Mohamed Awad

**Name of the Vulnerable Software and Affected Versions** NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress versions up to 8.7.13 **Description** The issue arises from insufficient escaping on the user-supplied `search params` parameter and a lack of sufficient preparation on the existing SQL query. This allows unauthenticated attackers to append additional SQL queries to existing ones, potentially extracting sensitive information from the database. The vulnerability can be exploited via CSRF due to a lack of nonce validation on the `get table records` AJAX action. **Recommendations** For versions up to 8.7.13, update to a version later than 8.7.13 to resolve the issue. As a temporary workaround, consider disabling the `get table records` AJAX action until a patch is available. Restrict access to the `search params` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WordPress Menu Plugin — Superfly Responsive Menu plugin for WordPress versions up to and including 5.0.29 **Description** The issue is related to Cross-Site Request Forgery (CSRF) due to missing or incorrect nonce validation on the `ajax handle delete icons()` function. This allows unauthenticated attackers to delete arbitrary files by tricking a site administrator into performing an action, such as clicking on a link. **Recommendations** For versions up to and including 5.0.29, update to version 5.0.30 or later to resolve the issue. As a temporary workaround, consider restricting access to the `ajax handle delete icons()` function until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** UberMenu plugin for WordPress versions up to, and including, 3.8.3 **Description** The issue is due to missing or incorrect nonce validation on the `ubermenu delete all item settings` and `ubermenu reset settings` functions. This allows unauthenticated attackers to delete and reset the plugin's settings via a forged request if they can trick a site administrator into performing an action such as clicking on a link. **Recommendations** For UberMenu plugin for WordPress versions up to, and including, 3.8.3, update to a version later than 3.8.3 to resolve the issue. As a temporary workaround, consider disabling the `ubermenu delete all item settings` and `ubermenu reset settings` functions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GP Premium plugin for WordPress versions up to, and including, 2.4.0 **Description** The issue is related to Reflected Cross-Site Scripting via the `message` parameter due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. **Recommendations** For GP Premium plugin for WordPress versions up to, and including, 2.4.0, update to a version later than 2.4.0 to resolve the issue. As a temporary workaround, consider restricting the use of the `message` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Unlimited Elements For Elementor plugin for WordPress versions up to, and including, 1.5.107 **Description** The issue allows authenticated attackers with contributor-level access and above to perform SQL Injection via the `data[post ids][0]` parameter due to insufficient escaping on user-supplied parameters and lack of sufficient preparation on existing SQL queries. This enables attackers to append additional SQL queries into already existing queries, potentially extracting sensitive information from the database. **Recommendations** For versions up to, and including, 1.5.107, consider restricting access to the `data[post ids][0]` parameter until a patch is available. As a temporary workaround, limiting contributor-level access and above may help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Penci Soledad Data Migrator plugin for WordPress versions up to, and including, 1.3.0 **Description** The Penci Soledad Data Migrator plugin for WordPress is vulnerable to Local File Inclusion via the `data` parameter. This allows unauthenticated attackers to include and execute arbitrary PHP files on the server, enabling them to bypass access controls, obtain sensitive data, or achieve code execution. This vulnerability is limited to PHP files and can be exploited in cases where images and other “safe” file types can be uploaded and included. **Recommendations** For Penci Soledad Data Migrator plugin for WordPress versions up to, and including, 1.3.0: Update to a version higher than 1.3.0 to resolve the issue. As a temporary workaround, consider restricting access to the `data` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ConvertPlug plugin for WordPress versions up to, and including, 3.5.25 **Description** The issue is related to a missing capability check on the `cp dismiss notice()` function, allowing authenticated attackers with subscriber-level access and above to update arbitrary option values to true. This enables them to modify data without proper authorization. **Recommendations** For ConvertPlug plugin for WordPress versions up to, and including, 3.5.25: Update to a version higher than 3.5.25 to resolve the issue. As a temporary workaround, consider restricting access to the `cp dismiss notice()` function to prevent unauthorized data modification.

**Name of the Vulnerable Software and Affected Versions** Tutor LMS versions up to, and including, 2.6.2 **Description** The issue is related to a missing capability check on the `hide notices` function, which allows unauthorized modification of data. This makes it possible for unauthenticated attackers to enable user registration on sites that may have it disabled. The vulnerability can be exploited by a remote attacker to gain read and modify access to data. **Recommendations** For versions up to, and including, 2.6.2, update to a version higher than 2.6.2 to resolve the issue. As a temporary workaround, consider disabling the `hide notices` function until a patch is available.