Niv Kochan

**Name of the Vulnerable Software and Affected Versions** Fluent Forms versions prior to 6.2.2 **Description** Insufficient path validation in the `getAttachments()` function of `EmailNotificationActions` allows authenticated attackers with administrator access to read arbitrary files accessible by the web-server user, such as `wp-config.php` containing database credentials and authentication salts. The issue occurs because attacker-supplied file-upload URLs are resolved into filesystem paths without ensuring the path remains within the WordPress uploads directory. A prefix check using `strpos()` can be bypassed with traversal sequences, as `wp normalize path()` does not resolve `...` segments, which are subsequently resolved by `file exists()` at the kernel level. An attacker can exploit this by submitting a form where the admin notification is configured to attach a file-upload field and providing a crafted URL in the format `<upload baseurl>/../../<target>` as the file-field value. The targeted file is then attached to the outbound admin-notification email via `wp mail()`. **Recommendations** Update the plugin to a version later than 6.2.1.

**Name of the Vulnerable Software and Affected Versions** LatePoint versions prior to 5.5.1 **Description** The LatePoint plugin for WordPress contains a Stored Cross-Site Scripting issue. The problem occurs at the customer cabinet profile update endpoint because the `OsCustomerModel` does not override `params to sanitize()`, allowing raw POST parameters `first name`, `last name`, `phone`, and `notes` to be stored unsanitized in the database via `set data()`. Additionally, the `generate preview()` function fails to use `esc html()` when injecting these values into notification template HTML using `str replace()`. Authenticated attackers with customer-level access or higher can inject arbitrary web scripts that execute in the browser of an administrator or agent when a notification template referencing variables such as `customer full name`, `customer first name`, `customer last name`, `customer phone`, or `customer notes` is previewed. **Recommendations** Update the plugin to a version later than 5.5.0.