Ly Hoang

**Name of the Vulnerable Software and Affected Versions** Simple History versions prior to 5.26.1 **Description** The Simple History plugin for WordPress allows authenticated users with Subscriber-level permissions or higher to take over accounts. The issue exists in the event reaction endpoints "/wp-json/simple-history/v1/events/<id>/react" and "/wp-json/simple-history/v1/events/<id>/unreact", which use the `get items permissions check()` function as their permission callback. This function only verifies that the requester is logged in and fails to enforce the necessary per-logger capability checks. By sending a POST request to the reaction endpoint with the ` fields=context` query parameter, an attacker can read the full context of any event. This includes `SimpleUserLogger` entries that contain password-reset email bodies and reset keys. An attacker can trigger a password reset for an administrator, identify the event ID, extract the reset key from `context.message`, and reset the administrator password. This exploitation is only possible if the `simple history experimental features enabled` experimental features option is enabled. **Recommendations** Update the plugin to a version later than 5.26.0. Disable the `simple history experimental features enabled` option to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance versions prior to 4.5.3 **Description** Insufficient file path validation in the `unscheduled original file deletion()` function allows authenticated attackers with author-level access or higher to delete arbitrary files on the server. This occurs because `original-file` is a public meta key that can be modified by authors via the REST API or the standard Edit Media form. Deleting critical files, such as 'wp-config.php', can lead to remote code execution. **Recommendations** Update the plugin to a version later than 4.5.2.

**Name of the Vulnerable Software and Affected Versions** LatePoint – Calendar Booking Plugin for Appointments and Events versions prior to 5.5.1 **Description** The plugin is susceptible to Stored Cross-Site Scripting (XSS), a flaw where malicious scripts are permanently stored on the target server. This occurs due to insufficient input sanitization and output escaping within the `booking form page url` parameter. Unauthenticated attackers can inject arbitrary web scripts into pages, which then execute when a user accesses them. The issue persists even without a configured Stripe integration because the `latepoint order intent created` action hook triggers before the Stripe Connect account ID is validated, allowing the malicious activity log entry to be written to the database. **Recommendations** Update the plugin to a version later than 5.5.0.