Mike Gozdiskowski

**Name of the Vulnerable Software and Affected Versions** Guest posting / Frontend Posting / Front Editor WordPress plugin versions prior to 5.0.6 **Description** The plugin allows passing a URL parameter to regenerate a .json file based on demo data. If an administrator modifies the demo form and enables admin notifications, an unauthenticated attacker can export and download all form data and settings, including the administrator's email address. The vulnerable functionality involves the regeneration of a `.json` file based on demo data using a URL parameter. **Recommendations** Update the Guest posting / Frontend Posting / Front Editor WordPress plugin to version 5.0.6 or later.

Name of the Vulnerable Software and Affected Versions: Disable-right-click-powered-by-pixterme versions through 1.2 pixter-image-digital-license versions through 1.0 Description: The Disable-Right-Click and Pixter Image Digital License WordPress plugins load a compromised JavaScript file from an abandoned S3 bucket. This allows unauthorized access and potential control of the plugin by the entity controlling the compromised bucket. Currently, the compromised file displays an alert marketing security services, with users who pay being added to allowedDomains to suppress the popup. Recommendations: Disable-right-click-powered-by-pixterme versions prior to 1.2 should be updated. pixter-image-digital-license versions prior to 1.0 should be updated.

**Name of the Vulnerable Software and Affected Versions** Order Delivery Date WordPress plugin versions prior to 12.3.1 **Description** The issue concerns a lack of authorization and CSRF checks when importing settings in the Order Delivery Date WordPress plugin. This allows attackers to modify sensitive options, such as `default user role` to administrator and `users can register`, enabling them to register as an administrator of the site and gain complete control. **Recommendations** For versions prior to 12.3.1, update to version 12.3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the settings import functionality until a patch is applied. Additionally, monitor user registrations and role assignments closely to detect any potential malicious activity.