Martin Vierula

**Name of the Vulnerable Software and Affected Versions** The Timetable and Event Schedule by MotoPress WordPress plugin versions prior to 2.3.19 **Description** The issue allows low privilege users, such as authors, to perform XSS attacks against frontend and backend users when viewing related events. This is due to the plugin not sanitizing some of its parameters. **Recommendations** For versions prior to 2.3.19, update to version 2.3.19 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality for low-privilege users until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Comment Link Remove and Other Comment Tools WordPress plugin versions prior to 2.1.6 **Description** The issue concerns the lack of a CSRF check in the 'Delete comments easily' feature, which could allow attackers to trick logged-in admins into deleting arbitrary comments. **Recommendations** For versions prior to 2.1.6, update to version 2.1.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WP Simple Booking Calendar versions prior to 2.0.6 **Description** The issue is related to an authenticated SQL injection problem. It occurs because the `orderby` parameter in the Search Calendars action is not properly escaped, validated, or sanitized before being used in a SQL statement. This allows for malicious SQL code to be injected. **Recommendations** For versions prior to 2.0.6, update to version 2.0.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the Search Calendars action to minimize the risk of exploitation. Avoid using the `orderby` parameter in the affected action until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** StopBadBots WordPress plugin versions prior to 6.60 **Description** The issue is related to the failure of the StopBadBots WordPress plugin to validate or escape the `order` and `orderby` GET parameters in some of its admin dashboard pages. This leads to authenticated SQL injections. **Recommendations** For versions prior to 6.60, update to version 6.60 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin dashboard pages that use the `order` and `orderby` GET parameters until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Membership & Content Restriction – Paid Member Subscriptions WordPress plugin versions prior to 2.4.2 **Description** The issue concerns the Membership & Content Restriction – Paid Member Subscriptions WordPress plugin, where the `order` and `orderby` parameters are not properly sanitised, validated, or escaped before being used in SQL statements. This leads to authenticated SQL injections, specifically affecting the Members and Payments pages. **Recommendations** For versions prior to 2.4.2, update to version 2.4.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Members and Payments pages until the update is applied.