Muhamad Agil Fachrian

**Name of the Vulnerable Software and Affected Versions** DeBounce Email Validator versions n/a through 5.6.5 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Reflected XSS. This means that an attacker can inject malicious scripts into the website, potentially stealing user data or taking control of user sessions. **Recommendations** For DeBounce Email Validator versions n/a through 5.6.5, update to a version later than 5.6.5 to resolve the issue. At the moment, there is no information about additional mitigation measures for this specific issue.

**Name of the Vulnerable Software and Affected Versions** Child Themes Helper versions n/a through 2.2.7 **Description** The issue is a Cross-Site Request Forgery (CSRF) vulnerability that allows Path Traversal. This means an attacker could potentially trick a user into performing unintended actions on a web application, and also traverse the file system to access sensitive information. **Recommendations** For versions n/a through 2.2.7, update to a version that fixes the CSRF vulnerability to prevent Path Traversal attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ThriveDesk versions prior to 2.0.7 **Description** The issue is related to improper neutralization of input during web page generation, which allows reflected Cross-site Scripting (XSS). This means an attacker can inject malicious scripts into the website, potentially stealing user data or taking control of user sessions. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** For versions prior to 2.0.7, update to version 2.0.7 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive data and implementing additional security measures, such as input validation and output encoding, to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OneTeamSoftware Radio Buttons and Swatches for WooCommerce versions 1.1.20 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Reflected XSS. This means an attacker can inject malicious scripts into a website, potentially stealing user data or taking control of user sessions. **Recommendations** For versions 1.1.20 and earlier, update to a version later than 1.1.20 to resolve the issue. As a temporary workaround, consider restricting access to the Radio Buttons and Swatches for WooCommerce plugin until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Hide Login+ versions 3.5.1 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, allowing Reflected XSS. **Recommendations** For Hide Login+ versions 3.5.1 and earlier, update to a version later than 3.5.1 to resolve the issue. As a temporary workaround, consider restricting access to sensitive areas of the web application to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SKT Donation versions 1.9 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, allowing Reflected XSS. This enables potential attackers to inject malicious scripts into web pages. **Recommendations** For SKT Donation versions 1.9 and earlier, update to a version that fixes this issue, as the current version is affected by the Improper Neutralization of Input During Web Page Generation vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ThimPress LearnPress versions prior to 4.2.7.1 **Description** The issue is related to a URL redirection to an untrusted site, also known as an "Open Redirect". This problem allows redirection to potentially malicious sites. **Recommendations** For versions prior to 4.2.7.1, update to version 4.2.7.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Clodeo Shipdeo versions 1.2.8 and earlier **Description** The issue is related to improper neutralization of input during web page generation, which allows Reflected XSS. This means an attacker can inject malicious scripts into a website, potentially stealing user data or taking control of user sessions. **Recommendations** For Clodeo Shipdeo versions 1.2.8 and earlier, update to a version that fixes the improper neutralization of input during web page generation issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** KB Support versions 1.6.7 and earlier **Description** The issue is related to a URL redirection to an untrusted site, also known as an "Open Redirect" problem. This allows an attacker to redirect users to a malicious website. **Recommendations** For versions 1.6.7 and earlier, update to a version later than 1.6.7 to resolve the issue. As a temporary workaround, consider restricting access to the URL redirection feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ArtkanMedia Book a Place versions 0.7.1 and earlier **Description** The issue is a Cross-Site Request Forgery (CSRF) vulnerability that allows Stored XSS. This means an attacker can trick a user into performing unintended actions on the web application, and also store malicious scripts that can be executed by other users. **Recommendations** For versions 0.7.1 and earlier, update to a version that fixes the CSRF vulnerability to prevent Stored XSS attacks. As a temporary workaround, consider implementing additional validation for requests to prevent unauthorized actions. Restrict access to sensitive functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Event Countdown Timer Plugin by TechMix versions n/a through 1.4 **Description** The issue is related to improper neutralization of input during web page generation, also known as 'Cross-site Scripting', which allows reflected XSS. This problem affects the Event Countdown Timer Plugin by TechMix. **Recommendations** For versions n/a through 1.4, update to a version later than 1.4 to resolve the issue. As a temporary workaround, consider restricting user input to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Myriad Solutionz Stars SMTP Mailer versions 1.7 and earlier **Description** The issue is related to improper neutralization of input during web page generation, which allows Reflected XSS. This means that an attacker can inject malicious scripts into the website, potentially leading to unauthorized actions. **Recommendations** For Myriad Solutionz Stars SMTP Mailer versions 1.7 and earlier, consider disabling the web page generation feature until a patch is available. Restrict access to the affected module to minimize the risk of exploitation. Avoid using user-inputted data in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Poco Blogger Image Import versions 2.1 through n/a **Description** The issue is related to improper neutralization of input during web page generation, also known as 'Cross-site Scripting', which allows stored XSS. This enables potential attackers to inject malicious scripts into the application. **Recommendations** For versions 2.1 through n/a, update to a version that fixes the improper neutralization of input during web page generation to prevent stored XSS attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Faizaan Gagan Course Migration for LearnDash versions 1.0.2 through n/a **Description** The issue is related to a Server-Side Request Forgery (SSRF) vulnerability, which allows for Server Side Request Forgery. This means an attacker can potentially trick the server into making requests to unintended locations, potentially leading to unauthorized access or data leakage. No information is provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** For versions 1.0.2 through n/a, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Johan Ström Background Control versions 1.0.5 and earlier **Description** The issue is a Cross-Site Request Forgery (CSRF) vulnerability that allows Path Traversal in Johan Ström Background Control. **Recommendations** For versions 1.0.5 and earlier, update to a version later than 1.0.5 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WPExperts User Management versions 1.2 and earlier **Description** The issue is related to an incorrect privilege assignment, allowing privilege escalation. This problem affects WPExperts User Management, enabling potential attackers to gain higher privileges than intended. **Recommendations** For versions 1.2 and earlier, update to a version that includes the fix for this issue, as the current version allows privilege escalation due to incorrect privilege assignment. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ThemeGlow JobBoard Job listing versions 1.2.6 and earlier **Description** The issue allows for the unrestricted upload of files with dangerous types, enabling the upload of a web shell to a web server. This can be exploited by uploading a malicious web shell. **Recommendations** For versions 1.2.6 and earlier, update to a version that fixes this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Preloader by WordPress Monsters versions 1.2.3 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, allowing Reflected XSS. This enables potential attackers to inject malicious scripts into web pages. **Recommendations** For versions 1.2.3 and earlier, update to a version that includes a fix for this issue, as no specific workaround is provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Foliovision FV Descriptions versions n/a through 1.4 **Description** The issue affects Foliovision FV Descriptions, allowing Reflected XSS due to improper neutralization of input during web page generation. This is a type of Cross-site Scripting vulnerability. **Recommendations** For versions n/a through 1.4, consider disabling any functionality that generates web pages based on user input until a patch is available. Restrict access to any modules or functions that may be vulnerable to Cross-site Scripting attacks to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ACF City Selector versions 1.14.0 and earlier **Description** The issue allows for the unrestricted upload of files with dangerous types, enabling the upload of a web shell to a web server. This can be exploited by uploading malicious files. **Recommendations** For versions 1.14.0 and earlier, update to a version that fixes this issue, as the current version allows for the upload of dangerous file types. As a temporary workaround, consider restricting file uploads to only allow safe file types until a patch is available.