Pablo Santiago

**Name of the Vulnerable Software and Affected Versions** Quick Playground versions prior to 1.3.5 **Description** The Quick Playground plugin for WordPress contains a path traversal flaw. The `qckply data()` function processes the `filename` POST parameter and passes it to `file get contents()` without proper validation, sanitization, or path restrictions. This allows authenticated attackers with Administrator-level access or higher to read arbitrary files on the server, such as `wp-config.php` or `/etc/passwd`. This issue is exploitable only if the site is running on `playground.wordpress.net` or has been synced with WordPress Playground, indicated by the `is qckply clone` option being set. **Recommendations** Update the plugin to a version later than 1.3.4. As a temporary mitigation, restrict access to the `qckply data()` function or ensure the `is qckply clone` option is disabled if not required.

**Name of the Vulnerable Software and Affected Versions** Beehive Forum version 1.5.2 **Description** Beehive Forum version 1.5.2 has a host header injection flaw in the forgot password feature. This allows attackers to alter password reset requests. By injecting a malicious host header, attackers can intercept password reset tokens and change victim account passwords without needing to authenticate directly. The affected functionality involves manipulating password reset requests. **Recommendations** Apply a fix for the host header injection flaw in the forgot password functionality.

**Name of the Vulnerable Software and Affected Versions** Schben Adive version 2.0.7 **Description** The issue allows remote unprivileged users, such as editors or developers, to create an administrator account. This can be achieved via the `admin/user/add` endpoint, as demonstrated by a Python proof-of-concept script. **Recommendations** For Schben Adive version 2.0.7, consider restricting access to the `admin/user/add` endpoint until a patch is available. As a temporary workaround, limit the ability of unprivileged users to create new administrator accounts. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BearDev JoomSport plugin version 3.3 **Description** The issue allows SQL injection, which can be used to steal, modify, or delete database information. This is achieved via the `joomsport season/new-yorkers/?action=playerlist` API endpoint, specifically through the `sid` parameter. **Recommendations** For BearDev JoomSport plugin version 3.3, consider restricting access to the `joomsport season/new-yorkers/?action=playerlist` API endpoint to minimize the risk of exploitation. Avoid using the `sid` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.