the `xc woo printer preview` AJAX action until a patch is available to prevent exploitation. Restrict access to sensitive information by limiting Subscriber-level access and above to only necessary personnel.

**Name of the Vulnerable Software and Affected Versions** The Reales WP - Real Estate WordPress Theme versions up to, and including, 2.1.2 **Description** The issue allows unauthorized modification and loss of data due to a missing capability check on the `reales delete file`, `reales delete file plans`, `reales add to favourites`, and `reales remove from favourites` functions. This makes it possible for unauthenticated attackers to delete arbitrary attachments, and add or remove favorite property listings for any user. **Recommendations** For versions up to, and including, 2.1.2, update to a version that includes a fix for the missing capability check issue. As a temporary workaround, consider disabling the `reales delete file`, `reales delete file plans`, `reales add to favourites`, and `reales remove from favourites` functions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ZoomSounds - WordPress Wave Audio Player with Playlist plugin versions up to, and including, 6.91 **Description** The issue allows authenticated attackers with Subscriber-level access and above to modify data due to a missing capability check on the 'dzsap delete notice' AJAX action. This can lead to a denial of service by updating option values to cause an error on the site or setting certain values to true, such as registration. Several other functions are also vulnerable to missing authorization. **Recommendations** For versions up to, and including, 6.91, update to a version that includes a fix for the missing capability check on the 'dzsap delete notice' AJAX action to prevent unauthorized modification of data. As a temporary workaround, consider restricting access to the 'dzsap delete notice' AJAX action to prevent exploitation until a patch is available. Restrict access to the vulnerable functions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SMS Alert Order Notifications – WooCommerce plugin for WordPress versions up to, and including, 3.7.9 **Description** The issue allows for privilege escalation via account takeover. This is due to the plugin using the Host header to determine if it is in a playground environment, making it possible for unauthenticated attackers to spoof the Host header, set the OTP code to "1234", and authenticate as any user, including administrators. **Recommendations** For versions up to, and including, 3.7.9, update to a version higher than 3.7.9 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** BWL Advanced FAQ Manager plugin for WordPress versions up to and including 2.1.4 **Description** The issue allows for unauthorized modification of data, potentially leading to a denial of service. This is due to a missing capability check on the `baf set notice status` AJAX action. Authenticated attackers with Subscriber-level access or higher can update option values to `1` on the WordPress site. This can be exploited to create an error on the site, denying service to legitimate users, or to set certain values to true, such as registration. **Recommendations** For versions up to and including 2.1.4, update to a version higher than 2.1.4 to resolve the issue. As a temporary workaround, consider restricting access to the `baf set notice status` AJAX action to prevent unauthorized modifications.

**Name of the Vulnerable Software and Affected Versions** CozyStay versions 1.7.0 and earlier TinySalt versions 3.9.0 and earlier **Description** The issue affects the CozyStay and TinySalt plugins for WordPress, allowing unauthenticated attackers to inject a PHP object through deserialization of untrusted input in the `ajax handler` function. This vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme, it may allow the attacker to perform actions like deleting arbitrary files, retrieving sensitive data, or executing code, depending on the POP chain present. **Recommendations** For CozyStay versions 1.7.0 and earlier, update to a version later than 1.7.0 to mitigate the risk. For TinySalt versions 3.9.0 and earlier, update to a version later than 3.9.0 to mitigate the risk. As a temporary workaround, consider disabling the `ajax handler` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** FoodBakery | Delivery Restaurant Directory WordPress Theme versions up to 4.7 **Description** The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on several functions, including `foodbakery var backup file delete`, `foodbakery widget file delete`, `theme option save`, `export widget settings`, `ajax import widget data`, `foodbakery var settings backup generate`, `foodbakery var backup file restore`, and `theme option rest all`. This allows unauthenticated attackers to perform various actions, such as deleting arbitrary files, updating theme options, exporting and importing widget options, generating and restoring backups, and resetting theme options, by tricking a site administrator into performing an action. **Recommendations** For FoodBakery | Delivery Restaurant Directory WordPress Theme versions up to 4.7, update to a version that includes the necessary nonce validation to prevent Cross-Site Request Forgery attacks. As a temporary workaround, consider restricting access to the vulnerable functions, such as `foodbakery var backup file delete`, `foodbakery widget file delete`, `theme option save`, `export widget settings`, `ajax import widget data`, `foodbakery var settings backup generate`, `foodbakery var backup file restore`, and `theme option rest all`, until a patch is available.

**Name of the Vulnerable Software and Affected Versions** CozyStay theme for WordPress versions up to, and including, 1.7.0 **Description** The CozyStay theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax handler` function. This makes it possible for unauthenticated attackers to execute arbitrary actions. **Recommendations** For CozyStay theme for WordPress versions up to, and including, 1.7.0, update to a version later than 1.7.0 to resolve the issue. As a temporary workaround, consider disabling the `ajax handler` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MinimogWP – The High Converting eCommerce WordPress Theme versions up to 3.7.0 **Description** The issue allows unauthenticated attackers to include and execute arbitrary files on the server through the `template` parameter. This enables the execution of any PHP code in those files, which can be used to bypass access controls, obtain sensitive data, or achieve code execution when images and other "safe" file types can be uploaded and included. **Recommendations** For versions up to 3.7.0, consider disabling the `template` parameter to prevent arbitrary file inclusion until a patch is available. Restrict access to file upload functionality to minimize the risk of exploitation. Avoid using the `template` parameter in affected areas until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FoodBakery | Delivery Restaurant Directory WordPress Theme versions up to 4.7 **Description** The issue allows unauthorized access and modification of data due to a missing capability check on several functions, including `foodbakery var backup file delete`, `foodbakery widget file delete`, `theme option save`, `export widget settings`, `ajax import widget data`, `foodbakery var settings backup generate`, `foodbakery var backup file restore`, and `theme option rest all`. This enables authenticated attackers with Subscriber-level access and above to perform various malicious actions, such as deleting arbitrary files, updating theme options, exporting and importing widget options, generating and restoring backups, and resetting theme options. **Recommendations** For FoodBakery | Delivery Restaurant Directory WordPress Theme versions up to 4.7, update to a version that includes a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.