WordPress · Demon Image Annotation Plugin · CVE-2022-4171
**Name of the Vulnerable Software and Affected Versions**
Demon Image Annotation plugin for WordPress, versions up to and including 5.0
**Description**
The issue arises from improper input validation in the plugin when handling the text supplied for an annotation. The plugin provides a setting that limits the number of characters an annotation may contain, but it fails to enforce that limit when the annotation is submitted, so unauthenticated attackers can bypass the length restriction and store more characters than the setting allows.
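As an added illustration of the missing check (this is not the plugin's own code), the handler below enforces the configured limit when the annotation is submitted rather than relying on the form in the browser; the option key, AJAX action and nonce action are assumed names, and only standard WordPress functions are used.

```php
<?php
// Added example, not code from the Demon Image Annotation plugin.
// Assumed names: option 'dia_max_chars', AJAX action 'dia_save_annotation',
// nonce action 'dia_annotate'.

// Register the same handler for logged-in and unauthenticated submissions.
add_action( 'wp_ajax_dia_save_annotation',        'dia_handle_save_annotation' );
add_action( 'wp_ajax_nopriv_dia_save_annotation', 'dia_handle_save_annotation' );

/**
 * Validate annotation text against the configured limit.
 * Returns the sanitized text, or a WP_Error when the limit is exceeded.
 */
function dia_validate_annotation( $raw, $max_chars ) {
    $text = sanitize_textarea_field( wp_unslash( (string) $raw ) );
    $max  = max( 1, (int) $max_chars );
    // Count characters, not bytes, so multibyte input is measured the way
    // the settings page describes the limit.
    if ( mb_strlen( $text, 'UTF-8' ) > $max ) {
        return new WP_Error(
            'dia_too_long',
            sprintf( 'Annotation exceeds the limit of %d characters.', $max )
        );
    }
    return $text;
}

function dia_handle_save_annotation() {
    // Reject forged requests before looking at the payload.
    check_ajax_referer( 'dia_annotate', 'nonce' );

    // The admin-configured limit; 200 is a constructed default.
    $limit  = get_option( 'dia_max_chars', 200 );
    $result = dia_validate_annotation( $_POST['annotation'] ?? '', $limit );

    if ( is_wp_error( $result ) ) {
        // Refuse the request; nothing is stored when the limit is exceeded.
        wp_send_json_error( $result->get_error_message(), 400 );
    }

    // Persist $result here (for example with add_post_meta), then respond.
    wp_send_json_success();
}
```

The point is that the limit read from the plugin's settings is applied to every submission path, including the unauthenticated one, so a client that ignores the form's maxlength gains nothing.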
**Recommendations**
For Demon Image Annotation plugin for WordPress versions up to and including 5.0, consider disabling the annotation feature until a patch is available to prevent exploitation. Restrict access to the plugin's settings to minimize the risk of attackers modifying the input validation settings. Avoid using the plugin for sensitive annotations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.