Marco Wotschka

**Name of the Vulnerable Software and Affected Versions** OVRI Payment plugin for WordPress version 1.7.0 **Description** The software includes malicious .htaccess files in version 1.7.0. These files contain directives designed to prevent the execution of specific scripts while permitting the execution of known malicious PHP files. If these files are moved from the plugin’s directory, they could disrupt the normal operation of a website. The .htaccess files are used to control access to specific files and directories on the web server. **Recommendations** Update to a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ova Advent plugin for WordPress versions up to and including 1.1.7 **Description** The software contains a flaw due to insufficient input sanitization and output escaping on user-supplied attributes within the plugin’s shortcodes. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the affected page. **Recommendations** Update the Ova Advent plugin to a version newer than 1.1.7.

Name of the Vulnerable Software and Affected Versions: BeeTeam368 Extensions plugin for WordPress versions up to and including 2.3.5 Description: The BeeTeam368 Extensions plugin for WordPress is susceptible to arbitrary file uploads due to the absence of file type validation within the `handle submit upload file()` function. This allows authenticated attackers with Subscriber-level access or higher to upload arbitrary files to the affected server, potentially leading to remote code execution. Recommendations: BeeTeam368 Extensions plugin for WordPress versions prior to and including 2.3.5: Update to a version newer than 2.3.5.

**Name of the Vulnerable Software and Affected Versions** If Menu plugin for WordPress versions up to, and including, 0.19.1 **Description** The issue allows unauthorized modification of the plugin's license key due to a missing capability check on the `actions` function. This makes it possible for unauthenticated attackers to modify or delete the license key. **Recommendations** For versions up to, and including, 0.19.1, update to a version that includes a capability check for the `actions` function to prevent unauthorized license key modification.

**Name of the Vulnerable Software and Affected Versions** Video Grid plugin for WordPress versions up to, and including, 1.21 **Description** The issue is related to Reflected Cross-Site Scripting via the `search term` parameter due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. **Recommendations** For Video Grid plugin for WordPress versions up to, and including, 1.21, update to a version higher than 1.21 to resolve the issue. As a temporary workaround, consider restricting the use of the `search term` parameter in the affected plugin until a patch is available.

**Name of the Vulnerable Software and Affected Versions** BigBlueButton plugin for WordPress versions up to, and including, 3.0.0-beta.4 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping in the moderator code and viewer code fields. This allows authenticated attackers with author privileges or higher to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The vulnerability can be exploited by attackers with author privileges to inject arbitrary scripts, which are executed during user interactions. **Recommendations** For versions up to, and including, 3.0.0-beta.4, consider disabling the moderator code and viewer code fields as a temporary workaround until a patch is available. Restrict access to these fields to minimize the risk of exploitation. Avoid using these fields in pages that can be accessed by users until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: The Ultimate WordPress Toolkit – WP Extended plugin for WordPress versions up to, and including, 3.0.8 Description: The issue is related to Reflected Cross-Site Scripting via the `selected option` parameter due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Recommendations: For versions up to, and including, 3.0.8, update to a version later than 3.0.8 to resolve the issue. As a temporary workaround, consider restricting access to the `selected option` parameter to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: The Ultimate WordPress Toolkit – WP Extended plugin for WordPress versions up to, and including, 3.0.8 Description: The issue is related to Reflected Cross-Site Scripting via the `page` parameter due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Recommendations: For versions up to, and including, 3.0.8, update to a version later than 3.0.8 to resolve the issue. As a temporary workaround, consider restricting access to the `page` parameter to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: The Ultimate WordPress Toolkit – WP Extended plugin for WordPress versions up to, and including, 3.0.8 Description: The issue is related to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the `module all toggle ajax()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site, potentially allowing them to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. Recommendations: For versions up to, and including, 3.0.8, update to a version that includes a fix for this issue. As a temporary workaround, consider disabling the `module all toggle ajax()` function until a patch is available. Restrict access to the WordPress site to minimize the risk of exploitation. Avoid using the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: The Ultimate WordPress Toolkit – WP Extended plugin for WordPress versions up to, and including, 3.0.8 Description: The issue allows authenticated attackers with Contributor-level access and above to duplicate posts written by other authors, including admins, due to missing validation on a user-controlled key in the `duplicate post` function. This includes the ability to duplicate password-protected posts, revealing their contents. Recommendations: For versions up to, and including, 3.0.8, update to a version that fixes the Insecure Direct Object Reference vulnerability. As a temporary workaround, consider restricting access to the `duplicate post` function until a patch is available.

Name of the Vulnerable Software and Affected Versions: WP Extended plugin for WordPress versions up to, and including, 3.0.8 Description: The issue allows authenticated attackers, with subscriber access and above, to read the contents of arbitrary files on the server, which can contain sensitive information, via the `download file ajax` function. This enables potential exposure of sensitive data on the server. Recommendations: For WP Extended plugin for WordPress versions up to, and including, 3.0.8, update to version 3.0.9 to secure your site. As a temporary workaround, consider disabling the `download file ajax` function until a patch is available.

Name of the Vulnerable Software and Affected Versions: The Ultimate WordPress Toolkit – WP Extended plugin for WordPress versions up to, and including, 3.0.8 Description: The issue allows authenticated attackers with Subscriber-level access and above to extract sensitive data, including usernames, hashed passwords, and emails, via the `download user ajax` function. This makes it possible for attackers to obtain sensitive information. Recommendations: For versions up to, and including, 3.0.8, consider disabling the `download user ajax` function as a temporary workaround until a patch is available. Restrict access to sensitive data and limit Subscriber-level access to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: The Ultimate WordPress Toolkit – WP Extended plugin for WordPress version 3.0.8 and earlier Description: The issue allows authenticated attackers with Subscriber-level access and above to change an admin's username to a username of their liking, as long as the default 'admin' was used, due to a missing capability check on the `wpext change admin name()` function. Recommendations: For versions up to and including 3.0.8, update the plugin to the latest patched version immediately to resolve the issue. As a temporary workaround, consider restricting access to the `wpext change admin name()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Favicon Generator plugin for WordPress versions up to, and including, 1.5 **Description** The Favicon Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the `output sub admin page 0` function. This makes it possible for unauthenticated attackers to delete arbitrary files on the server via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. **Recommendations** For Favicon Generator plugin for WordPress versions up to, and including, 1.5, the plugin author deleted the functionality of the plugin to patch this issue and close the plugin. We recommend seeking an alternative to this plugin. As a temporary workaround, consider disabling the `output sub admin page 0` function until a suitable replacement is found. Restrict access to the plugin's functionality to minimize the risk of exploitation. Avoid using the plugin until a secure alternative is implemented. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BackWPup plugin for WordPress versions up to, and including, 4.0.1 **Description** The issue allows authenticated attackers to store backups in arbitrary folders on the server, provided they can be written to by the server. This is achieved via the job-specific backup folder. Default settings will place an index.php and a .htaccess file into the chosen directory when the first backup job is run, intended to prevent directory listing and file access. An attacker could set the backup directory to the root of another site in a shared environment, thus disabling that site. **Recommendations** For versions up to, and including, 4.0.1, update to a version later than 4.0.1 to resolve the issue. As a temporary workaround, consider restricting access to the job-specific backup folder to minimize the risk of exploitation. Additionally, monitor server configurations to prevent unauthorized write access to sensitive directories.

**Name of the Vulnerable Software and Affected Versions** IgnitionDeck Crowdfunding Platform plugin for WordPress versions up to, and including, 1.9.8 **Description** The issue is due to missing capability checks on various functions called via AJAX actions in the ~/classes/class-idf-wizard.php file. This allows authenticated attackers, with subscriber access or higher, to execute various AJAX actions, including changing the permalink structure and plugin settings. **Recommendations** For versions up to, and including, 1.9.8, update to a version that includes the necessary capability checks to prevent unauthorized access to AJAX actions. As a temporary workaround, consider restricting access to the ~/classes/class-idf-wizard.php file to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Conditional Fields for Contact Form 7 plugin for WordPress versions up to, and including, 2.4.13 Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the `wpcf7cf admin init` function. This allows unauthenticated attackers to reset the plugin's settings via a forged request if they can trick a site administrator into performing an action such as clicking on a link. Recommendations: For versions up to, and including, 2.4.13, update to a version that includes the fix for the missing or incorrect nonce validation on the `wpcf7cf admin init` function. As a temporary workaround, consider restricting access to the plugin's settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WP Go Maps for WordPress versions up to, and including, 9.0.32 **Description** The issue is related to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue only affects multi-site installations and installations where unfiltered html has been disabled. **Recommendations** For versions up to, and including, 9.0.32, update to a version higher than 9.0.32 to resolve the issue. As a temporary workaround, consider restricting access to admin settings to minimize the risk of exploitation. Additionally, enabling unfiltered html or taking measures to ensure proper input sanitization and output escaping can help mitigate the risk.

**Name of the Vulnerable Software and Affected Versions** The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress versions up to and including 1.4.4 **Description** The issue is due to missing or incorrect nonce validation on the `ajax theme activation` function, making it possible for unauthenticated attackers to activate arbitrary installed themes via a forged request. This can happen if an attacker can trick a site administrator into performing an action such as clicking on a link. **Recommendations** For versions up to and including 1.4.4, update to a version that includes the fix for the missing or incorrect nonce validation on the `ajax theme activation` function. As a temporary workaround, consider disabling the `ajax theme activation` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress versions up to, and including, 1.4.4 **Description** The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the `ajax plugin activation` function. This allows unauthenticated attackers to activate arbitrary installed plugins via a forged request if they can trick a site administrator into performing an action such as clicking on a link. **Recommendations** For versions up to, and including, 1.4.4, update to a version that includes the fix for the nonce validation issue in the `ajax plugin activation` function. As a temporary workaround, consider restricting access to the `ajax plugin activation` function to minimize the risk of exploitation.