Matthew Rollings

**Name of the Vulnerable Software and Affected Versions** Anti-Spam by CleanTalk. Spam protection WordPress plugin versions prior to 6.79 **Description** Insufficient sanitization of content within a custom shortcode used in the email-encoding feature allows unauthenticated attackers to perform Stored Cross-Site Scripting (XSS). This enables the injection of arbitrary web scripts into approved comments, which are then executed when any user, including administrators, views the post. **Recommendations** Update to version 6.79 or later.

**Name of the Vulnerable Software and Affected Versions** FV Flowplayer Video Player versions prior to 7.5.49.7213 **Description** The FV Flowplayer Video Player plugin for WordPress contains a Stored Cross-Site Scripting issue caused by insufficient input sanitization and output escaping of comment text. This allows unauthenticated attackers to inject arbitrary web scripts into pages, which execute when a user visits the affected page. Successful exploitation depends on the administrator enabling the non-default `parse comments` setting (Parse Vimeo and YouTube links) and requires a submitted comment to be approved by an administrator before the payload is delivered. **Recommendations** Update the plugin to a version later than 7.5.49.7212. As a temporary mitigation, disable the `parse comments` (Parse Vimeo and YouTube links) plugin setting.

**Name of the Vulnerable Software and Affected Versions** Xpro Elementor Addons - Pro versions prior to 1.4.8 **Description** The plugin is subject to arbitrary file reading through the Draw SVG widget. This allows authenticated attackers with Contributor-level access or higher to read arbitrary files on the server, potentially exposing sensitive information. **Recommendations** Update the plugin to a version later than 1.4.7. As a temporary mitigation, restrict access to the Draw SVG widget for users with Contributor-level permissions.

**Name of the Vulnerable Software and Affected Versions** Email Encoder versions prior to 2.4.7 **Description** The Email Encoder WordPress plugin fails to escape email addresses retrieved via user input. This allows unauthenticated attackers to perform Stored Cross-Site Scripting (XSS), a technique where malicious scripts are permanently stored on the target server and executed in the browser of users who view the affected page. **Recommendations** Update to version 2.4.7 or later.

**Name of the Vulnerable Software and Affected Versions** Autoptimize versions prior to 3.1.15 Clearfy Cache versions prior to 2.4.2 Speed Optimizer versions prior to 7.7.9 **Description** Unauthenticated Stored Cross-Site Scripting (XSS) is possible due to a predictable replacement hash used during the HTML minification process and the abuse of a regular expression. This allows an attacker to anticipate the placeholder format and inject arbitrary HTML attributes into the final HTML output. **Recommendations** Update Autoptimize to version 3.1.15 or later. Update Clearfy Cache to version 2.4.2 or later. Update Speed Optimizer to version 7.7.9 or later.

**Name of the Vulnerable Software and Affected Versions** Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets versions prior to 4.2.3 **Description** Remote Code Execution is possible via the Display Logic feature. The issue arises because the plugin uses the `eval()` function on user-supplied Display Logic expressions with an insufficient blocklist/allowlist that can be bypassed using `array map` with string concatenation. Additionally, there is a lack of authorization enforcement on the `extended widget opts block` attribute. This allows authenticated attackers with Contributor-level access or higher to execute arbitrary code on the server. **Recommendations** Update to a version later than 4.2.2.

**Name of the Vulnerable Software and Affected Versions** Check & Log Email WordPress plugin versions prior to 2.0.13 **Description** Improper handling of email replacement allows unauthenticated users to perform Stored Cross-Site Scripting (XSS) attacks when the email encoder setting is enabled. Stored XSS occurs when a malicious script is permanently stored on the target server, which is then served to other users. **Recommendations** Update the plugin to version 2.0.13 or later.

**Name of the Vulnerable Software and Affected Versions** Autoptimize versions up to and including 3.1.14 **Description** The Autoptimize plugin for WordPress is susceptible to Stored Cross-Site Scripting through the lazy-loading image processing. This is caused by an overly permissive regular expression in the `add lazyload` function. The regular expression replaces all instances of `ssrc=` in image tags without restriction to the actual attribute. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. Attackers can achieve this by creating an image tag where the `src` URL contains a space followed by `src=`, which breaks the HTML structure and promotes text inside attribute values into executable HTML attributes. **Recommendations** Update Autoptimize to a version later than 3.1.14.

**Name of the Vulnerable Software and Affected Versions** Responsive Lightbox & Gallery WordPress plugin versions prior to 2.6.1 **Description** The software contains a flaw in its regex replacement rules that allows for an Unauthenticated Stored-XSS attack. This occurs when a malicious link is posted as a comment, and then approved with lightbox for comments enabled. The issue allows an attacker to inject malicious code that will be executed when other users view the comment. **Recommendations** Update to version 2.6.1 or later.

**Name of the Vulnerable Software and Affected Versions** CubeWP – All-in-One Dynamic Content Framework versions prior to 1.1.27 **Description** The CubeWP plugin for WordPress has an information exposure issue. Insufficient restrictions on the search feature in the `class-cubewp-search-ajax-hooks.php` file allows unauthenticated attackers to access data from password-protected, private, or draft posts that they should not be able to view. The vulnerable search feature allows extraction of sensitive information. **Recommendations** Update CubeWP – All-in-One Dynamic Content Framework to a version later than 1.1.27.

**Name of the Vulnerable Software and Affected Versions** Brizy – Page Builder plugin for WordPress versions prior to 2.7.17 **Description** The Brizy – Page Builder plugin for WordPress is susceptible to sensitive information disclosure. Authenticated attackers with Contributor-level access or higher can extract sensitive data, including email addresses and hashed passwords of administrators, through the `get users()` function. **Recommendations** Update to version 2.7.17 or later.

**Name of the Vulnerable Software and Affected Versions** a3 Lazy Load versions prior to 2.7.6 **Description** The a3 Lazy Load plugin for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping of user-supplied attributes. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the affected page. **Recommendations** Update a3 Lazy Load to version 2.7.6 or later.

**Name of the Vulnerable Software and Affected Versions** Royal Elementor Addons and Templates versions prior to 1.7.1037 **Description** The Royal Elementor Addons and Templates plugin for WordPress is susceptible to Stored Cross-Site Scripting. The issue is due to insufficient input sanitization and output escaping related to the `item['field id']` variable. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the affected page. **Recommendations** Update Royal Elementor Addons and Templates to version 1.7.1037 or later.

**Name of the Vulnerable Software and Affected Versions** Include Fussball.de Widgets plugin for WordPress versions up to and including 4.0.0 **Description** The software contains a Stored Cross-Site Scripting issue due to insufficient input sanitization and output escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. The issue is present through the 'api' and 'type' parameters. **Recommendations** Update the Include Fussball.de Widgets plugin to a version later than 4.0.0.

**Name of the Vulnerable Software and Affected Versions** kallyas versions prior to 4.23.1 **Description** The kallyas theme for WordPress is susceptible to Stored Cross-Site Scripting through multiple shortcodes. Insufficient input sanitization and output escaping on user-supplied attributes allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the affected page. **Recommendations** Update kallyas to version 4.23.1 or later.

**Name of the Vulnerable Software and Affected Versions** WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) versions prior to 1.9.1 **Description** The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress allows an attacker with Contributor-level permissions to upload malicious files. This occurs when importing recipes via CSV, specifically by providing a remote URL during the import process. Successful exploitation can lead to Remote Code Execution (RCE). The vulnerability involves arbitrary file uploads, enabling the attacker to upload a PHP file. The vulnerable component is the CSV import functionality. **Recommendations** Versions prior to 1.9.1 should be updated.

**Name of the Vulnerable Software and Affected Versions** kallyas versions prior to 4.24.0 **Description** The kallyas theme for WordPress is susceptible to Remote Code Execution through the `TH PhpCode` pagebuilder widget. The issue arises because the theme does not restrict access to the code editor widget for users who are not administrators. This allows authenticated attackers with Contributor-level access or higher to execute code on the server. The `TH PhpCode` widget is the specific component involved in this issue. **Recommendations** Update kallyas to version 4.24.0 or later.

**Name of the Vulnerable Software and Affected Versions** WPBakery Page Builder plugin for WordPress versions prior to 8.6 **Description** The software is susceptible to Stored Cross-Site Scripting through the 'rev slider vc' shortcode due to inadequate input sanitization and output escaping of user-provided attributes. This allows authenticated attackers with contributor-level access or higher to inject malicious web scripts into pages. These scripts will execute when a user accesses the compromised page. This issue requires RevSlider to also be installed for exploitation. **Recommendations** Update to a version later than 8.6.

**Name of the Vulnerable Software and Affected Versions** Ultimate Addons for WPBakery plugin for WordPress versions prior to 3.21.1 **Description** The Ultimate Addons for WPBakery plugin for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the compromised page. **Recommendations** Update the Ultimate Addons for WPBakery plugin to version 3.21.1 or later.

**Name of the Vulnerable Software and Affected Versions** Slider Revolution plugin for WordPress versions prior to 6.7.38 **Description** The Slider Revolution plugin for WordPress is susceptible to unauthorized access and modification of data because of a missing capability check on several functions. This allows authenticated attackers with Contributor-level access or higher to perform actions such as installing and activating plugin add-ons, creating sliders, and downloading arbitrary files. **Recommendations** Update to version 6.7.38 or later.