Nguyen Hung

**Name of the Vulnerable Software and Affected Versions** The Events Calendar for GeoDirectory plugin for WordPress versions prior to 2.3.29 **Description** Authenticated attackers with Subscriber-level access or higher can elevate their privileges to Administrator. This occurs because the `ajax ayi action()` handler fails to use an allow-list when processing the `type` and `postid` variables from the `$ POST` array, applying only `strip tags(esc sql())` before passing them to the `update ayi data()` function. This function subsequently calls `update user meta()`, allowing an attacker to write `['subscriber'=>true,'administrator'=>'administrator']` into their own `wp capabilities` user meta by setting `type` to `wp capabilities` and `postid` to `administrator`. Consequently, `WP User::get role caps()` recognizes the `administrator` key as an active role during the next request. **Recommendations** Update the plugin to a version later than 2.3.28.

**Name of the Vulnerable Software and Affected Versions** Hippoo Mobile App for WooCommerce versions prior to 1.9.5 **Description** An authentication bypass exists that allows for administrator account takeover. The issue stems from a logic conflation in the `get user permissions()` function within `HippooPermissions`, which returns an identical null sentinel for both administrators and unauthenticated visitors. The `has role access()` function interprets this value as full administrator access, leading `override extension permission callback()` to assign ` return true` as the permission callback for all WordPress and WooCommerce REST routes cloned under the '/wc-hippoo/v1/ext/' endpoint by `re register external routes()`. Additionally, the `block unauthorized access()` pre-dispatch guard fails to block unauthenticated users due to the same logic error. This allows unauthenticated attackers to invoke core REST endpoints without credentials, specifically by sending a POST request to '/wc-hippoo/v1/ext/wp/v2/users/<id>' with a `password` variable in the request body to reset the password of any user, including the site administrator. **Recommendations** Update to a version later than 1.9.4.

**Name of the Vulnerable Software and Affected Versions** Drag and Drop Multiple File Upload for Contact Form 7 versions prior to 1.3.9.7 **Description** Insufficient file type validation occurs when custom blacklist types are configured, as the system replaces the default dangerous extension denylist instead of merging with it. Additionally, the `wpcf7 antiscript file name()` function can be bypassed using filenames containing non-ASCII characters. This allows unauthenticated attackers to upload arbitrary files, such as PHP files, to the server, potentially leading to remote code execution. **Recommendations** Update to a version later than 1.3.9.6.