Nitin Venkatesh

**Name of the Vulnerable Software and Affected Versions** WP Attachment Export WordPress plugin versions prior to 0.2.4 **Description** The issue concerns a lack of proper access controls, allowing unauthenticated users to download XML data containing details of attachments and posts on a WordPress site. **Recommendations** For WP Attachment Export WordPress plugin versions prior to 0.2.4, update to version 0.2.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WordPress Mobile Pack plugin versions prior to 2.1.3 **Description** The issue allows remote attackers to obtain sensitive information because the content of a privately published post is sent in JSON format through the export/content.php exportarticle feature. **Recommendations** For WordPress Mobile Pack plugin versions prior to 2.1.3, update to version 2.1.3 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: WordPress versions prior to 4.9.5 Description: The issue arises from the version string not being properly escaped in the get the generator function, potentially leading to XSS in a generator tag. Recommendations: For versions prior to 4.9.5, update to version 4.9.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** MoinMoin versions prior to 1.9.10 **Description** A cross-site scripting (XSS) issue exists in the link dialogue of the GUI editor, allowing remote attackers to inject arbitrary web script or HTML. **Recommendations** For versions prior to 1.9.10, update to version 1.9.10 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Google Analyticator Wordpress Plugin versions prior to 6.4.9.3 rev @1183563 **Description** The issue is related to a cross-site request forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For versions prior to 6.4.9.3 rev @1183563, update to version 6.4.9.3 rev @1183563 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** StageShow plugin versions prior to 5.0.9 **Description** The issue allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the `url` parameter in the Redirect function in stageshow redirect.php. **Recommendations** For versions prior to 5.0.9, update to version 5.0.9 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Roomcloud plugin versions prior to 1.3 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via several parameters in the roomcloud.php file. The vulnerable parameters include `pin`, `start day`, `start month`, `start year`, `end day`, `end month`, `end year`, `lang`, `adults`, and `children`. **Recommendations** For Roomcloud plugin versions prior to 1.3, update to version 1.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the roomcloud.php file or validating and sanitizing the input for the vulnerable parameters to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Encrypted Contact Form plugin versions prior to 1.1 **Description** A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks. This is achieved via the `iframe url` parameter in an Update Page action in the conformconf page to "wp-admin/options-general.php". **Recommendations** For Encrypted Contact Form plugin versions prior to 1.1, update to version 1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the conformconf page and the wp-admin/options-general.php endpoint to minimize the risk of exploitation. Avoid using the `iframe url` parameter in the affected Update Page action until the issue is resolved.