WordPress · Putler Connector For Woocommerce · CVE-2026-9234
**Name of the Vulnerable Software and Affected Versions**
JTL-Connector for WooCommerce versions prior to 2.4.2
**Description**
The plugin is missing authorization: the affected handlers perform neither capability checks nor nonce verification. This allows authenticated attackers with Subscriber-level access or higher to modify arbitrary plugin settings, download a ZIP archive of developer log files, and delete those logs. The issue affects the `admin_post_settings_save_woo-jtl-connector` action handled by the `save()` function in `JtlConnectorAdmin`, as well as the `wp_ajax_downloadJTLLogs` and `wp_ajax_clearJTLLogs` AJAX actions handled by the `downloadJTLLogs()` and `clearJTLLogs()` functions.
**Recommendations**
Update the plugin to version 2.4.2 or later.
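For reviewers auditing similar handlers, the following added example (not the plugin's own code and not the vendor's patch) shows the capability check and nonce verification that the Description reports as missing, applied to one `admin_post_` handler and one `wp_ajax_` handler. The class name, nonce action names, option name, log directory and the choice of `manage_options` are assumptions made for illustration.

```php
<?php
// Added illustration. Everything named Example_* / example_* is hypothetical.
final class Example_Connector_Admin
{
    private const CAP        = 'manage_options';          // assumed capability
    private const NONCE_SAVE = 'example_connector_save';  // hypothetical
    private const NONCE_LOGS = 'example_connector_logs';  // hypothetical

    public static function register(): void
    {
        // admin_post_* and wp_ajax_* fire for ANY logged-in user, Subscribers
        // included, so each callback must authorize the request itself.
        add_action('admin_post_settings_save_woo-jtl-connector', [self::class, 'save']);
        add_action('wp_ajax_clearJTLLogs', [self::class, 'clear_logs']);
    }

    public static function save(): void
    {
        if (!current_user_can(self::CAP)) {
            wp_die('Insufficient permissions.', '', ['response' => 403]);
        }
        // Dies unless the form carried wp_nonce_field(self::NONCE_SAVE).
        check_admin_referer(self::NONCE_SAVE);

        $raw   = isset($_POST['settings']) && is_array($_POST['settings']) ? $_POST['settings'] : [];
        $clean = array_map('sanitize_text_field', wp_unslash($raw));
        update_option('example_connector_settings', $clean);

        wp_safe_redirect(wp_get_referer() ?: admin_url());
        exit;
    }

    public static function clear_logs(): void
    {
        // $stop = false so the failure is reported as JSON instead of a bare -1.
        if (!check_ajax_referer(self::NONCE_LOGS, 'nonce', false)
            || !current_user_can(self::CAP)) {
            wp_send_json_error(['message' => 'Forbidden'], 403);
        }
        $dir     = trailingslashit(wp_upload_dir()['basedir']) . 'example-connector-logs';
        $deleted = 0;
        foreach (glob($dir . '/*.log') ?: [] as $file) {
            $deleted += (int) unlink($file);
        }
        wp_send_json_success(['deleted' => $deleted]);
    }
}
Example_Connector_Admin::register();
```

A log download handler needs the same two checks before any file is read or archived.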