Naxus-Audit

**Name of the Vulnerable Software and Affected Versions** vscode-spell-checker versions prior to 4.5.4 **Description** The vscode-spell-checker extension is susceptible to a workspace-trust bypass that can lead to code execution. The `DocumentSettings. determineIsTrusted` function incorrectly relies on the `cSpell.trustedWorkspace` configuration value as the sole indicator of trust. This value defaults to true and is read from the workspace configuration. Consequently, an untrusted workspace can place a malicious `.cspell.config.js` file, and opening the workspace will cause the extension host to execute attacker-controlled Node.js code with the user’s privileges. The `ConfigLoader.setIsTrusted` function is involved in this process, allowing the execution of JavaScript/TypeScript configuration files. **Recommendations** Versions prior to 4.5.4 should be updated to version 4.5.4 or later.

**Name of the Vulnerable Software and Affected Versions** Koko Analytics versions prior to 2.1.3 **Description** Koko Analytics, an open-source analytics plugin for WordPress, is susceptible to arbitrary SQL execution due to unescaped analytics export/import and permissive admin SQL import. Unauthenticated visitors can submit arbitrary `pa` (path) and `r` (referrer) values to the public tracking endpoint in `src/Resources/functions/collect.php`, which are stored directly in the analytics tables. The admin export logic in `src/Admin/Data Export.php` writes these stored values into SQL INSERT statements without proper escaping. A crafted path, such as "),('999','x');DROP TABLE wp users;--", can break out of the value list. When an administrator imports the exported file, the import handler in `src/Admin/Data Import.php` reads the SQL file using `file get contents`, performs a basic header check, splits the content by semicolons, and executes each statement via `$wpdb->query` without validating table names or statement types. Authenticated users with `manage koko analytics` privileges can also upload arbitrary .sql files for execution in the same permissive manner. This allows attacker-controlled input to flow from the tracking endpoint into exported SQL and through the import execution, or directly via malicious uploads, enabling arbitrary SQL execution. Attackers could potentially delete core tables like `wp users` or insert backdoor administrator accounts. **Recommendations** Versions prior to 2.1.3 should be updated to version 2.1.3 or later.

**Name of the Vulnerable Software and Affected Versions** Weblate versions prior to 5.15 **Description** Weblate is a web-based localization tool. Versions prior to 5.15 were susceptible to unauthorized triggering of repository updates through a specially crafted webhook payload. Disabling webhooks using `ENABLE HOOKS` can be used as a temporary workaround. **Recommendations** Update to version 5.15 or later. As a temporary workaround, disable webhooks using `ENABLE HOOKS`.

**Name of the Vulnerable Software and Affected Versions** Weblate versions prior to 5.15 **Description** Weblate, a web-based localization tool, had a broken authorization issue in its REST API that allowed for systematic user and project enumeration. Specifically, it was possible to retrieve user notification settings or list all users via the API. **Recommendations** Update to version 5.15 or later.