Muhammad Sharief

**Name of the Vulnerable Software and Affected Versions** Mercado Pago payments for WooCommerce versions prior to 8.7.12 **Description** The Mercado Pago payments for WooCommerce plugin for WordPress allows unauthorized access to data because of a missing capability check on the 'mp pix image' API endpoint. This allows unauthenticated attackers to retrieve PIX payment QR code images for arbitrary orders. These images contain sensitive merchant information, including PIX keys (which may be CPF/CNPJ personal identifiers), transaction amounts, merchant name, city, and MercadoPago transaction references. **Recommendations** Update the plugin to a version later than 8.7.11. As a temporary workaround, restrict access to the 'mp pix image' API endpoint to minimize the risk of exploitation.

The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete OneSignal metadata for arbitrary posts.

**Name of the Vulnerable Software and Affected Versions** Appointment Booking Calendar — Simply Schedule Appointments versions through 1.6.9.29 **Description** The Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress is susceptible to unauthorized access of sensitive data. This occurs because a `public nonce` not tied to a specific user is exposed to unauthenticated users through the `/wp-json/ssa/v1/embed-inner` REST endpoint. Additionally, the `get item()` method within `SSA Settings Api` utilizes `nonce permissions check()` for authorization, which accepts this public nonce, but fails to call `remove unauthorized settings for current user()` to filter restricted fields. This allows unauthenticated attackers to access administrator-only plugin settings, including the administrator's email address, phone number, internal access tokens, notification configurations, and developer settings via the `/wp-json/ssa/v1/settings/{section}` endpoint. Exposure of appointment tokens also enables attackers to modify or cancel appointments. **Recommendations** Versions through 1.6.9.29 should be updated to a newer, fixed version. As a temporary workaround, consider restricting access to the `/wp-json/ssa/v1/embed-inner` endpoint. Additionally, temporarily disable the `SSA Settings Api` module if possible.

**Name of the Vulnerable Software and Affected Versions** weForms versions up to and including 1.6.27 **Description** The weForms plugin for WordPress is susceptible to Stored Cross-Site Scripting through the REST API entry submission endpoint. This occurs because of inconsistent input sanitization between the frontend AJAX handler and the REST API endpoint. When entries are submitted via the REST API, the `prepare entry()` method in `class-abstract-fields.php` receives the WP REST Request object as `$args`, bypassing the sanitization process applied to `$ POST` data for frontend submissions. The base field handler only applies `trim()` to the value. This allows authenticated attackers with Subscriber-level access or higher to inject malicious web scripts into form entry hidden field values via the REST API endpoint: `/wp-json/weforms/v1/forms/{id}/entries/`. These scripts execute when an administrator views the form entries page, where data is rendered using a Vue.js `v-html` directive without proper escaping. **Recommendations** Update weForms to a version later than 1.6.27.

**Name of the Vulnerable Software and Affected Versions** Media Library Assistant plugin for WordPress versions prior to 3.34 **Description** The software is susceptible to unauthorized data modification because of a missing capability check within the `mla update compat fields action()` function. Authenticated attackers possessing Subscriber-level access or higher can alter taxonomy terms associated with arbitrary attachments. **Recommendations** Update the Media Library Assistant plugin to version 3.34 or later.