Michał Lipiński

**Name of the Vulnerable Software and Affected Versions** Lodash versions 4.0.0 through 4.17.22 **Description** Lodash versions 4.0.0 through 4.17.22 are susceptible to prototype pollution within the ` .unset` and ` .omit` functions. An attacker can leverage crafted paths to trigger the deletion of methods from global prototypes. The issue allows for property deletion but does not permit modification of the original behavior of those properties. **Recommendations** Update to Lodash version 4.17.23 or later.

**Name of the Vulnerable Software and Affected Versions** The Video Player for YouTube WordPress plugin versions prior to 1.4 **Description** The issue allows users with a role as low as contributor to set Cross-Site Scripting payload in the parameters from the shortcode, which will be triggered in the pages with the embed malicious shortcode. **Recommendations** For versions prior to 1.4, update to version 1.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the shortcode to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Html5 Audio Player – Audio Player for WordPress plugin versions prior to 2.1.3 **Description** The issue allows users with a role as low as contributor to set a Cross-Site Scripting payload in the parameters from the shortcode, which will be triggered in the pages with the embed malicious shortcode. **Recommendations** For versions prior to 2.1.3, update to version 2.1.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Easy Twitter Feed WordPress plugin versions prior to 1.2 **Description** The issue allows users with a role as low as contributor to set Cross-Site Scripting payload in the parameters from the shortcode, which will be triggered in the pages with the embed malicious shortcode. **Recommendations** For versions prior to 1.2, update to version 1.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the shortcode to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Polo Video Gallery – Best wordpress video gallery plugin versions through 1.2 **Description** The issue allows users with a role as low as contributor to set Cross-Site Scripting payload in the parameters from its shortcode, which will be triggered in the pages with the embed malicious shortcode. This is due to the plugin not sanitising or validating the parameters from its shortcode. **Recommendations** For versions through 1.2, consider disabling the shortcode functionality until a patch is available to prevent exploitation. Restrict access to the plugin's settings to minimize the risk of malicious shortcode embedding. Avoid using the plugin's shortcode in sensitive pages until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The StreamCast – Radio Player for WordPress plugin versions prior to 2.1.1 **Description** The issue allows users with a role as low as contributor to set a Cross-Site Scripting payload in the parameters from its shortcode, which will be triggered in the page/s with the embed malicious shortcode. **Recommendations** For versions prior to 2.1.1, update to version 2.1.1 or later to resolve the issue.