Nguyen C

**Name of the Vulnerable Software and Affected Versions** Royal Addons for Elementor versions prior to 1.7.1057 **Description** The Royal Addons for Elementor plugin for WordPress allows unauthorized modification of data due to a missing capability check on the `wpr update form action meta` AJAX action. The handler is registered on both `wp ajax` and `wp ajax nopriv` hooks, making it accessible to unauthenticated users. While a nonce (`wpr-addons-js`) is verified, it is publicly exposed in frontend JavaScript via `WprConfig.nonce` on pages loading Royal Addons widgets, rendering the protection ineffective. The endpoint lacks capability or ownership checks and directly calls the `update post meta()` function with user-controlled input on a whitelisted set of form action meta keys. This allows unauthenticated attackers to modify form action configuration metadata, including email, submissions, Mailchimp, and webhook settings on any post, which could lead to webhook or email action tampering and data exfiltration via modified webhook URLs. **Recommendations** Update the plugin to a version later than 1.7.1056.

Name of the Vulnerable Software and Affected Versions The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress versions through 7.8.10.2 Description The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is susceptible to unauthorized data modification. A missing capability check on the `hustle module converted` AJAX action allows unauthenticated attackers to forge conversion tracking events for any Hustle module, including draft modules. This manipulation can affect marketing analytics and conversion statistics. Recommendations Update to a version beyond 7.8.10.2

**Name of the Vulnerable Software and Affected Versions** Phlox Theme plugin for WordPress versions through 2.17.13 **Description** The Shortcodes and extra features for Phlox theme plugin for WordPress is susceptible to information disclosure. This issue affects the `auxels ajax search` component due to inadequate restrictions on post inclusion. An unauthenticated attacker can potentially extract titles of draft posts that they are not authorized to view. **Recommendations** Update the Phlox Theme plugin to a version beyond 2.17.13.

**Name of the Vulnerable Software and Affected Versions** Advanced Product Fields (Product Addons) for WooCommerce plugin for WordPress versions prior to 1.6.18 **Description** The software is susceptible to Cross-Site Request Forgery (CSRF). This is a result of inadequate or missing nonce validation within the `maybe duplicate` function. An unauthenticated attacker can exploit this to duplicate and publish product field groups, including those in draft or pending states, by deceiving a site administrator into performing an action, such as clicking a malicious link. **Recommendations** Update the Advanced Product Fields (Product Addons) for WooCommerce plugin to version 1.6.18 or later.