Moresec

Rank #20870 of 53,622 · Total CVSS 12 · Vulnerabilities: 2 (High 1, Medium 1)
PT-2022-15625 · CVSS 7.2 · 2022-07-04
WordPress · Import Any Xml/Csv File To Wordpress · CVE-2022-2268

**Name of the Vulnerable Software and Affected Versions**
Import any XML or CSV File to WordPress plugin versions prior to 3.6.8

**Description**
The plugin accepts any zip file and automatically extracts it without validating the types of the extracted files. This allows high privilege users, such as admins, to upload arbitrary files, including PHP files, leading to remote code execution (RCE).

**Recommendations**
For versions prior to 3.6.8, update to version 3.6.8 or later to resolve the issue. As a temporary workaround, consider restricting the upload of zip files or disabling the automatic extraction feature until the patch is applied. Restrict access to the plugin's upload functionality to minimize the risk of exploitation.
PT-2022-14192 · CVSS 4.8 · 2022-06-20
WordPress · Wp Zillow Review Slider · CVE-2022-1915

**Name of the Vulnerable Software and Affected Versions**
WP Zillow Review Slider WordPress plugin versions prior to 2.4

**Description**
The plugin does not escape certain settings, which allows high privilege users to perform Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed, such as in multisite environments.

**Recommendations**
For WP Zillow Review Slider WordPress plugin versions prior to 2.4, update to version 2.4 or later to resolve the issue.