Patchstack

**Name of the Vulnerable Software and Affected Versions** Newses versions prior to 2.0.0.78 **Description** A missing authorization issue allows for the exploitation of incorrectly configured access control security levels. **Recommendations** Update to a version newer than 2.0.0.77.

**Name of the Vulnerable Software and Affected Versions** Gift Cards For WooCommerce Pro versions prior to 4.2.7 **Description** An unrestricted file upload issue allows the use of malicious files with dangerous types. This flaw has been confirmed to be exploited in the wild. **Recommendations** Update to a version newer than 4.2.6.

**Name of the Vulnerable Software and Affected Versions** Royal Elementor Addons versions prior to 1.7.1053 **Description** Improper neutralization of input during web page generation allows for Stored Cross-Site Scripting (XSS), a flaw where malicious scripts are permanently stored on the target server and later executed in the browser of a user visiting the affected page. **Recommendations** Update to version 1.7.1053 or later.

**Name of the Vulnerable Software and Affected Versions** Discount Rules for WooCommerce plugin for WordPress versions up to, and including, 2.0.2 **Description** The issue is related to missing authorization via several AJAX actions due to missing capability checks on various functions. This allows subscriber-level attackers to execute various actions, such as modifying rules and saving configurations. **Recommendations** For versions up to, and including, 2.0.2, update the Discount Rules for WooCommerce plugin to a version later than 2.0.2 to mitigate the risk of exploitation. As a temporary workaround, consider restricting access to the vulnerable AJAX actions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** pretix Widget WordPress plugin versions 1.0.0 through 1.0.5 **Description** The issue is a Local File Inclusion vulnerability in the pretix Widget WordPress plugin, which affects the plugin on Windows and allows PHP Local File Inclusion. This vulnerability is remotely exploitable. **Recommendations** For versions 1.0.0 through 1.0.5, upgrade to a version higher than 1.0.5 to mitigate the risk. As a temporary workaround, consider restricting access to sensitive files and directories to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Advanced Custom Fields PRO versions prior to 6.2.10 **Description** A Path Traversal vulnerability, also known as Improper Limitation of a Pathname to a Restricted Directory, was discovered in Advanced Custom Fields PRO during a planned security audit. This issue allows for PHP Local File Inclusion. **Recommendations** For versions prior to 6.2.10, update to version 6.2.10 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive files and directories to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Advanced Custom Fields PRO versions prior to 6.2.10 **Description** A Code Injection vulnerability was discovered in Advanced Custom Fields PRO due to improper control of code generation. This issue was identified during a planned security audit. **Recommendations** For versions prior to 6.2.10, update to version 6.2.10 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive areas of the application to minimize the risk of exploitation.