Muhammad Nur Ibnu Hubab

**Name of the Vulnerable Software and Affected Versions** Remove meta boxes per user role versions prior to 1.02 **Description** The plugin is subject to Cross-Site Request Forgery, a flaw where an attacker tricks a victim into executing an unwanted action. This occurs due to missing or incorrect nonce validation on the 'remove-meta-boxes-per-user-role' page. Unauthenticated attackers can modify or reset the per-role meta box visibility settings by inducing a site administrator to click a malicious link. **Recommendations** Update to a version later than 1.01.

The WP AutoBuzz plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This vulnerability bypasses WordPress's DISALLOW UNFILTERED HTML protection because the unsanitized value is written directly via update option at the plugin level, entirely outside of WordPress post content handling.

The Genzel breadcrumbs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the options page function. This makes it possible for unauthenticated attackers to update the plugin's breadcrumb configuration, including templates, delimiter, home label, home URI, and breadcrumb rules via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

**Name of the Vulnerable Software and Affected Versions** WP Promoter versions prior to 1.4 **Description** The WP Promoter plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF), a flaw where an attacker tricks a victim into performing actions they did not intend to. This occurs due to missing or incorrect nonce validation—a security token used to ensure requests are legitimate—on a function. Unauthenticated attackers can exploit this to update settings and inject malicious web scripts via the `popup width` parameter by inducing a site administrator to click a forged link. **Recommendations** Update the plugin to a version later than 1.3.

The WP Promoter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset stats() function in versions up to, and including, 1.3. The function is hooked to both the wp ajax wpp-reset stats and wp ajax nopriv wpp-reset stats actions and contains no authentication, authorization, or nonce validation. This makes it possible for unauthenticated attackers to reset the plugin's bar and popup statistics by deleting the wpp bar and wpp popup options.

**Name of the Vulnerable Software and Affected Versions** Alfie – Feed Plugin for WordPress versions prior to 1.2.2 **Description** Cross-Site Request Forgery occurs due to missing nonce validation in the `alfie manage()` function, which handles feed deletion through the 'delete' GET parameter. This allows unauthenticated attackers to delete arbitrary plugin feed data from the `alfie colindex`, `alfie producten`, `alfie reactions`, and `alfie searchproduct` tables by tricking a site administrator into clicking a forged link. Nonce validation is a security mechanism used to ensure that a request was intentionally sent by the user and not forged by a third party. **Recommendations** Update to a version newer than 1.2.1. As a temporary workaround, restrict access to the `alfie manage()` function until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Amazon Scraper versions prior to 1.2 **Description** The Amazon Scraper plugin for WordPress contains a Cross-Site Request Forgery (CSRF) flaw. This occurs because of missing or incorrect nonce validation—a security token used to ensure requests are intentional—on a function. This allows unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action, such as clicking a link. **Recommendations** Update the plugin to a version later than 1.1.

**Name of the Vulnerable Software and Affected Versions** General Options versions prior to 1.1.1 **Description** The General Options plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs because the `sanitize text field()` function is used for output escaping in the Contact Number `ad contact number` field. While this function removes HTML tags, it fails to encode double-quote characters. When a stored value is placed within a double-quoted HTML attribute, an attacker can use a double-quote character to break out of the attribute context. The `wp magic quotes` mechanism does not prevent this, as HTML parsers treat the resulting backslash as a literal character, allowing the double-quote to close the attribute. Consequently, authenticated attackers with Administrator-level access or higher can inject arbitrary web scripts into the admin settings page, which execute when any administrator visits the General Options settings page. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bigfishgames Syndicate versions prior to 1.3 **Description** The Bigfishgames Syndicate plugin for WordPress contains a Cross-Site Request Forgery (CSRF) flaw. This occurs because the `bigfishgames syndicate submenu()` function lacks proper nonce validation. A nonce is a unique token used to verify that a request was intentionally sent by the user. This allows unauthenticated attackers to reset and update plugin settings by tricking a site administrator into clicking a malicious link. **Recommendations** Update the plugin to a version later than 1.2. As a temporary workaround, restrict access to the `bigfishgames syndicate submenu()` function to minimize the risk of exploitation.

The Sentence To SEO (keywords, description and tags) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the create admin page() function. This makes it possible for unauthenticated attackers to inject malicious web scripts and update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

**Name of the Vulnerable Software and Affected Versions** Anomify AI – Anomaly Detection and Alerting versions prior to 0.3.7 **Description** The plugin is subject to Cross-Site Request Forgery (CSRF) which can lead to Stored Cross-Site Scripting (XSS). The issue stems from missing nonce verification on the settings page handler and insufficient output escaping in the `admin options.php` template. Specifically, the settings form lacks `wp nonce field()` and the handler does not perform a `check admin referer()` check, allowing cross-origin POST requests to modify plugin settings. The API key field is processed using `sanitize text field()`, which removes HTML tags but fails to encode double-quote characters. This value is then rendered into an HTML attribute using a bare echo without `esc attr()`, enabling a double-quote attribute-escape payload to be stored. Consequently, unauthenticated attackers can inject arbitrary web scripts by tricking a logged-in administrator into visiting a malicious page that submits a forged request, causing the script to execute in the administrator's browser when the settings page is accessed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bottom Bar versions prior to 0.1.8 **Description** The Bottom Bar plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF), a flaw where an attacker tricks a victim into performing actions they did not intend to do. The issue exists in the settings update forms handled in 'bottom-bar-admin.php' because they lack nonce verification. Specifically, the main settings, sharing services, and restore defaults forms do not include `wp nonce field()`, and the server-side code fails to call `check admin referer()` or equivalent validation before processing POST data via `update option()`. This allows unauthenticated attackers to deceive a logged-in administrator into submitting a crafted request to modify configuration options, including language settings, maximum post counts, or enabled sharing services. **Recommendations** Update to a version later than 0.1.7. As a temporary workaround, restrict access to the 'bottom-bar-admin.php' file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Child Height Predictor by Ostheimer versions prior to 1.4 **Description** The plugin is susceptible to Cross-Site Request Forgery (CSRF), a flaw where an attacker tricks a user into performing actions they did not intend to. This occurs because the `options()` function, which manages plugin settings updates, lacks nonce verification. A nonce is a unique token used to ensure that a request was intentionally sent by the user. Specifically, the form template lacks a `wp nonce field()` call, and the handler does not utilize `check admin referer()` or `wp verify nonce()`. Consequently, unauthenticated attackers can deceive a site administrator into clicking a malicious link or visiting a page that submits a forged POST request, leading to unauthorized changes in plugin settings, such as unit preferences, being saved to the database via `update option()`. **Recommendations** Update the plugin to a version later than 1.3. As a temporary workaround, restrict access to the plugin settings page to only trusted administrators until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Games Catalog versions prior to 1.2.1 **Description** The Games Catalog plugin for WordPress is susceptible to Cross-Site Request Forgery, a flaw where an attacker tricks a victim into performing actions they did not intend to. This occurs because the `gc crud()` function fails to properly validate nonces—unique tokens used to verify that a request is legitimate—when handling the `action` parameter with the value `delete` via a GET request. Consequently, unauthenticated attackers can delete arbitrary game catalog entries and their associated WordPress posts by inducing a site administrator to click a malicious link. **Recommendations** Update the plugin to a version later than 1.2.0. As a temporary workaround, restrict access to the `gc crud()` function or avoid using the `action` parameter with the `delete` value until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Anomify AI – Anomaly Detection and Alerting plugin for WordPress versions prior to 0.3.7 **Description** The plugin is subject to Stored Cross-Site Scripting, a condition where malicious scripts are permanently stored on the target server. The issue occurs because the plugin uses `sanitize text field()` on the Metric Data Key input before saving it with `update option()`, but this function does not encode double-quote characters. Subsequently, the value is echoed into an HTML attribute context without using `esc attr()`. This allows authenticated attackers with administrator-level access to inject arbitrary web scripts via the `anomify api key` parameter, which execute when a user visits the plugin settings page. **Recommendations** Update the plugin to a version later than 0.3.6. As a temporary workaround, restrict administrator access to the plugin settings page to minimize the risk of script injection via the `anomify api key` parameter.

**Name of the Vulnerable Software and Affected Versions** BLOGCHAT Chat System versions prior to 1.3.6.4 **Description** The BLOGCHAT Chat System plugin for WordPress contains a Cross-Site Request Forgery (CSRF) flaw. This occurs due to missing or incorrect nonce validation—a security token used to ensure that a request was intentionally sent by the user—on a function. This allows unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action, such as clicking a link. **Recommendations** Update to a version newer than 1.3.6.3.

**Name of the Vulnerable Software and Affected Versions** Remove Yellow BGBOX versions prior to 1.1 **Description** The Remove Yellow BGBOX plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF), a flaw where an attacker tricks a victim into performing actions they did not intend to do. This occurs due to missing or incorrect nonce validation on the 'rybb api settings' page. Unauthenticated attackers can exploit this to reset stored settings by overwriting the plugin configuration if a site administrator is deceived into clicking a malicious link. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JaviBola Custom Theme Test versions prior to 2.0.6 **Description** The JaviBola Custom Theme Test plugin for WordPress contains a Cross-Site Request Forgery (CSRF) flaw, which occurs when a web application allows an attacker to induce a user to perform actions they did not intend to. This issue is caused by missing or incorrect nonce validation on the options page. Unauthenticated attackers can change the active theme of a site by modifying the `jbct theme` option through a forged request, provided they can trick a site administrator into clicking a link. **Recommendations** Update to a version newer than 2.0.5.

**Name of the Vulnerable Software and Affected Versions** WordPress Custom Logo plugin versions prior to 2.3 **Description** The Custom Logo plugin for WordPress is susceptible to Stored Cross-Site Scripting through admin settings. Insufficient input sanitization and output escaping allows authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts into pages. These scripts execute when a user accesses the injected page. This issue only impacts multi-site installations and installations where unfiltered html has been disabled. **Recommendations** Update to version 2.3 or later.

**Name of the Vulnerable Software and Affected Versions** WP Social Meta versions prior to 1.0.2 **Description** The WP Social Meta plugin for WordPress is susceptible to Stored Cross-Site Scripting through admin settings. Insufficient input sanitization and output escaping allow authenticated attackers with administrator-level permissions or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. This issue specifically impacts multi-site installations and those where unfiltered html has been disabled. **Recommendations** Update WP Social Meta to version 1.0.2 or later.