Mgthuramoemyint

**Name of the Vulnerable Software and Affected Versions** ARForms - Premium WordPress Form Builder Plugin version 6.4.0 and earlier **Description** The issue arises from the improper escaping of user-controlled input when it is reflected in some of the plugin's AJAX actions. This can lead to potential security risks. **Recommendations** For versions prior to 6.4.1, update to version 6.4.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ARForms - Premium WordPress Form Builder Plugin versions prior to 6.6 **Description** The issue allows unauthenticated users to modify uploaded files, enabling the upload of PHP code when an upload file input is included on a form. **Recommendations** For versions prior to 6.6, update to version 6.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Premium Addons for Elementor plugin for WordPress versions up to, and including, 4.10.31 **Description** The issue allows authenticated attackers with subscriber-level access and above to retrieve Elementor template data due to a missing capability check on the `get template content()` function. This enables unauthorized access of data. **Recommendations** For versions up to, and including, 4.10.31, update to a version higher than 4.10.31 to resolve the issue. As a temporary workaround, consider restricting access to the `get template content()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin versions up to, and including, 5.7.17 **Description** The issue allows authenticated attackers with subscriber access and above to obtain the contents of private and password-protected posts due to a missing capability check on the `get template content` function. This enables unauthorized access to sensitive data. **Recommendations** For versions up to, and including, 5.7.17, update to a version that includes a fix for the missing capability check on the `get template content` function to prevent unauthorized access to private and password-protected posts.

**Name of the Vulnerable Software and Affected Versions** The Ivory Search – WordPress Search Plugin versions up to, and including, 5.5.5 **Description** The issue allows authenticated attackers with subscriber-level access and above to modify data without authorization due to a missing capability check on the `ajax create index()` function. This makes it possible for them to trigger index creation. **Recommendations** For versions up to, and including, 5.5.5, consider disabling the `ajax create index()` function until a patch is available to prevent unauthorized modification of data. Restrict access to the affected function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Customer Reviews for WooCommerce plugin for WordPress versions up to, and including, 5.46.0 **Description** The issue is related to unauthorized email sending due to a missing capability check on the `send test email()` function. This allows authenticated attackers with subscriber-level access and above to send arbitrary test emails. **Recommendations** For versions up to, and including, 5.46.0, update to a version that includes a fix for the missing capability check on the `send test email()` function. As a temporary workaround, consider restricting access to the `send test email()` function to prevent unauthorized email sending.

**Name of the Vulnerable Software and Affected Versions** Customer Reviews for WooCommerce plugin for WordPress (affected versions not specified) **Description** The issue allows unauthorized access to data due to a missing capability check on the `woocommerce json search coupons` function. This enables attackers with subscriber-level access to view coupon codes. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WPZOOM Social Feed Widget & Block plugin for WordPress versions up to, and including, 2.1.13 **Description** The issue is related to unauthorized access due to a missing capability check on the `wpzoom instagram clear data()` function. This allows authenticated attackers with subscriber-level access and above to delete all Instagram images installed on the site. **Recommendations** For versions up to, and including, 2.1.13, update to a version higher than 2.1.13 to resolve the issue. As a temporary workaround, consider disabling the `wpzoom instagram clear data()` function until a patch is available. Restrict access to the plugin's functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Relevanssi – A Better Search plugin for WordPress versions up to, and including, 4.22.1 **Description** The issue allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. This is due to a CSV Injection vulnerability. **Recommendations** For versions up to, and including, 4.22.1, update to a version later than 4.22.1 to resolve the issue. As a temporary workaround, consider avoiding the export of CSV files until a patch is available. Restrict access to the CSV export feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Relevanssi – A Better Search plugin for WordPress versions up to, and including, 4.22.1 **Description** The issue allows unauthorized modification of data due to a missing capability check on the `relevanssi update counts()` function. This makes it possible for unauthenticated attackers to execute expensive queries on the application, potentially leading to a denial-of-service (DOS) attack. **Recommendations** For versions up to, and including, 4.22.1, update to a version that includes a fix for the missing capability check in the `relevanssi update counts()` function. As a temporary workaround, consider disabling the `relevanssi update counts()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ProfilePress Membership Team Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress versions n/a through 4.3.2 **Description** The issue is related to Deserialization of Untrusted Data, which affects the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress. **Recommendations** For versions n/a through 4.3.2, update to a version later than 4.3.2 to resolve the issue. As a temporary workaround, consider restricting access to untrusted data deserialization functions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Quiz And Survey Master plugin versions prior to 7.3.10 **Description** A Sensitive Information Disclosure issue has been discovered in the Quiz And Survey Master plugin for WordPress. **Recommendations** For versions prior to 7.3.10, update to version 7.3.10 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Quiz And Survey Master plugin versions 7.3.10 and earlier **Description** A bypass vulnerability exists in the Quiz And Survey Master plugin for WordPress. **Recommendations** For versions 7.3.10 and earlier, update to a version later than 7.3.10 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Quiz And Survey Master plugin versions <= 7.3.10 **Description** The issue is related to an Authenticated Cross-Site Scripting (XSS) vulnerability. This means that an attacker who has subscriber-level access or higher can inject malicious scripts into the website, potentially leading to unauthorized actions. **Recommendations** For Quiz And Survey Master plugin versions <= 7.3.10, update to a version higher than 7.3.10 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Yasr – Yet Another Stars Rating WordPress plugin versions <= 2.9.9 **Description** A Cross-Site Scripting (XSS) issue was found, related to the `source` parameter. **Recommendations** For Yasr – Yet Another Stars Rating WordPress plugin versions <= 2.9.9, update to a version higher than 2.9.9 to resolve the issue. As a temporary workaround, consider restricting access to the `source` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** NextGEN Gallery Pro WordPress plugin versions prior to 3.1.11 **Description** The issue concerns the eCommerce module of the NextGEN Gallery Pro WordPress plugin. It involves an action that calls `get cart items` via `photocrati ajax`, allowing the injection of malicious JavaScript through the `settings[shipping address][name]`. **Recommendations** For versions prior to 3.1.11, update to version 3.1.11 or later to resolve the issue. As a temporary workaround, consider restricting access to the `photocrati ajax` endpoint to minimize the risk of exploitation. Avoid using the `settings[shipping address][name]` variable in the affected API endpoint until the issue is resolved.