Muhammad Daffa

Name of the Vulnerable Software and Affected Versions OpenSSL versions 3.0 through 3.6 Description Processing a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo can lead to a NULL pointer dereference. This can cause applications that process attacker-controlled CMS data to crash before authentication or cryptographic operations, resulting in a Denial of Service. The issue occurs when the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence, leading to a NULL pointer dereference if the field is missing. Applications and services calling CMS decrypt() on untrusted input, such as S/MIME processing or CMS-based protocols, are affected. Recommendations Update to a version after 3.6. As a temporary workaround, avoid processing untrusted CMS EnvelopedData messages with KeyAgreeRecipientInfo.

Name of the Vulnerable Software and Affected Versions OpenSSL versions 3.0 through 3.6 Description Processing a specially crafted CMS EnvelopedData message with KeyTransportRecipientInfo can lead to a NULL pointer dereference. This can cause applications that process attacker-controlled CMS data to crash before authentication or cryptographic operations, resulting in a Denial of Service. The issue occurs when examining the optional parameters field of RSA-OAEP SourceFunc algorithm identifier without verifying its presence, leading to a NULL pointer dereference if the field is missing. Applications and services using CMS decrypt() on untrusted input, such as S/MIME processing or CMS-based protocols, are affected. Recommendations Update to a version after 3.6. Update to a version after 3.5. Update to a version after 3.4. Update to a version after 3.3. Update to a version after 3.0.

**Name of the Vulnerable Software and Affected Versions** Print Invoice & Delivery Notes for WooCommerce versions n/a through 4.7.2 **Description** The issue is related to a Missing Authorization vulnerability, allowing exploitation of incorrectly configured access control security levels. This can lead to a CSRF vulnerability, enabling unauthorized settings reset. **Recommendations** Update to the latest version of the plugin to secure your site.

Name of the Vulnerable Software and Affected Versions: Pinpoint Booking System versions through 2.9.9.5.2 Description: The issue is related to a Missing Authorization vulnerability in the Pinpoint Booking System, allowing exploitation of incorrectly configured access control security levels. Recommendations: For versions through 2.9.9.5.2, update to a version that addresses the Missing Authorization vulnerability to prevent exploitation of access control security levels. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** VillaTheme CURCY versions 2.1.25 and earlier **Description** The issue is related to a Missing Authorization vulnerability, allowing exploitation of incorrectly configured access control security levels. This enables unauthenticated settings changes, potentially leading to exploitation. The vulnerability affects the Woo Multi Currency plugin for WordPress. **Recommendations** Update to the latest version to secure your site, as the latest version contains a fix for this issue. As a temporary workaround, consider restricting access to the vulnerable plugin until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Clever Widgets Enhanced Text Widget versions 1.5.8 and earlier **Description** The issue is related to a Missing Authorization vulnerability in the Enhanced Text Widget, which allows exploiting incorrectly configured access control security levels. **Recommendations** For versions 1.5.8 and earlier, update to a version that fixes the Missing Authorization issue. As a temporary workaround, consider restricting access to the Enhanced Text Widget to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GetPaid versions 2.8.11 and earlier **Description** The issue is related to a Missing Authorization vulnerability, which allows exploiting incorrectly configured access control security levels. **Recommendations** For versions 2.8.11 and earlier, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** UkrSolution Print Barcode Labels for your WooCommerce versions 3.4.9 and earlier **Description** The issue is related to a Missing Authorization vulnerability, allowing exploitation of incorrectly configured access control security levels. This can lead to unauthorized access and potentially other security issues. The estimated number of potentially affected devices worldwide is not specified. There is no information provided about real-world incidents where this issue was exploited. **Recommendations** For versions 3.4.9 and earlier, update to a version later than 3.4.9 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WPMobile.App versions n/a through 11.48 **Description** The issue is a Cross-Site Request Forgery (CSRF) vulnerability that allows Stored XSS. This means an attacker can trick a user into performing unintended actions on a web application, and also store malicious scripts that can be executed by other users. **Recommendations** For versions n/a through 11.48, update to a version that fixes the CSRF vulnerability to prevent Stored XSS attacks. As a temporary workaround, consider implementing additional validation for requests to prevent unauthorized actions. Restrict access to sensitive functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Podlove Podcast Publisher versions prior to 4.1.14 **Description** The issue is a Cross-Site Request Forgery (CSRF) vulnerability that allows Code Injection. This means an attacker can trick a user into performing unintended actions on a web application, potentially leading to the execution of malicious code. **Recommendations** For versions prior to 4.1.14, update to version 4.1.14 or later to resolve the issue. As a temporary workaround, consider implementing additional CSRF protection measures, such as token-based validation, to minimize the risk of exploitation. Restrict access to sensitive areas of the application to minimize potential damage from code injection.

**Name of the Vulnerable Software and Affected Versions** Edwiser Bridge versions 3.0.7 and earlier **Description** The issue is a Server-Side Request Forgery (SSRF) vulnerability. This means that an attacker could potentially force the server to make unintended requests, leading to various security issues. **Recommendations** For Edwiser Bridge versions 3.0.7 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** EasyJobs versions prior to 2.4.14 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). This allows for Reflected XSS. **Recommendations** For versions prior to 2.4.14, update to version 2.4.14 or later to resolve the issue. As a temporary workaround, consider restricting user input to minimize the risk of exploitation. Avoid using potentially vulnerable API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Portfoliohub WordPress Portfolio Builder – Portfolio Gallery versions 1.1.7 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). This allows for Stored XSS, where an attacker can inject malicious scripts into a website, potentially affecting users who visit the compromised page. The vulnerability is present in the Portfoliohub WordPress Portfolio Builder – Portfolio Gallery plugin. **Recommendations** For versions 1.1.7 and earlier, update to a version later than 1.1.7 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality until a patch is available. Avoid using the plugin's features that allow user input until the issue is resolved. At the moment, there is no information about additional mitigation measures.

**Name of the Vulnerable Software and Affected Versions** Pinpoint Booking System versions through 2.9.9.5.1 **Description** The issue is a Cross-Site Request Forgery (CSRF) vulnerability that also allows Stored XSS in the Pinpoint Booking System. **Recommendations** For versions through 2.9.9.5.1, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Edwiser Bridge versions 3.0.7 and earlier **Description** The issue is related to an Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS) or Stored XSS. This allows Stored XSS attacks, which can be executed by an attacker. **Recommendations** For Edwiser Bridge versions 3.0.7 and earlier, update to a version later than 3.0.7 to resolve the issue. As a temporary workaround, consider restricting user input to prevent malicious code execution until a patch is available. Avoid using potentially vulnerable features in Edwiser Bridge until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Podlove Podcast Publisher versions through 4.1.13 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). This allows for Stored XSS attacks. **Recommendations** For versions through 4.1.13, update to a version later than 4.1.13 to resolve the issue. As a temporary workaround, consider restricting user input to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Like Button Rating versions through 2.6.54 **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability that also allows Cross-Site Scripting (XSS). **Recommendations** For versions through 2.6.54, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP Socio WP Telegram Widget and Join Link versions 2.1.27 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). This allows for Stored XSS. **Recommendations** For versions 2.1.27 and earlier, update to version 2.1.28 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable plugin until the update is applied.

Name of the Vulnerable Software and Affected Versions: Event Management Tickets Booking versions 1.4.0 and earlier Description: The issue is related to the exposure of sensitive information to unauthorized actors. This is a problem where sensitive data is made available to individuals who should not have access to it. Recommendations: For versions 1.4.0 and earlier, update to a version that contains a fix for this issue, as the current version exposes sensitive information to unauthorized actors. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** A WP Life Contact Form Widget versions 1.3.9 and earlier **Description** The issue is related to the exposure of sensitive information to an unauthorized actor. This could potentially lead to the leak of sensitive information. **Recommendations** For versions 1.3.9 and earlier, update to a version later than 1.3.9 to resolve the issue. At the moment, there is no information about additional mitigation measures.