Mustafa Ahmed

**Name of the Vulnerable Software and Affected Versions** EventPress versions prior to 22.2 **Description** The EventPress WordPress theme fails to sanitize or escape the `id` parameter within the 'eventpress customizer notify dismiss action' AJAX handler. This allows unauthenticated attackers to execute Reflected Cross-Site Scripting (XSS) attacks against logged-in users by outputting the unsanitized input back in the response. **Recommendations** Update to version 22.2 or later.

**Name of the Vulnerable Software and Affected Versions** WP Maps versions prior to 4.9.3 **Description** The WP Maps WordPress plugin fails to properly sanitize a parameter used in a file path. This allows authenticated users to perform Local File Inclusion (LFI), a technique where an attacker includes files on the server through the web application to read sensitive data. **Recommendations** Update to version 4.9.3 or later.

**Name of the Vulnerable Software and Affected Versions** reCaptcha by WebDesignBy WordPress plugin versions prior to 2.0 **Description** The plugin fails to sanitize or escape the Site Key setting before it is output within a JavaScript string context through the `grecaptcha js()` function. This allows administrators on multisite installations who lack the `unfiltered html` capability to inject arbitrary JavaScript that executes for all visitors to the WordPress login page. **Recommendations** Update the plugin to version 2.0 or later.