Mcdruid

**Name of the Vulnerable Software and Affected Versions** OttoKit: All-in-One Automation Platform WordPress plugin versions prior to 1.1.23 **Description** Insufficient sanitization of user input used in a SQL statement allows unauthenticated attackers to perform SQL injection attacks. **Recommendations** Update the plugin to version 1.1.23 or later.

**Name of the Vulnerable Software and Affected Versions** elFinder versions prior to 2.1.67 **Description** An issue exists in the resize command where the `bg` (background color) parameter is accepted from user input and passed through image resize or rotate processing. In configurations utilizing the ImageMagick CLI backend, this value is incorporated into shell command strings without sufficient escaping, allowing an attacker to achieve arbitrary command execution as the web server process user. **Recommendations** Update to version 2.1.67.

**Name of the Vulnerable Software and Affected Versions** Product Filter for WooCommerce by WBW WordPress plugin versions prior to 3.1.3 **Description** An issue exists where a parameter is not sanitized or escaped before being used in a SQL statement. This allows unauthenticated users to perform SQL injection attacks, which involve inserting malicious SQL code into a query to manipulate the database. **Recommendations** Update the plugin to version 3.1.3 or later.

**Name of the Vulnerable Software and Affected Versions** wpdevelop Booking Calendar versions through 10.14.15 **Description** A flaw exists in wpdevelop Booking Calendar that allows for Blind SQL Injection due to improper neutralization of special elements used in an SQL command. This issue could potentially allow an attacker to extract sensitive information from the database. **Recommendations** Update wpdevelop Booking Calendar to a version later than 10.14.15.

**Name of the Vulnerable Software and Affected Versions** WP Royal Royal Elementor Addons versions through 1.7.1049 **Description** The software contains a flaw related to the inclusion of functionality from an untrusted control sphere, potentially allowing access to functionality not properly constrained by access control lists (ACLs). **Recommendations** Update WP Royal Royal Elementor Addons to a version later than 1.7.1049.

**Name of the Vulnerable Software and Affected Versions** Marketing Fire Widget Options versions through 4.1.3 **Description** A code injection issue exists in the Widget Options component. This allows for the injection of code. The issue is related to improper control of code generation. **Recommendations** Update to a version later than 4.1.3.

**Name of the Vulnerable Software and Affected Versions** YITH WooCommerce Compare versions through 3.6.0 **Description** The YITH WooCommerce Compare plugin contains a flaw related to the deserialization of untrusted data, which can lead to object injection. This issue allows for potential compromise of the system through malicious data. **Recommendations** Update YITH WooCommerce Compare to a version later than 3.6.0.

**Name of the Vulnerable Software and Affected Versions** Mohammad I. Okfie IF AS Shortcode versions through 1.2 **Description** A code injection issue exists in Mohammad I. Okfie IF AS Shortcode. The flaw allows for code injection, potentially enabling attackers to execute malicious code. The affected component is the IF AS Shortcode. **Recommendations** Versions prior to 1.3 are vulnerable. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BoldGrid Client Invoicing by Sprout Invoices versions through 20.8.7 **Description** A flaw exists in BoldGrid Client Invoicing by Sprout Invoices that allows for Object Injection due to deserialization of untrusted data. This can lead to potential compromise of the system. **Recommendations** Update to a version later than 20.8.7.

**Name of the Vulnerable Software and Affected Versions** universam UNIVERSAM universam-demo versions n/a through 8.72.34 **Description** The software contains a flaw due to deserialization of untrusted data, which allows for object injection. This issue impacts the universam UNIVERSAM universam-demo application. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Improper Control of Generation of Code ('Code Injection') vulnerability in Cristián Lávaque s2Member s2member.This issue affects s2Member: from n/a through <= 250905.

**Name of the Vulnerable Software and Affected Versions** Boldermail versions through 2.4.0 **Description** A flaw exists in Boldermail that allows for Object Injection due to deserialization of untrusted data. This issue impacts Boldermail and could potentially allow an attacker to execute arbitrary code. **Recommendations** Update Boldermail to a version newer than 2.4.0.

**Name of the Vulnerable Software and Affected Versions** raoinfotech GSheets Connector versions through 1.1.1 **Description** A flaw exists in raoinfotech GSheets Connector that allows for Object Injection due to deserialization of untrusted data. This issue impacts the application's ability to securely handle incoming data, potentially leading to unauthorized access or control. The vulnerability is related to the deserialization process, where untrusted data is converted into an object, potentially allowing an attacker to manipulate the application's state. **Recommendations** Update raoinfotech GSheets Connector to a version later than 1.1.1.

**Name of the Vulnerable Software and Affected Versions** ConveyThis Language Translate Widget for WordPress versions through 264 **Description** The ConveyThis Language Translate Widget for WordPress is susceptible to deserialization of untrusted data, which allows for object injection. This issue could potentially allow an attacker to compromise the system by manipulating serialized data. **Recommendations** Update ConveyThis Language Translate Widget for WordPress to a version later than 264.

**Name of the Vulnerable Software and Affected Versions** Awesome Support versions through 6.3.4 **Description** The software contains a flaw due to deserialization of untrusted data, which allows for object injection. **Recommendations** Update Awesome Support to a version later than 6.3.4.

**Name of the Vulnerable Software and Affected Versions** eDS Responsive Menu versions through 1.2 **Description** A deserialization of untrusted data issue exists in eDS Responsive Menu, allowing object injection. This can occur due to the deserialization of untrusted data. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Aitasi Coming Soon versions n/a through 2.0.2 **Description** A deserialization issue exists in Rubel Miah Aitasi Coming Soon, potentially allowing for object injection. This occurs due to the deserialization of untrusted data. **Recommendations** Update Aitasi Coming Soon to a version later than 2.0.2.

**Name of the Vulnerable Software and Affected Versions** LTL Freight Quotes - TQL Edition versions n/a through 1.2.6 **Description** Deserialization of untrusted data in LTL Freight Quotes - TQL Edition allows for object injection. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LTL Freight Quotes – Day & Ross Edition versions through 2.1.11 **Description** Deserialization of untrusted data in LTL Freight Quotes – Day & Ross Edition allows object injection. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LTL Freight Quotes – Daylight Edition versions through 2.2.7 **Description** A deserialization of untrusted data issue exists in enituretechnology LTL Freight Quotes – Daylight Edition, allowing object injection. **Recommendations** Update LTL Freight Quotes – Daylight Edition to a version later than 2.2.7.