Norbert Hofmann

Name of the Vulnerable Software and Affected Versions: GamiPress versions prior to 1.0.1 Description: The issue concerns the lack of CSRF check when updating settings, which could allow attackers to make a logged-in administrator change them via a CSRF attack. This could potentially permit attackers to modify the configuration of the plugin. Recommendations: For versions prior to 1.0.1, update to version 1.0.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the settings update functionality to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: WP MultiTasking WordPress plugin versions 0.1.12 and earlier Description: The WP MultiTasking WordPress plugin does not have a CSRF check when updating its permalink suffix settings, which could allow attackers to make logged-in administrators perform such actions via a CSRF attack. Recommendations: For WP MultiTasking WordPress plugin versions 0.1.12 and earlier, consider disabling the plugin until a patch is available to prevent exploitation. As a temporary workaround, restrict access to the permalink suffix settings to minimize the risk of exploitation. Avoid using the plugin's settings update functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: WP MultiTasking WordPress plugin versions 0.1.12 and earlier Description: The issue concerns a lack of CSRF check when updating Header, Footer, and Body Script Settings. This could allow attackers to make logged-in admins perform such actions via a CSRF attack. Recommendations: For WP MultiTasking WordPress plugin versions 0.1.12 and earlier, consider disabling the update functionality for Header, Footer, and Body Script Settings until a patch is available. Restrict access to these settings to minimize the risk of exploitation. Avoid using the plugin's settings update feature until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** adstxt Plugin WordPress plugin version 1.0.0 **Description** The issue is related to the lack of a CSRF check when updating settings in the adstxt Plugin WordPress plugin. This could allow attackers to make a logged-in admin change settings via a CSRF attack. **Recommendations** For version 1.0.0, consider disabling the settings update functionality until a patch is available to prevent potential CSRF attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP MultiTasking WordPress plugin versions 0.1.12 and earlier **Description** The issue is related to the lack of CSRF protection when updating settings in the WP MultiTasking WordPress plugin. This could allow attackers to make a logged-in admin change settings via a CSRF attack. **Recommendations** For WP MultiTasking WordPress plugin versions 0.1.12 and earlier, consider disabling the settings update functionality until a patch is available to prevent potential CSRF attacks. Restrict access to the plugin's settings to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP MultiTasking WordPress plugin versions 0.1.12 and earlier **Description** The issue is related to the lack of a CSRF check when updating settings in the WP MultiTasking WordPress plugin. This could allow attackers to make a logged-in admin change settings via a CSRF attack. **Recommendations** For versions 0.1.12 and earlier, as a temporary workaround, consider disabling the settings update functionality until a patch is available. Restrict access to the plugin's settings to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP MultiTasking WordPress plugin versions 0.1.12 and earlier **Description** The issue is related to a lack of CSRF check when updating welcome popups, which could allow attackers to make logged admins perform such actions via a CSRF attack. **Recommendations** For WP MultiTasking WordPress plugin versions 0.1.12 and earlier, update to a version that includes a CSRF check for welcome popup updates. As a temporary workaround, consider restricting access to the welcome popup update functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WP MultiTasking WordPress plugin versions 0.1.12 and earlier **Description** The issue is related to a lack of CSRF check when updating exit popups, which could allow attackers to make logged admins perform such actions via a CSRF attack. This could enable attackers to perform unauthorized actions. **Recommendations** For WP MultiTasking WordPress plugin versions 0.1.12 and earlier, update to a version that includes a CSRF check for exit popup updates to prevent exploitation. As a temporary workaround, consider restricting access to the exit popup update functionality to minimize the risk of unauthorized actions.

**Name of the Vulnerable Software and Affected Versions** Organization chart plugin for WordPress versions up to, and including, 1.5.0 **Description** The issue arises from insufficient input sanitization and output escaping, allowing authenticated attackers with Subscriber-level access and above to inject arbitrary web scripts in pages via the `title input` and `node description` parameters. This enables the execution of injected scripts whenever a user accesses an injected page. By default, exploitation is limited to administrators, but subscribers can also exploit this if they have been granted the ability to use and configure charts. **Recommendations** For versions up to, and including, 1.5.0, update to a version that addresses the insufficient input sanitization and output escaping issue to prevent exploitation. As a temporary workaround, consider restricting access to the `title input` and `node description` parameters to minimize the risk of arbitrary web script injection. Additionally, limiting the ability to use and configure charts to administrators only can help reduce the attack surface until a fix is applied.

Name of the Vulnerable Software and Affected Versions: ContentLock WordPress plugin versions 1.0.0 through 1.0.3 Description: The issue is related to the lack of a CSRF check when updating settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. Recommendations: For ContentLock WordPress plugin versions 1.0.0 through 1.0.3, consider disabling the settings update functionality until a patch is available. Restrict access to the settings update module to minimize the risk of exploitation. Avoid using the plugin's settings update feature until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: ContentLock WordPress plugin versions 1.0.0 through 1.0.3 Description: The issue concerns a lack of CSRF check when adding emails, which could allow attackers to make a logged-in admin perform such an action via a CSRF attack. Recommendations: For ContentLock WordPress plugin versions 1.0.0 through 1.0.3, consider disabling the email addition feature until a patch is available to prevent potential CSRF attacks.