Muhamad Visat

**Name of the Vulnerable Software and Affected Versions** The SEO Plugin by Squirrly SEO plugin for WordPress versions up to, and including, 12.4.05 **Description** The issue is related to blind SQL Injection via the `search` parameter due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This allows authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries, which can be used to extract sensitive information from the database. **Recommendations** For versions up to, and including, 12.4.05, consider restricting access to the `search` parameter to minimize the risk of exploitation until a patch is available. As a temporary workaround, limit Subscriber-level access and above to reduce the potential attack surface.

**Name of the Vulnerable Software and Affected Versions** Atlassian Jira Server for Slack plugin versions 0.0.3 through 2.0.14 **Description** The issue allows remote attackers to execute arbitrary code via a template injection vulnerability in an endpoint. **Recommendations** For Atlassian Jira Server for Slack plugin versions 0.0.3 through 2.0.14, update to version 2.0.15 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Login by Auth0 plugin for WordPress versions prior to 4.0.0 **Description** The issue arises from the plugin's failure to sanitize and validate data from various sources before exporting user data. This oversight can lead to CSV injection attacks if a maliciously crafted Excel document is uploaded. **Recommendations** For versions prior to 4.0.0, update to version 4.0.0 or later to resolve the issue. As a temporary workaround, consider restricting the upload of Excel documents or implementing additional validation and sanitization of user data before export.

**Name of the Vulnerable Software and Affected Versions** Auth0 Lock versions prior to 11.21.0 **Description** The issue arises when `additionalSignUpFields` is used with an untrusted `placeholder` in Auth0 Lock, allowing cross-site scripting (XSS) on signup pages. This occurs when the `placeholder` property is obtained from an untrusted source, such as a query parameter, and is used to add a checkbox to the sign-up dialog. The vulnerability is present in versions of Auth0 Lock where the generated HTML code is not properly sanitized. **Recommendations** For Auth0 Lock versions prior to 11.21.0, upgrade to version 11.21.0 or later to fix the issue. In version 11.21.0, the `placeholder` property is treated as plain text, and a new `placeholderHTML` property is introduced for use with trusted sources. Developers using the `placeholder` property with HTML content from a trusted source should start using the `placeholderHTML` property to maintain the user experience.