Ngô Thiên An

Name of the Vulnerable Software and Affected Versions: EventON versions n/a through 2.3.2 Description: The issue is related to an Improper Control of Filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion'. This is a type of vulnerability where an attacker can manipulate the filename used in include or require statements, potentially allowing them to execute malicious code. Recommendations: For versions n/a through 2.3.2, update to a version later than 2.3.2 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: AREOI All Bootstrap Blocks versions 1.3.19 and earlier Description: The issue is related to an Improper Control of Filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion' vulnerability. This allows PHP Local File Inclusion. Recommendations: For versions 1.3.19 and earlier, update to a version that fixes this issue, as the current version allows for PHP Local File Inclusion due to improper control of filenames in include/require statements. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Andy Moyle Church Admin versions n/a through 4.4.4 **Description** The issue is related to a Missing Authorization vulnerability, allowing exploitation of incorrectly configured access control security levels. **Recommendations** For versions n/a through 4.4.4, update to a version later than 4.4.4 to resolve the issue. As a temporary workaround, consider restricting access to sensitive areas of the application to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Blockspare versions 3.2.4 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, which allows Stored XSS. This means that an attacker can inject malicious code into the web page, potentially affecting users who access the page. **Recommendations** For versions 3.2.4 and earlier, update to a version later than 3.2.4 to resolve the issue. As a temporary workaround, consider restricting user input to minimize the risk of exploitation. Restrict access to sensitive areas of the web application to minimize the risk of Stored XSS attacks.

**Name of the Vulnerable Software and Affected Versions** ElementsKit Pro versions through 3.6.0 **Description** The issue is related to an improper limitation of a pathname to a restricted directory, also known as a 'Path Traversal' vulnerability, which allows PHP Local File Inclusion. This could potentially lead to system compromise. **Recommendations** For versions through 3.6.0, update the plugin to the latest patched version as soon as possible. As a temporary workaround, consider restricting access to sensitive files and directories to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Delicious Recipes – WordPress Recipe Plugin versions 1.6.7 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). This allows for Stored XSS attacks. A Cross Site Scripting (XSS) vulnerability exists in the WP Delicious Delicious Recipes – WordPress Recipe Plugin. **Recommendations** For Delicious Recipes – WordPress Recipe Plugin versions 1.6.7 and earlier, update to a version later than 1.6.7 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Collapsing Archives versions 3.0.5 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, which allows Stored XSS. This means that an attacker can inject malicious scripts into the website, potentially affecting users who access the compromised page. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For versions 3.0.5 and earlier, update to a version later than 3.0.5 to resolve the issue. As a temporary workaround, consider restricting user input to minimize the risk of exploitation. Avoid using potentially vulnerable input fields until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** DSGVO All in one for WP versions n/a through 4.5 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, which allows Stored Cross-site Scripting (XSS). This is a type of security vulnerability that occurs when an application includes user input in its output without proper validation or sanitization, enabling an attacker to inject malicious scripts into the website. **Recommendations** For versions n/a through 4.5, update to a version that includes a fix for this issue, as no specific workaround is provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Plus Addons for Elementor versions up to, and including, 5.6.2 **Description** The issue is related to Stored Cross-Site Scripting via the `carousel direction` parameter of the testimonials widget. This is due to insufficient input sanitization and output escaping on user-supplied attributes, allowing authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages. These scripts will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 5.6.2, update to a version that addresses the insufficient input sanitization and output escaping issue. As a temporary workaround, consider restricting access to the testimonials widget or disabling the `carousel direction` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** AREOI All Bootstrap Blocks versions 1.3.19 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS), which allows Stored XSS. This means that an attacker can inject malicious code into the website, which will be stored and executed when other users access the site. **Recommendations** For versions 1.3.19 and earlier, update to a version that fixes the Improper Neutralization of Input During Web Page Generation vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Meta Field Block versions 1.2.13 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). This allows for Stored XSS attacks. **Recommendations** For versions 1.2.13 and earlier, update to version 1.2.14 to resolve the issue. As a temporary workaround, consider restricting access to the Meta Field Block plugin until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Custom Layouts – Post + Product grids made easy versions n/a through 1.4.11 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS), which allows Stored XSS. This means that an attacker can inject malicious code into a website, potentially affecting users who visit the site. **Recommendations** For versions n/a through 1.4.11, update to version 1.4.12 to resolve the issue. As a temporary workaround, consider restricting user input in custom layouts to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Blockspare versions 3.2.0 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). This allows for Stored XSS attacks. **Recommendations** For Blockspare versions 3.2.0 and earlier, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Element Pack Elementor Addons plugin for WordPress versions up to, and including, 5.7.2 **Description** The issue is related to Stored Cross-Site Scripting via the plugin's widgets due to insufficient input sanitization and output escaping on user-supplied attributes like `title tag`. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 5.7.2, update to a version that addresses the insufficient input sanitization and output escaping issue. As a temporary workaround, consider restricting access to the plugin's widgets for users with contributor-level access and above until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Spectra Pro plugin for WordPress versions up to, and including, 1.1.4 **Description** The issue is related to Stored Cross-Site Scripting via block ids due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages, which will execute whenever a user accesses an injected page. **Recommendations** For Spectra Pro plugin for WordPress versions up to, and including, 1.1.4, update to a version higher than 1.1.4 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: SiteOrigin Widgets Bundle plugin for WordPress versions up to, and including, 1.62.2 Description: The issue is related to Stored Cross-Site Scripting via the Image Grid widget due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Recommendations: For versions up to, and including, 1.62.2, update to a version that addresses the insufficient input sanitization and output escaping issue. As a temporary workaround, consider restricting access to the Image Grid widget for users with contributor-level access and above until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Elegant Themes Icons versions 1.3 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). This allows for Stored XSS attacks. **Recommendations** For Elegant Themes Icons versions 1.3 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Arkhe Blocks versions 2.22.1 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). This allows for Stored XSS attacks. **Recommendations** For versions 2.22.1 and earlier, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Caxton – Create Pro page layouts in Gutenberg versions 1.30.1 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). This allows for Stored XSS, which can be exploited. **Recommendations** For versions 1.30.1 and earlier, update to a version later than 1.30.1 to resolve the issue. At the moment, there is no information about other mitigation measures.

**Name of the Vulnerable Software and Affected Versions** Genesis Blocks plugin for WordPress versions up to, and including, 3.1.3 **Description** The issue is related to Stored Cross-Site Scripting via the plugin's Sharing block due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For Genesis Blocks plugin for WordPress versions up to, and including, 3.1.3, update to a version later than 3.1.3 to resolve the issue. As a temporary workaround, consider restricting access to the Sharing block for users with contributor-level access and above until a patch is available.