Momopon1415

**Name of the Vulnerable Software and Affected Versions** Location Weather versions prior to 3.0.3 **Description** The Location Weather plugin for WordPress allows unauthorized modification of data because the `splw update block options()` and `lwp clean weather transients()` functions lack capability checks. Authenticated attackers with Contributor-level access or higher can exploit this to disable all weather blocks and purge all weather cache transients. The required nonce is exposed to all authenticated users through `wp localize script()` on the `init` hook. **Recommendations** Update to a version later than 3.0.2. As a temporary workaround, restrict access to the `splw update block options()` and `lwp clean weather transients()` functions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Classified Listing – AI-Powered Classified ads & Business Directory Plugin versions prior to 5.3.11 **Description** The plugin fails to properly verify user authorization for certain actions. This allows authenticated attackers with subscriber-level access or higher to add arbitrary notes to any order and trigger unsolicited notification and moderation emails to listing owners without administrative authorization. This is achieved through the AJAX actions `add order note` and `send email to user by moderator`. **Recommendations** Update to a version later than 5.3.10.

**Name of the Vulnerable Software and Affected Versions** RTMKit Addons for Elementor versions prior to 2.0.3 **Description** The plugin is susceptible to Local File Inclusion (LFI), a condition where an application includes files on a server without proper validation. Authenticated attackers with Author-level access or higher can exploit the 'get content' AJAX action through the `path` parameter to include and execute arbitrary PHP files. This may lead to the bypass of access controls, unauthorized access to sensitive data, or remote code execution if PHP files can be uploaded to the server. **Recommendations** Update to a version later than 2.0.2. As a temporary workaround, restrict access to the 'get content' AJAX action or the `path` parameter for users with Author-level permissions.

**Name of the Vulnerable Software and Affected Versions** RTMKit Addons for Elementor versions prior to 2.0.3 **Description** The RTMKit Addons for Elementor plugin for WordPress allows unauthorized modification of data because of missing capability checks in the `save widget()` and `reset all widgets()` functions. Authenticated attackers with Author-level access or higher can exploit this to modify or reset site-wide widget configurations. **Recommendations** Update to a version later than 2.0.2. As a temporary workaround, restrict access to the `save widget()` and `reset all widgets()` functions for users with Author-level permissions.

**Name of the Vulnerable Software and Affected Versions** Brizy – Page Builder versions prior to 2.8.12 **Description** Unauthenticated Stored Cross-Site Scripting occurs due to missing nonce verification for unauthenticated form submissions, insufficient handling of FileUpload fields when no file is uploaded, and the reversal of security encoding via `html entity decode()` followed by unescaped output in the admin view. Specifically, the `submit form()` function skips nonce verification for non-logged-in users, and the `handleFileTypeFields()` function fails to overwrite user-supplied values when no file is attached. While `htmlentities()` is used during storage, `html entity decode()` reverses this on display, and the `form-data.php` template outputs FileUpload values directly in href attributes without `esc url()`. This allows unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form Leads page. **Recommendations** Update to a version later than 2.8.11.

**Name of the Vulnerable Software and Affected Versions** Booking Package versions prior to 1.7.07 **Description** Price Manipulation occurs because the `intentForStripe()` function passes the user-controlled `$ POST['amount']` variable directly to the Stripe PaymentIntent API without validation. Additionally, the `commitStripe()` function ignores the server-calculated amount during payment confirmation. Although the `getAmount()` function correctly calculates costs based on services, guests, taxes, and coupons, this value is not validated against the PaymentIntent because the necessary code in CreditCard.php is commented out. This allows unauthenticated attackers to book services at arbitrary prices by manipulating the `amount` parameter during PaymentIntent creation. **Recommendations** Update the plugin to a version later than 1.7.06.

**Name of the Vulnerable Software and Affected Versions** Tutor LMS versions prior to 3.9.9 **Description** The Tutor LMS plugin for WordPress allows unauthorized course content manipulation. This occurs because the `tutor update course content order()` function fails to verify if a user has the necessary permissions to manage course content, validating only the nonce for CSRF protection. The `can user manage()` authorization check is only triggered if the `content parent` parameter is included in the request. If the `content parent` parameter is omitted, the system calls `save course content order()`, which modifies the wp posts table without authorization. Consequently, authenticated attackers with subscriber-level access or higher can detach lessons from topics, move lessons between topics, and change the `menu order` of course content, disrupting the course structure. **Recommendations** Update the plugin to a version newer than 3.9.8. As a temporary workaround, restrict access to the `tutor update course content order()` function for users with low-level privileges.

Name of the Vulnerable Software and Affected Versions LifterLMS plugin for WordPress versions up to and including 9.2.1 Description The LifterLMS plugin for WordPress is susceptible to SQL Injection via the `order` parameter. Insufficient escaping of user-supplied input and inadequate SQL query preparation allow authenticated attackers with Instructor-level access or higher, possessing the `edit post` capability on the quiz, to append SQL queries and extract sensitive database information. Recommendations Update to a version later than 9.2.1.

**Name of the Vulnerable Software and Affected Versions** Simply Schedule Appointments Booking Plugin for WordPress versions prior to 1.6.10.0 **Description** The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress is susceptible to SQL Injection due to inadequate input sanitization and query preparation. Specifically, the `fields` parameter is not properly escaped, allowing attackers to inject additional SQL queries into existing database queries. This could allow unauthenticated attackers to extract sensitive information from the database, including usernames, email addresses, and password hashes. **Recommendations** Update Simply Schedule Appointments Booking Plugin to version 1.6.10.0 or later.