Neven Biruski

**Name of the Vulnerable Software and Affected Versions** 10Web Form Maker plugin versions prior to 1.13.5 **Description** The issue allows for CSRF via the "wp-admin/admin-ajax.php" action parameter, potentially leading to local file inclusion through directory traversal. This is due to a discrepancy between the `$ POST['action']` value and the `$ GET['action']` value, where the latter is unsanitized. **Recommendations** For versions prior to 1.13.5, update to version 1.13.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the "wp-admin/admin-ajax.php" endpoint to minimize the risk of exploitation. Avoid using unsanitized `$ GET['action']` values in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Snazzy Maps plugin versions prior to 1.1.5 **Description** The issue allows for XSS attacks via the `text` or `tab` parameter. **Recommendations** For versions prior to 1.1.5, update to version 1.1.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Gwolle Guestbook (gwolle-gb) plugin versions prior to 2.5.4 **Description** A security issue exists in the admin/gb-dashboard-widget.php file of the Gwolle Guestbook plugin for WordPress. This issue can be exploited via the PATH INFO to wp-admin/index.php, allowing for potential attacks. **Recommendations** For versions prior to 2.5.4, update to version 2.5.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** wp-noexternallinks plugin versions prior to 3.5.19 **Description** A Cross Site Scripting (XSS) issue exists, allowing exploitation via the `date1` or `date2` parameter to the "wp-admin/options-general.php" API endpoint. **Recommendations** For versions prior to 3.5.19, update to version 3.5.19 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Easy Modal plugin versions prior to 2.1.0 **Description** The issue concerns SQL injection in the delete action of the Easy Modal plugin, specifically affecting the `id`, `ids`, or `modal` parameter to `wp-admin/admin.php`. This can be exploited by administrators. **Recommendations** For versions prior to 2.1.0, update to version 2.1.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Easy Modal plugin versions prior to 2.1.0 **Description** The issue concerns SQL injection in the Easy Modal plugin for WordPress. It affects the untrash action and involves the `id`, `ids`, or `modal` parameter to "wp-admin/admin.php". This exploit is accessible by administrators. **Recommendations** For versions prior to 2.1.0, update the Easy Modal plugin to version 2.1.0 or later to resolve the issue.