Mariusz Maik

**Name of the Vulnerable Software and Affected Versions** Mattermost version 11.6.0 Mattermost version 11.5.3 Mattermost version 11.4.4 Mattermost version 10.11.14 **Description** Insufficient input validation in the GitHub plugin API request handlers allows an authenticated attacker to cause a denial of service by crashing the plugin process. This is achieved by sending a crafted HTTP request to the 'PR details' endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SzafirHost versions prior to 1.2.1 **Description** SzafirHost verifies the signature of downloaded JAR files using the `JarInputStream` class, which reads from the beginning of the file, but loads classes using the `JarFile`/`URLClassLoader` classes, which read the Central Directory from the end. This discrepancy allows an attacker to combine a genuine, signed JAR file with a malicious ZIP file, bypassing verification to achieve remote code execution. **Recommendations** Update to version 1.2.1.

Name of the Vulnerable Software and Affected Versions UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress versions through 1.2.58 Description The UsersWP plugin for WordPress is susceptible to a blind Server-Side Request Forgery (SSRF). This is caused by inadequate URL origin validation within the `process image crop()` method during avatar/banner image crop operations. The function accepts a user-controlled URL via the `uwp crop` POST parameter and relies on `esc url()` for sanitization and `wp check filetype()` for extension verification, without ensuring the URL points to a local uploads file. The URL is then used in PHP image processing functions that support URL wrappers, allowing the WordPress server to make arbitrary HTTP requests to attacker-controlled or internal network destinations. This could enable internal network scanning and access to sensitive services for authenticated attackers with subscriber-level access or higher. Recommendations Update the UsersWP plugin to a version later than 1.2.58.

Name of the Vulnerable Software and Affected Versions Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress versions up to and including 8.8.3 Description The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is susceptible to authorization bypass. This occurs because the plugin’s AJAX handlers do not verify that the `b2s id` parameter, provided by the user, corresponds to the current user before executing UPDATE and DELETE operations. Authenticated attackers with Subscriber-level access or higher can exploit this to modify, reschedule, or delete scheduled social media posts belonging to other users. Recommendations Update Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress to a version later than 8.8.3.

**Name of the Vulnerable Software and Affected Versions** Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress versions up to and including 8.8.2 **Description** The Blog2Social plugin for WordPress is susceptible to unauthorized data loss. The `resetSocialMetaTags()` function inadequately verifies user permissions, only checking for 'read' capability and a valid b2s security nonce. Because the plugin grants the 'blog2social access' capability to all roles upon activation, attackers with Subscriber-level access or higher can access the admin pages where the nonce is available. This allows them to delete all ` b2s post meta` records from the `wp postmeta` table, resulting in the permanent removal of custom social media meta tags for all posts on the site. **Recommendations** Versions prior to 8.8.3 should be updated.

**Name of the Vulnerable Software and Affected Versions** The Gallery by FooGallery plugin for WordPress versions through 3.1.9 **Description** The Gallery by FooGallery plugin for WordPress has a flaw that allows unauthorized access to data. A missing capability check in the `ajax get gallery info()` function permits authenticated attackers with Subscriber-level access or higher to retrieve metadata—including the name, image count, and thumbnail URL—of private, draft, and password-protected galleries by enumerating gallery IDs. **Recommendations** Update to a version of The Gallery by FooGallery plugin later than 3.1.9.