Nicolai Hellesnes

**Name of the Vulnerable Software and Affected Versions** WP to LinkedIn Auto Publish plugin for WordPress versions up to and including 1.9.8 **Description** The WP to LinkedIn Auto Publish plugin for WordPress is susceptible to Reflected Cross-Site Scripting via PostMessage. This is due to inadequate input sanitization and output escaping. An unauthenticated attacker could inject arbitrary web scripts into pages, which would execute if a user is tricked into performing an action, such as clicking a link. **Recommendations** Update the WP to LinkedIn Auto Publish plugin to a version later than 1.9.8.

**Name of the Vulnerable Software and Affected Versions** The Social Media Auto Publish plugin for WordPress versions up to and including 3.6.5 **Description** The software is susceptible to Reflected Cross-Site Scripting through the `PostMessage` parameter due to inadequate input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts into pages. Successful exploitation requires tricking a user into performing an action, such as clicking a link, to execute the injected scripts. **Recommendations** Update The Social Media Auto Publish plugin to a version later than 3.6.5.

**Name of the Vulnerable Software and Affected Versions** Link Whisper Free plugin for WordPress versions up to and including 0.8.8 **Description** The Link Whisper Free plugin for WordPress is susceptible to Reflected Cross-Site Scripting due to inadequate input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts into pages. Successful exploitation requires tricking a user into performing an action, such as clicking a link. The vulnerability affects the `type` parameter. **Recommendations** Update the Link Whisper Free plugin to a version newer than 0.8.8.

**Name of the Vulnerable Software and Affected Versions** WP Twitter Auto Publish versions prior to 1.7.4 **Description** The WP Twitter Auto Publish plugin for WordPress is susceptible to Reflected Cross-Site Scripting via PostMessage. This is due to insufficient input sanitization and output escaping. An unauthenticated attacker could inject arbitrary web scripts into pages, which would execute if a user is tricked into performing an action, such as clicking a link. **Recommendations** Update the WP Twitter Auto Publish plugin to version 1.7.4 or later.

**Name of the Vulnerable Software and Affected Versions** ArtiBot Free Chat Bot for WebSites plugin for WordPress versions through 1.1.7 **Description** The software is susceptible to Reflected Cross-Site Scripting via PostMessage due to inadequate input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts into pages. Successful exploitation requires tricking a user into performing an action, such as clicking a link. **Recommendations** Update to a version later than 1.1.7.

**Name of the Vulnerable Software and Affected Versions** WP2Social Auto Publish versions through 2.4.7 **Description** The WP2Social Auto Publish plugin for WordPress is susceptible to Reflected Cross-Site Scripting via PostMessage due to inadequate input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts into pages. Successful exploitation requires tricking a user into performing an action, such as clicking a link. **Recommendations** Update WP2Social Auto Publish to a version later than 2.4.7.

**Name of the Vulnerable Software and Affected Versions** FunnelCockpit plugin for WordPress versions up to and including 1.4.2 **Description** The plugin is susceptible to Reflected Cross-Site Scripting via the `error` parameter due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts into pages that will execute if an administrative user is tricked into performing an action, such as clicking a link. **Recommendations** Update the FunnelCockpit plugin to a version later than 1.4.2.

**Name of the Vulnerable Software and Affected Versions** EUCookieLaw plugin for WordPress versions up to and including 2.7.2 **Description** The issue allows unauthenticated attackers to read the contents of arbitrary files on the server, potentially containing sensitive information, via the `file get contents` function. This can be exploited if a caching plugin, such as W3 Total Cache, is installed and activated. **Recommendations** For EUCookieLaw plugin for WordPress versions up to and including 2.7.2, consider disabling the plugin until a patch is available to prevent exploitation. Additionally, restrict access to sensitive files on the server to minimize the risk of information disclosure. As a temporary workaround, consider disabling caching plugins like W3 Total Cache to reduce the vulnerability's impact.