Murat Demirci

**Name of the Vulnerable Software and Affected Versions** Backup and Restore version 1.0.3 **Description** Authenticated attackers can delete arbitrary files from the WordPress installation directory. This is achieved by sending POST requests to the 'admin-ajax.php' endpoint with manipulated `file name` and `folder name` parameters. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AccessPress Social Icons version 1.8.2 **Description** A stored cross-site scripting issue allows authenticated attackers to inject malicious scripts. This occurs when JavaScript payloads, such as image tags with `onerror` event handlers, are entered into the `icon title` field. These scripts execute when a user views the plugin interface, affecting all users who access that page. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ultimate Product Catalog version 5.8.2 **Description** A stored cross-site scripting issue allows authenticated attackers to inject malicious scripts. This is achieved by submitting POST requests to the 'post.php' endpoint using the `price` parameter to include HTML or JavaScript payloads, which then execute arbitrary code when a product is viewed. **Recommendations** As a temporary workaround, restrict or validate the input of the `price` parameter in the 'post.php' endpoint. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP Symposium Pro version 2021.10 **Description** A stored cross-site scripting issue exists where authenticated attackers can inject malicious scripts due to insufficient sanitization of the forum name. Attackers can submit POST requests to the admin setup page using the `wps admin forum add name` parameter to store JavaScript payloads that execute when the forum is accessed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Filterable Portfolio Gallery version 1.0 **Description** A stored cross-site scripting issue allows authenticated attackers to inject malicious JavaScript. This is achieved by entering payloads into the title field, such as image tags with `onerror` handlers. The injected code executes when users preview the gallery, affecting all visitors to the page. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.