Lukasz Sobanski

**Name of the Vulnerable Software and Affected Versions** JetBackup – Backup, Restore & Migrate versions prior to 3.1.19.9 **Description** Insufficient input validation on the `fileName` parameter in the file upload handler allows for path traversal. The plugin uses `sanitize text field()`, which removes HTML tags but fails to block path traversal sequences such as '../'. The `Upload::getFileLocation()` function concatenates this unsanitized filename without using `basename()` or verifying that the resolved path remains within the intended directory. Consequently, when an invalid file is uploaded, the cleanup logic applies `dirname()` to the traversed path and passes it to `Util::rm()`, which recursively deletes the resolved directory. Authenticated attackers with administrator-level access can use this to delete critical WordPress directories, such as 'wp-content/plugins', leading to severe site disruption. **Recommendations** Update the plugin to a version newer than 3.1.19.8.

Name of the Vulnerable Software and Affected Versions Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress versions up to and including 3.6.3 Description The Kadence Blocks plugin for WordPress does not properly verify the `upload files` capability for users accessing the `process pattern` API endpoint. This allows authenticated attackers with contributor-level access or higher to upload images to the WordPress Media Library by providing remote image URLs, which the server then downloads and creates as media attachments. Recommendations Update Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress to a version later than 3.6.3.

**Name of the Vulnerable Software and Affected Versions** LatePoint – Calendar Booking Plugin for Appointments and Events versions through 5.2.7 **Description** The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is susceptible to Cross-Site Request Forgery. This is caused by insufficient or incorrect nonce validation within the `reload preview()` function. An unauthenticated attacker could potentially update settings and inject malicious web scripts by forging a request, provided they can mislead a site administrator into performing an action. **Recommendations** Update LatePoint – Calendar Booking Plugin for Appointments and Events to a version later than 5.2.7.

**Name of the Vulnerable Software and Affected Versions** Seraphinite Accelerator plugin for WordPress versions up to and including 2.28.14 **Description** The Seraphinite Accelerator plugin for WordPress is susceptible to sensitive information disclosure. This is due to the `OnAdminApi GetData()` function lacking proper capability checks. Authenticated attackers with Subscriber-level access or higher can retrieve sensitive operational data through the `seraph accel api` AJAX action with the `fn=GetData` parameter. This data includes cache status, scheduled task information, and external database state. The `GetData` parameter is used in the `seraph accel api` API endpoint. **Recommendations** Update the Seraphinite Accelerator plugin to a version later than 2.28.14.

**Name of the Vulnerable Software and Affected Versions** The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin versions prior to 7.0.0.4 **Description** The plugin is susceptible to Server-Side Request Forgery (SSRF). This allows authenticated attackers with Administrator-level access or higher to make web requests to arbitrary locations from the web application. This can be used to query and modify information from internal services. The plugin also stores the contents of remote files on the server, potentially enabling the upload of arbitrary files and remote code execution. The vulnerable function is `download url()`. **Recommendations** Update The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin to version 7.0.0.4 or later.

**Name of the Vulnerable Software and Affected Versions** Responsive Lightbox & Gallery plugin for WordPress versions prior to 2.7.2 **Description** The software is susceptible to Server-Side Request Forgery. This is caused by using `strpos()` for hostname validation instead of strict host comparison within the `ajax upload image()` function. Authenticated attackers with Author-level access or higher can make web requests to arbitrary locations from the web application, potentially allowing them to query and modify information from internal services. **Recommendations** Update the Responsive Lightbox & Gallery plugin to version 2.7.2 or later.

**Name of the Vulnerable Software and Affected Versions** Disable Admin Notices – Hide Dashboard Notifications plugin for WordPress versions up to and including 1.4.2 **Description** The Disable Admin Notices – Hide Dashboard Notifications plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF). This is because of a lack of nonce validation in the `showPageContent()` function. An unauthenticated attacker could potentially add arbitrary URLs to the blocked redirects list by forging a request, provided they can trick a site administrator into performing an action, such as clicking a link. **Recommendations** Update the Disable Admin Notices – Hide Dashboard Notifications plugin to a version newer than 1.4.2.

**Name of the Vulnerable Software and Affected Versions** Smart Forms plugin for WordPress versions prior to 2.7.0 **Description** The Smart Forms plugin for WordPress has a flaw that allows unauthorized access to data. This is due to a missing capability check on the 'rednao smart forms get campaigns' AJAX action. Attackers with Subscriber-level access or higher can retrieve donation campaign data, including campaign IDs and names. The affected API endpoint is `rednao smart forms get campaigns`. **Recommendations** Update the Smart Forms plugin to version 2.7.0 or later.

**Name of the Vulnerable Software and Affected Versions** The Menu Icons by ThemeIsle plugin for WordPress versions up to and including 0.13.20 **Description** The software is susceptible to a Stored Cross-Site Scripting issue due to inadequate input sanitization and output escaping. This allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. The vulnerable parameter is ` wp attachment image alt` post meta. **Recommendations** Update The Menu Icons by ThemeIsle plugin to a version later than 0.13.20.