Niraj Mahajan

**Name of the Vulnerable Software and Affected Versions** GetPaid Plugin version 2.4.6 **Description** An HTML injection issue allows authenticated attackers to inject arbitrary HTML code, including image tags and scripts, by exploiting the Help Text field in payment forms. The injected code is stored in the database and executed in the browser when the form is viewed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Dynamics 365 Customer Insights (affected versions not specified) **Description** The issue is related to the failure to properly secure the web page structure in Microsoft Dynamics 365 Customer Insights, allowing a remote attacker to conduct spoofing attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Login using WordPress Users (WP as SAML IDP) versions prior to 1.13.4 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks when the unfiltered html capability is disallowed, for example in a multisite setup. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 1.13.4, update to version 1.13.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the unfiltered html capability to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WordPress Security Firewall, Malware Scanner, Secure Login and Backup plugin versions prior to 4.2.1 **Description** The issue allows malicious users with administrator privileges to store malicious Javascript code, leading to Cross-Site Scripting attacks when unfiltered html is disallowed, such as in a multisite setup. This occurs due to the plugin's failure to properly sanitise and escape some of its settings. **Recommendations** For versions prior to 4.2.1, update to version 4.2.1 or later to resolve the issue. As a temporary workaround, consider restricting administrator privileges to trusted users only until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Limit Login Attempts WordPress plugin versions prior to 4.0.72 **Description** The issue allows malicious users with administrator privileges to store malicious Javascript code, leading to Cross-Site Scripting attacks when unfiltered html is disallowed, such as in a multisite setup. **Recommendations** For versions prior to 4.0.72, update to version 4.0.72 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Google Authenticator WordPress plugin versions prior to 1.0.5 **Description** The issue allows attackers to perform Cross-Site Scripting attacks by making a logged-in admin change settings without proper CSRF checks and input sanitization and escaping. **Recommendations** For Google Authenticator WordPress plugin versions prior to 1.0.5, update to version 1.0.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** miniOrange's Google Authenticator WordPress plugin versions prior to 5.5.6 **Description** The issue allows malicious users with administrator privileges to store malicious Javascript code, leading to Cross-Site Scripting attacks when unfiltered html is disallowed, such as in a multisite setup. **Recommendations** For versions prior to 5.5.6, update to version 5.5.6 or later to resolve the issue. As a temporary workaround, consider restricting administrator privileges and ensuring proper input validation and sanitization for all plugin settings.

**Name of the Vulnerable Software and Affected Versions** Login With OTP Over SMS, Email, WhatsApp and Google Authenticator WordPress plugin versions prior to 1.0.8 **Description** The issue allows high privilege users, such as admins, to perform Cross-Site Scripting attacks, even when the unfiltered html is disallowed, due to the plugin not escaping its settings. **Recommendations** For versions prior to 1.0.8, update to version 1.0.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings for high privilege users until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Malware Scanner WordPress plugin versions prior to 4.5.2 **Description** The issue allows malicious users with administrator privileges to store malicious Javascript code, leading to Cross-Site Scripting attacks when unfiltered html is disallowed, such as in multisite setups. **Recommendations** For versions prior to 4.5.2, update to version 4.5.2 or later to resolve the issue. As a temporary workaround, consider restricting administrator privileges and monitoring plugin settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** User Meta WordPress plugin versions prior to 2.4.3 **Description** The issue allows high privilege users to perform Cross-Site Scripting attacks due to the lack of sanitization and escaping of the Form Name and Shared Field Labels in the admin dashboard when editing a form. This could be exploited even when unfiltered html is disallowed. **Recommendations** For versions prior to 2.4.3, update to version 2.4.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin dashboard for high privilege users until the update is applied.

**Name of the Vulnerable Software and Affected Versions** WP Social Buttons WordPress plugin versions through 2.1 **Description** The issue allows high privilege users, such as admins, to perform cross-Site Scripting attacks due to the lack of sanitization and escaping of its settings. This can occur even when the unfiltered html capability is disallowed. **Recommendations** For WP Social Buttons WordPress plugin versions through 2.1, consider updating to a version that addresses the sanitization and escaping of settings to prevent cross-Site Scripting attacks. As a temporary workaround, restrict administrative access to trusted users only.

**Name of the Vulnerable Software and Affected Versions** Page Restriction WordPress plugin versions prior to 1.2.7 **Description** The issue allows bad actors with administrator privileges to the settings page to inject Javascript code to its settings, leading to stored Cross-Site Scripting that will only affect administrator users. **Recommendations** For versions prior to 1.2.7, update to version 1.2.7 or later to resolve the issue.