Muhammad Zeeshan

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.2.3 through 12.2.15 **Description** An easily exploitable issue exists in the Oracle Scripting product of Oracle E-Business Suite (component: Scripting Admin). An unauthenticated attacker with network access via HTTP can compromise Oracle Scripting. Successful attacks require human interaction from a person other than the attacker. While the issue is in Oracle Scripting, attacks may impact additional products. Successful attacks can result in unauthorized update, insert, or delete access to some Oracle Scripting accessible data, as well as unauthorized read access to a subset of Oracle Scripting accessible data. **Recommendations** Versions 12.2.3 through 12.2.15 are affected and require attention.

**Name of the Vulnerable Software and Affected Versions** Fancy Product Designer plugin for WordPress versions prior to 6.4.9 **Description** The software is susceptible to a Full Path Disclosure issue. This stems from improper error handling within the PDF upload functionality, which reveals server filesystem paths and stack traces in error messages. An unauthenticated attacker can potentially retrieve the full path of the web application. The disclosed information, while not directly damaging, can assist in facilitating other attacks. **Recommendations** Update Fancy Product Designer plugin to version 6.4.9 or later.

**Name of the Vulnerable Software and Affected Versions** The Fancy Product Designer versions prior to 6.4.9 **Description** The software is susceptible to a Server-Side Request Forgery (SSRF) issue. This is caused by a time-of-check/time-of-use (TOCTOU) race condition within the 'url' parameter of the `fpd custom uplod file` AJAX action. The validation process uses `getimagesize()` followed by `file get contents()` on the same URL, creating a timing gap that allows attackers to redirect requests to arbitrary internal or external URLs. **Recommendations** Update The Fancy Product Designer plugin to version 6.4.9 or later.

**Name of the Vulnerable Software and Affected Versions** Fancy Product Designer plugin for WordPress versions prior to 6.4.9 **Description** The software contains a flaw due to inadequate validation of user-provided input in the `url` parameter of the 'fpd custom uplod file' AJAX action. This input is directly passed to the `getimagesize()` function without proper sanitization. While exploitation via PHP filter chains is restricted on PHP 8 and later versions, the issue can be exploited through a TOCTOU race condition or may be directly exploitable on PHP 7.x installations. This allows unauthenticated attackers to read arbitrary sensitive files from the server, such as `wp-config.php`. **Recommendations** Update Fancy Product Designer plugin to version 6.4.9 or later.

**Name of the Vulnerable Software and Affected Versions** The Fancy Product Designer plugin for WordPress versions prior to 6.4.9 **Description** The software is susceptible to Stored Cross-Site Scripting through SVG File uploads. Insufficient input sanitization and output escaping in the `data-to-image.php` and `pdf-to-image.php` files allow unauthenticated attackers to inject arbitrary web scripts. These scripts execute when a user accesses the SVG file. **Recommendations** Update The Fancy Product Designer plugin to version 6.4.9 or later.

**Name of the Vulnerable Software and Affected Versions** Evisions MAPS version 6.10.2.267 **Description** A reflected cross-site scripting issue allows attackers to execute arbitrary code in the context of a user's browser by injecting a crafted payload into the "mw/" endpoint. **Recommendations** For Evisions MAPS version 6.10.2.267, consider restricting access to the /mw/ endpoint until a fix is available. As a temporary workaround, avoid using the vulnerable endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Super Store Finder plugin for WordPress versions up to, and including, 7.0 **Description** The issue allows unauthenticated attackers to perform SQL Injection via the `ssf wp user name` parameter due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This enables attackers to append additional SQL queries into an already existing query, potentially leading to stored cross-site scripting in store reviews. **Recommendations** For Super Store Finder plugin for WordPress versions up to, and including, 7.0, consider disabling the `ssf wp user name` parameter until a patch is available to prevent SQL Injection attacks. Restrict access to store reviews to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Avada | Website Builder For WordPress & WooCommerce theme for WordPress versions up to, and including, 7.11.6 **Description** The issue allows authenticated attackers with contributor-level access and above to make web requests to arbitrary locations originating from the web application. This can be used to query and modify information from internal services through the `form to url action` function. **Recommendations** For Avada | Website Builder For WordPress & WooCommerce theme for WordPress versions up to, and including, 7.11.6, consider disabling the `form to url action` function until a patch is available to prevent exploitation. Restrict access to internal services to minimize the risk of information query and modification.

**Name of the Vulnerable Software and Affected Versions** Avada theme for WordPress versions up to, and including, 7.11.6 **Description** The issue allows authenticated attackers with editor-level access and above to perform SQL Injection via the `entry` parameter due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This enables attackers to append additional SQL queries into already existing queries, potentially extracting sensitive information from the database. **Recommendations** For Avada theme for WordPress versions up to, and including, 7.11.6, update to a version later than 7.11.6 to resolve the issue. At the moment, there is no information about other specific mitigation measures for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Permalink Manager Lite and Pro plugins for WordPress versions up to, and including, 2.4.3.1 **Description** The issue is related to Reflected Cross-Site Scripting via the `s` parameter in multiple instances due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. **Recommendations** For Permalink Manager Lite and Pro plugins for WordPress versions up to, and including, 2.4.3.1, update to a version later than 2.4.3.1 to resolve the issue. As a temporary workaround, consider restricting access to the `s` parameter in affected instances to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Permalink Manager Lite plugin for WordPress versions up to, and including, 2.4.3.1 **Description** The issue allows unauthorized access to data due to a missing capability check on the `get uri editor` function. This enables unauthenticated attackers to view the permalinks of all posts. **Recommendations** For versions up to, and including, 2.4.3.1, update to a version higher than 2.4.3.1 to resolve the issue. As a temporary workaround, consider restricting access to the `get uri editor` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Avada theme for WordPress versions up to, and including, 7.11.6 **Description** The issue allows unauthenticated attackers to extract sensitive data uploaded via an Avada created form with a file upload mechanism. This is possible due to sensitive information exposure in the '/wp-content/uploads/fusion-forms/' directory. **Recommendations** For versions up to, and including, 7.11.6, update to a version later than 7.11.6 to resolve the issue. As a temporary workaround, consider restricting access to the '/wp-content/uploads/fusion-forms/' directory until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Avada theme for WordPress versions up to, and including, 7.11.6 **Description** The issue is related to Stored Cross-Site Scripting via the plugin's shortcodes due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For Avada theme for WordPress versions up to, and including, 7.11.6, update to a version later than 7.11.6 to resolve the issue. As a temporary workaround, consider restricting access to the shortcodes feature for users with contributor-level and above permissions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** The Responsive theme for WordPress versions up to, and including, 5.0.2 **Description** The issue allows unauthorized modification of data due to a missing capability check on the `save footer text callback` function. This makes it possible for unauthenticated attackers to inject arbitrary HTML content into the site's footer. **Recommendations** For versions up to, and including, 5.0.2, update to a version higher than 5.0.2 to resolve the issue. As a temporary workaround, consider disabling the `save footer text callback` function until a patch is available. Restrict access to the footer modification feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Networker - Tech News WordPress Theme with Dark Mode theme for WordPress versions up to, and including, 1.1.9 **Description** The issue is related to a missing capability check on the `admin reload nav menu()` function, which allows unauthenticated attackers to modify the location of display menus. This makes it possible for unauthorized modification of data. **Recommendations** For versions up to, and including, 1.1.9, consider disabling the `admin reload nav menu()` function until a patch is available to prevent unauthorized modification of data. Restrict access to the admin navigation menu to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Permalink Manager Lite plugin for WordPress versions up to, and including, 2.4.3.1 **Description** The issue arises from a missing capability check on the `ajax save permalink` function, allowing authenticated attackers with author access or above to modify the permalinks of arbitrary posts. This enables unauthorized modification of data. **Recommendations** For Permalink Manager Lite plugin for WordPress versions up to, and including, 2.4.3.1, consider disabling the `ajax save permalink` function until a patch is available to prevent unauthorized modification of permalinks. Restrict access to the plugin's functionality to minimize the risk of exploitation, especially for users with author access and above.

**Name of the Vulnerable Software and Affected Versions** Avada | Website Builder For WordPress & WooCommerce theme for WordPress versions up to and including 7.11.5 **Description** The issue allows authenticated attackers with contributor access and above to view the contents of all form submissions, including fields that are obfuscated, such as the contact form's `password` field, via the form entries page. **Recommendations** For versions up to and including 7.11.5, update to a version later than 7.11.5 to resolve the issue. As a temporary workaround, consider restricting access to the form entries page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Avada | Website Builder For WordPress & WooCommerce theme for WordPress versions up to, and including, 7.11.4 **Description** The issue is related to arbitrary file uploads due to missing file type validation in the `ajax import options()` function. This makes it possible for authenticated attackers, with contributor-level access and above, to upload arbitrary files on the affected site's server, which may lead to remote code execution. The flaw is estimated to affect nearly 950,000 sales. **Recommendations** For versions up to, and including, 7.11.4, update to a version above 7.11.4 to resolve the issue. As a temporary workaround, consider disabling the `ajax import options()` function until a patch is available. Restrict access to the affected site's server to minimize the risk of exploitation. Avoid using the vulnerable function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Chained Quiz plugin for WordPress versions up to, and including, 1.3.2.2 **Description** The issue arises from insufficient input sanitization and output escaping, allowing authenticated attackers with administrative privileges to inject arbitrary web scripts in pages via the `api key` parameter. This enables the execution of injected scripts whenever a user accesses an injected page. **Recommendations** For Chained Quiz plugin for WordPress versions up to, and including, 1.3.2.2, consider updating to a version that addresses the insufficient input sanitization and output escaping issue. As a temporary workaround, restrict access to the `api key` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Chained Quiz plugin for WordPress versions up to, and including, 1.3.2.4 **Description** The issue is related to Cross-Site Request Forgery due to missing nonce validation on the `list quizzes()` function. This allows unauthenticated attackers to delete quizzes and copy quizzes via a forged request if they can trick a site administrator into performing a specific action. **Recommendations** For Chained Quiz plugin for WordPress versions up to, and including, 1.3.2.4, consider disabling the `list quizzes()` function until a patch is available to prevent exploitation. Restrict access to quiz management features to minimize the risk of unauthorized modifications.