Nicolas Decayeux

**Name of the Vulnerable Software and Affected Versions** The Events Calendar plugin for WordPress versions up to, and including, 6.2.8.2 **Description** The issue allows unauthenticated attackers to extract potentially sensitive data, including post titles and IDs of pending, private, and draft posts, via the route function hooked into `wp ajax nopriv tribe dropdown`. This enables the exposure of sensitive information. **Recommendations** For versions up to, and including, 6.2.8.2, update to a version later than 6.2.8.2 to resolve the issue. As a temporary workaround, consider restricting access to the `wp ajax nopriv tribe dropdown` route function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** UpdraftPlus: WordPress Backup & Migration Plugin versions up to, and including, 1.23.10 **Description** The issue is related to Cross-Site Request Forgery due to a lack of nonce validation and insufficient validation of the `instance id` on the 'updraftmethod-googledrive-auth' action. This allows unauthenticated attackers to modify the Google Drive location where backups are sent by tricking a site administrator into performing an action, potentially giving attackers access to sensitive information. **Recommendations** For versions up to, and including, 1.23.10, update to a version that includes nonce validation and proper `instance id` validation for the 'updraftmethod-googledrive-auth' action to prevent Cross-Site Request Forgery attacks. As a temporary workaround, consider restricting access to the 'updraftmethod-googledrive-auth' action to minimize the risk of exploitation.