Mohammed Ansari S

**Name of the Vulnerable Software and Affected Versions** mndpsingh287 File Manager plugin version 3.0 for WordPress **Description** The issue is related to a CSRF vulnerability. It affects the `public path` parameter in the `page=wp file manager root` endpoint. **Recommendations** For version 3.0 of the mndpsingh287 File Manager plugin, consider disabling the `page=wp file manager root` endpoint or restricting access to the `public path` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** WP Fastest Cache plugin version 0.8.8.5 **Description** The issue concerns a problem where an attacker can exploit the `rules[0][content]` parameter in a `wpfc save exclude pages` action to perform a cross-site scripting (XSS) attack. **Recommendations** For WP Fastest Cache plugin version 0.8.8.5, avoid using the `rules[0][content]` parameter in the `wpfc save exclude pages` action until the issue is resolved. As a temporary workaround, consider restricting access to the `wpfc save exclude pages` action to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Tribulant Slideshow Gallery plugin version 1.6.8 **Description** A security issue exists in the Tribulant Slideshow Gallery plugin for WordPress, allowing for XSS attacks. This is possible through the "wp-admin/admin.php?page=slideshow-slides&method=save" endpoint, specifically via the `Slide[title]`, `Slide[media file]`, or `Slide[image url]` parameters. **Recommendations** For Tribulant Slideshow Gallery plugin version 1.6.8, consider updating to a newer version that addresses this issue, as using outdated versions poses a significant risk. As a temporary workaround, restrict access to the "wp-admin/admin.php?page=slideshow-slides&method=save" endpoint and avoid using the `Slide[title]`, `Slide[media file]`, or `Slide[image url]` parameters until a patch is available.

**Name of the Vulnerable Software and Affected Versions** WP All Import plugin version 3.4.9 **Description** The issue concerns multiple XSS vulnerabilities. These can be accessed via the "action=template" endpoint. It's worth noting that the vendor disputes this being a vulnerability, citing that WP All Import can only be used by a logged-in administrator, and the described action can only be exploited by someone with administrative login credentials. **Recommendations** For WP All Import plugin version 3.4.9, consider restricting access to the `action=template` endpoint to minimize the risk of exploitation. As a temporary workaround, review and limit administrative access to the plugin until a resolution or further guidance is provided. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** WP All Import plugin version 3.4.9 **Description** The issue concerns an XSS vulnerability in the WP All Import plugin for WordPress, specifically via the `action=options`. It's noted that the vendor does not consider this a vulnerability, as the plugin can only be used by a logged-in administrator, and the described action can only be exploited by a logged-in administrator. **Recommendations** For WP All Import plugin version 3.4.9, consider restricting access to the `action=options` to minimize the risk of exploitation, as the vendor states that only a logged-in administrator can take advantage of this action. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP All Import plugin version 3.4.9 **Description** There is an issue with the WP All Import plugin for WordPress, specifically via the `large feed limit` in `pmxi-admin-settings`, which may allow for an XSS attack. However, the vendor notes that this is not considered a vulnerability since the plugin can only be used by a logged-in administrator, and any potential action can only be taken advantage of by a logged-in administrator. **Recommendations** For WP All Import plugin version 3.4.9, consider restricting access to the `pmxi-admin-settings` and limiting the use of the `large feed limit` setting to minimize potential risks until a resolution or further guidance is provided by the vendor. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** WP All Import plugin version 3.4.9 **Description** The issue concerns an XSS vulnerability via the `pmxi-admin-import` `custom type`. It is noted that the vendor disputes this being a vulnerability, citing that WP All Import can only be used by a logged-in administrator, and the described action can only be exploited by a logged-in administrator. **Recommendations** For WP All Import plugin version 3.4.9, consider restricting access to the `pmxi-admin-import` custom type to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WP All Import plugin version 3.4.9 **Description** The issue concerns an XSS vulnerability via the `action=evaluate` endpoint. It is noted that the vendor does not consider this a vulnerability, as the plugin can only be used by a logged-in administrator, and the described action can only be exploited by a logged-in administrator. **Recommendations** For WP All Import plugin version 3.4.9, consider restricting access to the `action=evaluate` endpoint to minimize the risk of exploitation, as the vendor does not acknowledge this as a vulnerability and no patch is mentioned. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP All Import plugin version 3.4.9 **Description** The issue concerns an XSS vulnerability in the WP All Import plugin for WordPress. It can be exploited via the Add Filtering Options (Add Rule) feature. The vendor has stated that this is not considered a vulnerability because the plugin can only be used by a logged-in administrator, and the described action can only be taken advantage of by a logged-in administrator. **Recommendations** For WP All Import plugin version 3.4.9, consider restricting access to the Add Filtering Options (Add Rule) feature to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.