Nguyen Ngoc Quang Bach

**Name of the Vulnerable Software and Affected Versions** Jenkins LoadNinja Plugin versions 2.1 and earlier **Description** The Jenkins LoadNinja Plugin does not properly mask LoadNinja API keys as they are displayed on the job configuration form. This could allow attackers to observe and capture these keys. **Recommendations** Update to a newer version of the Jenkins LoadNinja Plugin that addresses this issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.554 and earlier Jenkins LTS versions 2.541.2 and earlier **Description** The software does not safely handle symbolic links when extracting .tar and .tar.gz archives. This allows crafted archives to write files to arbitrary locations on the filesystem, limited by the file system access permissions of the user running Jenkins. An attacker with Item/Configure permission, or control over agent processes, can exploit this to deploy malicious scripts or plugins on the controller. **Recommendations** Update Jenkins to a version later than 2.554. Update Jenkins LTS to a version later than 2.541.2.

**Name of the Vulnerable Software and Affected Versions** UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress versions through 1.2.44 **Description** The UsersWP plugin for WordPress is susceptible to a time-based SQL Injection issue due to insufficient escaping of user-supplied parameters and inadequate preparation of existing SQL queries. This allows unauthenticated attackers to append additional SQL queries, potentially extracting sensitive information from the database via the `upload file remove` function and the `htmlvar` parameter. **Recommendations** Update to version 1.2.45.

Name of the Vulnerable Software and Affected Versions: Arraytics Eventin versions n/a through 4.0.31 Description: Deserialization of untrusted data in Arraytics Eventin allows object injection. This issue impacts the application by enabling the injection of objects through deserialization processes. Recommendations: Update Arraytics Eventin to a version later than 4.0.31.

Name of the Vulnerable Software and Affected Versions: VonStroheim TheBooking versions n/a through 1.4.4 Description: TheBooking software contains a missing authorization flaw that allows access to functionality not properly constrained by Access Control Lists (ACLs). Recommendations: Update VonStroheim TheBooking to a version later than 1.4.4.

Name of the Vulnerable Software and Affected Versions: moshensky CF7 Spreadsheets versions through 2.3.2 Description: The vulnerability involves improper neutralization of input during web page generation, leading to a stored cross-site scripting (XSS) issue in moshensky CF7 Spreadsheets. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce versions prior to 3.1.50 **Description** The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is susceptible to Stored Cross-Site Scripting through the `organizer name` parameter. Insufficient input sanitization and output escaping allow unauthenticated attackers to inject arbitrary web scripts into pages. These scripts will execute when a user accesses an injected page. **Recommendations** Update WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce to version 3.1.50 or later.

**Name of the Vulnerable Software and Affected Versions** WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce versions up to and including 3.1.49 **Description** The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress contains a Stored Cross-Site Scripting issue due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrator-level access to inject arbitrary web scripts into pages, which will execute when a user accesses the injected page. This only affects multi-site installations and installations where unfiltered html has been disabled. **Recommendations** Update WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce to a version later than 3.1.49.

Name of the Vulnerable Software and Affected Versions: Arraytics Eventin versions through 4.0.28 Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Reflected XSS. Recommendations: For versions through 4.0.28, update to a version later than 4.0.28 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: aharonyan WP Front User Submit / Front Editor versions through 4.9.3 Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting. This allows for Reflected XSS in aharonyan WP Front User Submit / Front Editor. Recommendations: For versions through 4.9.3, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: EC Stars Rating versions 1.0.0 through 1.0.11 Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, allowing Stored XSS. This enables attackers to inject malicious scripts into web pages. Recommendations: For versions 1.0.0 through 1.0.11, update to a version that fixes the Stored XSS issue to prevent exploitation.

Name of the Vulnerable Software and Affected Versions: gioni Plugin Inspector versions n/a through 1.5 Description: The issue is related to an Improper Limitation of a Pathname to a Restricted Directory, also known as 'Path Traversal'. This allows for Path Traversal in the gioni Plugin Inspector. Recommendations: For versions n/a through 1.5, consider restricting access to sensitive directories to minimize the risk of exploitation until a patch is available.

Name of the Vulnerable Software and Affected Versions: douglaskarr Podcast Feed Player Widget and Shortcode versions 2.2.0 and earlier Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, allowing Stored XSS. This means that an attacker can inject malicious scripts into the web page, potentially leading to unauthorized actions. Recommendations: For douglaskarr Podcast Feed Player Widget and Shortcode versions 2.2.0 and earlier, update to a version later than 2.2.0 to resolve the issue. At the moment, there is no information about additional mitigation measures.

Name of the Vulnerable Software and Affected Versions: Theme Junkie Team Content versions 0.1.1 and earlier Description: The issue is related to improper neutralization of input during web page generation, which allows for DOM-Based XSS attacks. This can potentially lead to malicious scripts being executed on the client-side. Recommendations: For Theme Junkie Team Content versions 0.1.1 and earlier, update to a version that includes a fix for this issue, as no specific workaround is provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Pre-Publish Post Checklist versions 3.1 and earlier Description: The issue is related to a Missing Authorization vulnerability, which allows exploiting incorrectly configured access control security levels. Recommendations: For versions 3.1 and earlier, update to a version that contains a fix for this issue, as no specific workaround is provided in the given information. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Dilip kumar Beauty Contact Popup Form versions n/a through 6.0 Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Stored XSS in the Beauty Contact Popup Form. Recommendations: For versions n/a through 6.0, update to a version that fixes the Stored XSS issue to prevent exploitation.

Name of the Vulnerable Software and Affected Versions: My Resume Builder versions 1.0.3 and earlier Description: The issue is related to improper neutralization of input during web page generation, which allows for Stored Cross-site Scripting (XSS). This means that an attacker can inject malicious scripts into the application, potentially leading to unauthorized actions on behalf of other users. Recommendations: For My Resume Builder versions 1.0.3 and earlier, update to a version that fixes the Stored XSS issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Hand Talk versions n/a through 6.0 Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, allowing Stored XSS. This enables attackers to inject malicious scripts into the application, potentially affecting user sessions. Recommendations: For Hand Talk versions n/a through 6.0, update to a version later than 6.0 to resolve the issue. As a temporary workaround, consider restricting user input to prevent malicious script injection until a patch is available.

Name of the Vulnerable Software and Affected Versions: brijeshk89 IP Based Login versions n/a through 2.4.2 Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Stored XSS. This means that an attacker can inject malicious scripts into the website, potentially affecting users who access the compromised page. Recommendations: For versions n/a through 2.4.2, update to a version that fixes the Stored XSS issue to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: iamapinan PDPA Consent for Thailand versions 1.1.1 and earlier Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Stored XSS. This means that an attacker can inject malicious scripts into the web page, potentially leading to unauthorized access or data theft. Recommendations: For versions 1.1.1 and earlier, update to a version that fixes the Stored XSS issue to prevent exploitation. As a temporary workaround, consider restricting user input to prevent malicious scripts from being injected into the web page. Avoid using the vulnerable version of iamapinan PDPA Consent for Thailand until a patch is available.