Nex Team

**Name of the Vulnerable Software and Affected Versions** Auto Featured Image (Auto Post Thumbnail) plugin for WordPress versions up to, and including, 4.0.0 **Description** The issue allows authenticated attackers with author-level access and above to make web requests to arbitrary locations originating from the web application. This can be used to query and modify information from internal services via the `upload to library` AJAX action. **Recommendations** For versions up to, and including, 4.0.0, update to a version higher than 4.0.0 to resolve the issue. As a temporary workaround, consider restricting access to the `upload to library` AJAX action until a patch is available.

**Name of the Vulnerable Software and Affected Versions** The Unlimited Elements For Elementor plugin versions up to, and including, 1.5.89 **Description** The issue allows authenticated attackers with contributor access and above to execute code on the server via the template import functionality. This enables remote code execution, posing a significant risk. **Recommendations** For versions up to, and including, 1.5.89, update to a version higher than 1.5.89 to resolve the issue. As a temporary workaround, consider restricting access to the template import functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Pods – Custom Content Types and Fields plugin for WordPress versions prior to 3.0.11, excluding versions 2.7.31.2, 2.8.23.2, and 2.9.19.2 **Description** The issue allows authenticated attackers with contributor level access or higher to execute code on the server via shortcode. This is a Remote Code Execution vulnerability. **Recommendations** For versions prior to 2.7.31.2, update to version 2.7.31.2 or higher. For versions prior to 2.8.23.2, update to version 2.8.23.2 or higher. For versions prior to 2.9.19.2, update to version 2.9.19.2 or higher. For versions 2.7.31.2, 2.8.23.2, and 2.9.19.2, and all versions up to 3.0.10, update to a version higher than 3.0.10. As a temporary workaround, consider restricting access to the shortcode feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** The Pods – Custom Content Types and Fields plugin for WordPress versions prior to 3.0.11, excluding versions 2.7.31.2, 2.8.23.2, and 2.9.19.2. **Description** The issue is related to Missing Authorization, which allows authenticated attackers with contributor access or higher to create pods and users with default role. This is possible due to a file inclusion feature via shortcode. **Recommendations** For versions prior to 3.0.11, excluding versions 2.7.31.2, 2.8.23.2, and 2.9.19.2, update to version 3.0.11 or later to resolve the issue. As a temporary workaround, consider restricting access to the file inclusion feature via shortcode to minimize the risk of exploitation. Restrict contributor access or higher to prevent attackers from creating pods and users with default role.

**Name of the Vulnerable Software and Affected Versions** The Pods – Custom Content Types and Fields plugin for WordPress versions prior to 3.0.11, excluding versions 2.7.31.2, 2.8.23.2, and 2.9.19.2 **Description** The issue arises from insufficient escaping on the `user supplied parameter` and lack of sufficient preparation on the existing SQL query, allowing authenticated attackers with contributor level access or higher to append additional SQL queries into already existing queries. This can be used to extract sensitive information from the database. **Recommendations** For versions prior to 3.0.11, excluding versions 2.7.31.2, 2.8.23.2, and 2.9.19.2, update to a version higher than 3.0.10 to resolve the issue. As a temporary workaround, consider restricting access to the shortcode feature to minimize the risk of exploitation. Restrict contributor level access or higher to prevent authenticated attackers from appending additional SQL queries.

**Name of the Vulnerable Software and Affected Versions** WP Go Maps plugin for WordPress versions up to, and including, 9.0.28 **Description** The issue is related to Reflected Cross-Site Scripting via the `map id` parameter due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. **Recommendations** For versions up to, and including, 9.0.28, update to a version higher than 9.0.28 to resolve the issue. As a temporary workaround, consider restricting access to the `map id` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ElementsKit Elementor addons plugin for WordPress versions up to, and including, 3.0.3 **Description** The issue allows unauthenticated attackers to obtain contents of posts in draft, private, or pending review status that should not be visible to the general public. This applies to posts created with Elementor only. The `ekit widgetarea content` function is involved in this issue. **Recommendations** For versions up to, and including, 3.0.3, update to a version later than 3.0.3 to resolve the issue. As a temporary workaround, consider restricting access to the `ekit widgetarea content` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Enable Media Replace plugin for WordPress versions up to, and including, 4.1.4 **Description** The issue allows for Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping via the `SHORTPIXEL DEBUG` parameter. This enables unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action, such as clicking on a link. Exploitation requires the attacker to know the ID of an attachment uploaded by the user they are attacking. **Recommendations** For versions up to, and including, 4.1.4, update to a version higher than 4.1.4 to resolve the issue. As a temporary workaround, consider restricting access to the `SHORTPIXEL DEBUG` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Envira Photo Gallery plugin for WordPress versions up to, and including, 1.8.7.1 **Description** The issue allows authenticated attackers with contributor access and above to modify galleries on other users' posts due to an improper capability check on the `envira gallery insert images` function. **Recommendations** For versions up to, and including, 1.8.7.1, update to a version higher than 1.8.7.1 to resolve the issue. As a temporary workaround, consider restricting access to the `envira gallery insert images` function to prevent unauthorized modifications.

**Name of the Vulnerable Software and Affected Versions** The Orbit Fox by ThemeIsle plugin for WordPress versions up to, and including, 2.10.26 **Description** The issue is related to Stored Cross-Site Scripting via the plugin's custom fields due to insufficient input sanitization and output escaping on user-supplied values. This allows authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 2.10.26, update to a version later than 2.10.26 to resolve the issue. As a temporary workaround, consider restricting access to the custom fields in the plugin to minimize the risk of exploitation. Additionally, restrict permissions to prevent contributors and above from injecting arbitrary web scripts.

**Name of the Vulnerable Software and Affected Versions** The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress versions up to, and including, 1.7.8 **Description** The issue is related to Stored Cross-Site Scripting via the `pagelayer header code`, `pagelayer body open code`, and `pagelayer footer code` meta fields due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability appears to be a reintroduction of a previously patched issue in version 1.7.7. **Recommendations** For versions up to, and including, 1.7.8, consider updating to a version that includes the fix for this issue, as the vulnerability was reintroduced after being patched in version 1.7.7. As a temporary workaround, consider restricting access to the `pagelayer header code`, `pagelayer body open code`, and `pagelayer footer code` meta fields to minimize the risk of exploitation. Avoid using these fields until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Backup Migration plugin for WordPress versions up to, and including, 1.3.7 **Description** The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include statement, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated attackers to easily execute code on the server. The estimated number of potentially affected devices worldwide is around 50,000 to 90,000 websites. **Recommendations** Update the Backup Migration plugin to version 1.3.8 or later to resolve the issue. As a temporary workaround, consider disabling the `includes/backup-heart.php` file until a patch is available. Restrict access to the vulnerable `backup-heart.php` file to minimize the risk of exploitation. Avoid using the Backup Migration plugin until the issue is resolved.