Naoya Takahashi

**Name of the Vulnerable Software and Affected Versions** Bookly versions prior to 27.3 **Description** The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs due to insufficient input sanitization and output escaping related to the `bookly-customer-full-name` cookie. Unauthenticated attackers can inject arbitrary web scripts into pages, which execute when a user accesses the affected page. This issue is only exploitable if the 'Remember personal information in cookies' setting is enabled. **Recommendations** Update to a version later than 27.2. Disable the 'Remember personal information in cookies' setting to mitigate the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GEO my WP versions prior to 4.5.6 **Description** The plugin is subject to SQL Injection, allowing unauthenticated attackers to append additional SQL queries to extract sensitive information from the database. The issue occurs because the `swlatlng` and `nelatlng` parameters are read from `$ SERVER['QUERY STRING']` via `parse str()`, bypassing standard WordPress protection. These parameters are then split and interpolated directly into a SQL BETWEEN clause within the `gmw get locations within boundaries sql()` function without proper validation, casting, or escaping. Exploitation requires the site to host the Posts Locator search-results shortcode (`[gmw form="results" form id=N]`) on a public page and have at least one published post with an associated `gmw location` row. **Recommendations** Update to a version later than 4.5.5. As a temporary workaround, avoid using the `swlatlng` and `nelatlng` parameters or restrict access to pages hosting the Posts Locator search-results shortcode.

**Name of the Vulnerable Software and Affected Versions** NEX-Forms – Ultimate Forms Plugin for WordPress versions prior to 9.1.12 **Description** Insufficient input sanitization and output escaping in the `submit nex form()` function allow unauthenticated attackers to inject arbitrary web scripts via POST parameter key names. These scripts execute whenever a user accesses an affected page. This is a Stored Cross-Site Scripting issue, where malicious scripts are permanently stored on the target server. **Recommendations** Update the plugin to a version later than 9.1.11. As a temporary workaround, restrict access to the `submit nex form()` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Geo Mashup versions prior to 1.13.19 **Description** The Geo Mashup plugin for WordPress contains a time-based blind SQL injection flaw. This issue allows unauthenticated attackers to append additional SQL queries to existing ones to extract sensitive information from the database. The flaw exists because user-supplied parameters are not sufficiently escaped or prepared before being used in SQL queries. Specifically, the `esc sql()` function is used but fails to protect against parenthesis or SQL keyword injection when values are placed in unquoted `IN(...)` or `NOT IN(...)` contexts. While a numeric-only sanitizer is present in the `sanitize query args()` function, it is only utilized in the AJAX code path and is missing from the `render-map.php` and template tag code paths. The affected parameters are 'object ids' and 'exclude object ids'. **Recommendations** Update the plugin to a version later than 1.13.18.

**Name of the Vulnerable Software and Affected Versions** Geo Mashup versions prior to 1.13.19 **Description** The Geo Mashup plugin for WordPress allows unauthenticated attackers to extract sensitive database information using a time-based blind SQL Injection approach. This occurs because the `SearchResults` hook uses `stripslashes deep($ POST)`, which removes protection, and subsequently concatenates the unsanitized `map post type` parameter into an `IN(...)` clause without using `esc sql()` or `$wpdb->prepare()`. This issue is specifically present in the else branch of the code, whereas the any branch is correctly handled. Exploitation is possible only if the Geo Search feature is enabled in the plugin settings. **Recommendations** Update to a version later than 1.13.18. As a temporary workaround, disable the Geo Search feature in the plugin settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Geo Mashup versions prior to 1.13.19 **Description** The Geo Mashup plugin for WordPress contains a time-based blind SQL injection flaw. This issue occurs because the `sort` parameter is not properly escaped or prepared before being used in a SQL query, specifically within the `ORDER BY` clause where the `esc sql()` function is ineffective because the value lacks quotes. Although a `sanitize sort arg()` allowlist-based sanitizer exists, it is only implemented in the `sanitize query args()` function for AJAX requests and is missing from the `render-map.php` and template tag code paths. Consequently, unauthenticated attackers can append malicious SQL queries to extract sensitive information from the database. **Recommendations** Update the plugin to a version later than 1.13.18. As a temporary workaround, restrict access to the `render-map.php` file and avoid using the `sort` parameter in template tags until the update is applied.

**Name of the Vulnerable Software and Affected Versions** MasterStudy LMS WordPress Plugin for Online Courses and Education versions prior to 3.7.26 **Description** An issue exists where authenticated attackers with subscriber-level access and above can perform time-based blind SQL injection. This occurs via the 'order' and 'orderby' parameters in the '/lms/stm-lms/order/items' REST API endpoint. The flaw stems from insufficient input sanitization and a design error in the custom Query builder class that allows unquoted SQL injection in ORDER BY clauses. Specifically, when the Query builder detects parentheses in the `sort by` parameter, it treats the value as a SQL function and concatenates it directly into the ORDER BY clause without quoting. Although `esc sql()` is used, it fails to prevent injection when values are not wrapped in quotes. This allows for the extraction of sensitive database information, such as user credentials and session tokens. **Recommendations** Update to a version newer than 3.7.25. As a temporary workaround, restrict access to the '/lms/stm-lms/order/items' REST API endpoint or limit the use of the `order` and `orderby` parameters.

**Name of the Vulnerable Software and Affected Versions** Form Maker by 10Web versions prior to 1.15.41 **Description** Stored Cross-Site Scripting is possible via the Matrix field (Text Box input type) in form submissions. The issue arises from insufficient input sanitization using the `sanitize text field` function, which removes tags but fails to strip quotes, combined with a lack of output escaping when rendering submission data in the admin Submissions view. This allows unauthenticated attackers to inject arbitrary JavaScript that executes in the browser of an administrator viewing the submission details. **Recommendations** Update to a version later than 1.15.40.

**Name of the Vulnerable Software and Affected Versions** Popup Builder plugin for WordPress versions up to and including 4.4.1 **Description** The Popup Builder plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is due to insufficient input sanitization and output escaping on user-supplied attributes within the plugin’s `sg popup` shortcode. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages. These scripts will execute when a user accesses the affected page. **Recommendations** Update the Popup Builder plugin to a version later than 4.4.1.

**Name of the Vulnerable Software and Affected Versions** Extensive VC Addons for WPBakery page builder plugin for WordPress versions prior to 1.9.2 **Description** The software is susceptible to a Local File Inclusion issue due to insufficient path normalization and validation of the `shortcode name` parameter within the `extensive vc init shortcode pagination` AJAX action and the `extensive vc get module template part` function. This allows unauthenticated attackers to include and execute arbitrary PHP files on the server, potentially enabling the execution of any PHP code within those files. **Recommendations** Update Extensive VC Addons for WPBakery page builder plugin for WordPress to version 1.9.2 or later.

**Name of the Vulnerable Software and Affected Versions** RafflePress versions up to and including 1.12.19 **Description** The Giveaways and Contests by RafflePress plugin for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the affected page. The issue stems from multiple social media username parameters. **Recommendations** Update RafflePress to a version later than 1.12.19.

**Name of the Vulnerable Software and Affected Versions** Data Tables Generator by Supsystic plugin for WordPress versions through 1.10.45 **Description** The Data Tables Generator by Supsystic plugin for WordPress has a flaw that allows authenticated attackers with Administrator-level access or higher to delete arbitrary files on the server. This is due to inadequate file path validation within the `cleanCache()` function. Deleting specific files, such as `wp-config.php`, could lead to remote code execution. **Recommendations** Update the Data Tables Generator by Supsystic plugin for WordPress to a version later than 1.10.45.

**Name of the Vulnerable Software and Affected Versions** The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress versions through 3.40.0 **Description** The software is susceptible to SQL Injection due to inadequate input validation and query preparation. Specifically, the `post types` parameter is not properly sanitized, allowing authenticated attackers with Editor-level access or higher to inject SQL queries. This could lead to the extraction of sensitive information from the database. **Recommendations** Update to a version beyond 3.40.0.

**Name of the Vulnerable Software and Affected Versions** Asgaros Forum plugin for WordPress versions up to and including 3.1.0 **Description** The Asgaros Forum plugin for WordPress is susceptible to SQL Injection due to insufficient escaping of user-supplied data and inadequate preparation of existing SQL queries. Specifically, the `$ COOKIE['asgarosforum unread exclude']` cookie is vulnerable. This allows unauthenticated attackers to inject additional SQL queries, potentially extracting sensitive information from the database. **Recommendations** Update to version 3.2.0 or later.

**Name of the Vulnerable Software and Affected Versions** WPCOM Member versions prior to 1.7.15 **Description** The WPCOM Member plugin for WordPress is susceptible to Local File Inclusion. This issue affects versions up to and including 1.7.14 and is triggered through the `action` parameter within a shortcode. Authenticated attackers with Contributor-level access or higher can exploit this to include and execute arbitrary .php files on the server. Successful exploitation allows for the execution of PHP code, potentially enabling attackers to bypass access controls and obtain sensitive data. The issue can lead to code execution if .php file uploads are permitted. The vulnerable parameter is `action`. **Recommendations** Update WPCOM Member to version 1.7.15 or later.

**Name of the Vulnerable Software and Affected Versions** Watu Quiz plugin for WordPress versions prior to 3.4.5 **Description** The Watu Quiz plugin for WordPress is susceptible to Stored Cross-Site Scripting through the HTTP Referer header. This occurs because of inadequate input sanitization and output escaping when the "Save source URL" option is enabled. This allows unauthenticated attackers to inject arbitrary web scripts into pages. These scripts will execute whenever a user accesses the injected page. **Recommendations** Update the Watu Quiz plugin to version 3.4.5 or later.

**Name of the Vulnerable Software and Affected Versions** ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages plugin for WordPress versions prior to 2.5.1 **Description** The ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages plugin for WordPress is susceptible to SQL Injection via the `export csv()` function. Insufficient escaping of user-supplied parameters and inadequate preparation of existing SQL queries allow authenticated attackers with Administrator-level access or higher to append additional SQL queries, potentially extracting sensitive information from the database. Lower-level users may also be able to exploit this if granted access to the plugin. **Recommendations** Update to version 2.5.1 or later.