Mdr

**Name of the Vulnerable Software and Affected Versions** N-Media Frontend File Manager versions through 23.5 **Description** An authorization bypass exists in N-Media Frontend File Manager’s nmedia-user-file-uploader due to incorrectly configured access control security levels. This allows for exploitation through user-controlled keys. **Recommendations** Update to a version later than 23.5.

**Name of the Vulnerable Software and Affected Versions** Genetech Products Pie Register versions through 3.8.4.7 **Description** An authorization issue exists in Pie Register that allows exploiting incorrectly configured access control security levels. **Recommendations** Update Pie Register to a version later than 3.8.4.7.

**Name of the Vulnerable Software and Affected Versions** Leap13 Premium Addons for Elementor versions through 4.11.53 **Description** A flaw exists in Leap13 Premium Addons for Elementor that could allow unauthorized retrieval of sensitive data. The issue involves the exposure of sensitive system information to an unauthorized control sphere. **Recommendations** Update Leap13 Premium Addons for Elementor to a version later than 4.11.53.

**Name of the Vulnerable Software and Affected Versions** Ultimate Member Widgets for Elementor versions prior to 2.3 **Description** A flaw exists in UserElements Ultimate Member Widgets for Elementor that allows the retrieval of embedded sensitive data due to the insertion of sensitive information into sent data. **Recommendations** Update Ultimate Member Widgets for Elementor to a version later than 2.3.

**Name of the Vulnerable Software and Affected Versions** Revslider plugin for WordPress versions up to, and including, 6.6.20 **Description** The issue is related to Stored Cross-Site Scripting via svg upload due to insufficient input sanitization and output escaping. This allows authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, this can only be exploited by administrators, but the ability to use and configure revslider can be extended to authors. **Recommendations** For versions up to, and including, 6.6.20, update to a version higher than 6.6.20 to resolve the issue. As a temporary workaround, consider restricting access to the svg upload feature to minimize the risk of exploitation. Additionally, limit the ability to use and configure revslider to only trusted administrators to reduce the potential attack surface.

**Name of the Vulnerable Software and Affected Versions** The Beaver Builder – WordPress Page Builder plugin for WordPress versions up to, and including, 2.7.4.2 **Description** The issue is related to Stored Cross-Site Scripting via the `button link` parameter due to insufficient input sanitization and output escaping. This allows authenticated attackers with contributor access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 2.7.4.2, update to a version higher than 2.7.4.2 to resolve the issue. As a temporary workaround, consider restricting access to the `button link` parameter to minimize the risk of exploitation.