Phat Rio - Bluerock

**Name of the Vulnerable Software and Affected Versions** Quiz And Survey Master versions through 10.2.5 **Description** Deserialization of untrusted data in ExpressTech Systems Quiz And Survey Master allows for object injection. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Drag and Drop File Upload for Elementor Forms versions n/a through 1.5.3 **Description** The Drag and Drop File Upload for Elementor Forms WordPress plugin is susceptible to an unrestricted file upload issue. This allows for the upload of a Web Shell to a web server. Attackers can exploit this to upload malicious files. **Recommendations** Drag and Drop File Upload for Elementor Forms versions prior to 1.5.3 should be updated.

**Name of the Vulnerable Software and Affected Versions** Ovatheme Events versions through 1.2.8 **Description** The software contains an Improper Control of Filename for Include/Require Statement, leading to a PHP Local File Inclusion issue. **Recommendations** Versions prior to 1.2.8 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: ELEXtensions ReachShip WooCommerce Multi-Carrier & Conditional Shipping versions through 4.3.1 Description: An unrestricted file upload vulnerability exists that allows the use of malicious files. This issue impacts e-commerce platforms utilizing the affected plugin. Recommendations: Disable the plugin until a fix is available. Tighten upload restrictions to prevent the upload of dangerous file types.

Name of the Vulnerable Software and Affected Versions: Mitchell Bennis Simple File List versions through 6.1.14 Description: An improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in Mitchell Bennis Simple File List, allowing path traversal. Recommendations: Update to a version later than 6.1.14.

Name of the Vulnerable Software and Affected Versions: epiphyt Form Block versions n/a through 1.5.5 Description: An unrestricted file upload issue exists in epiphyt Form Block, allowing the upload of a web shell to a web server. This enables malicious actors to potentially gain control of the server. Recommendations: Update epiphyt Form Block to a version later than 1.5.5.

Name of the Vulnerable Software and Affected Versions: Easy Form Builder versions through 3.8.15 Description: The software contains an improper neutralization of special elements used in an SQL command, resulting in a blind SQL injection issue. Recommendations: Update Easy Form Builder to a version later than 3.8.15.

Name of the Vulnerable Software and Affected Versions: ExpressTech Systems Quiz And Survey Master versions through 10.2.4 Description: The software contains a SQL Injection issue due to improper neutralization of special elements used in an SQL command. This allows for potential unauthorized access. Recommendations: Update ExpressTech Systems Quiz And Survey Master to a version later than 10.2.4.

Name of the Vulnerable Software and Affected Versions: Cube Portfolio versions n/a through 1.16.8 Description: Cube Portfolio is susceptible to a SQL injection issue due to improper neutralization of special elements within SQL commands. This allows for potential SQL injection attacks. Recommendations: Update Cube Portfolio to a version later than 1.16.8.

Name of the Vulnerable Software and Affected Versions: Sofass versions 1.3.4 and earlier Description: The issue is related to an Improper Control of Filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion', which allows PHP Local File Inclusion. This means that an attacker could potentially include and execute local files on the server, leading to unauthorized access or code execution. Recommendations: For Sofass versions 1.3.4 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: BZOTheme Zenny versions 1.7.5 and earlier Description: The issue is related to an Improper Control of Filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion', which allows PHP Local File Inclusion in BZOTheme Zenny. Recommendations: For BZOTheme Zenny versions 1.7.5 and earlier, update to a version that fixes this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: thembay Puca versions n/a through 2.6.33 Description: The issue is related to an Improper Control of Filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion', which allows PHP Local File Inclusion. This is a type of security vulnerability that can be exploited by manipulating the filename parameter in include or require statements, potentially allowing an attacker to execute arbitrary PHP code. Recommendations: For thembay Puca versions n/a through 2.6.33, update to a version that fixes the Improper Control of Filename for Include/Require Statement issue to prevent PHP Local File Inclusion attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: FocuxTheme WPKit For Elementor versions 1.1.0 and earlier Description: The issue is related to a Missing Authorization vulnerability that allows Privilege Escalation in FocuxTheme WPKit For Elementor. Recommendations: For FocuxTheme WPKit For Elementor versions 1.1.0 and earlier, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: ApusWP Domnoo versions 1.49 and earlier Description: The issue is related to an Improper Control of Filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion', which allows PHP Local File Inclusion in ApusWP Domnoo. Recommendations: For ApusWP Domnoo versions 1.49 and earlier, update to a version that fixes this issue, as no specific workaround is provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: BZOTheme PrintXtore versions 1.7.5 and earlier Description: The issue is related to an Improper Control of Filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion', which allows PHP Local File Inclusion. This means that an attacker could potentially include and execute local files on the server, leading to unauthorized access or code execution. Recommendations: For BZOTheme PrintXtore versions 1.7.5 and earlier, update to a version that fixes the Improper Control of Filename for Include/Require Statement issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** thembay Lasa versions 1.1 and earlier **Description** The issue is related to an Improper Control of Filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion', which allows PHP Local File Inclusion. This is a type of security vulnerability that can be exploited by manipulating the filename used in include or require statements in PHP programs. **Recommendations** For thembay Lasa versions 1.1 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** thembay Besa versions n/a through 2.3.8 **Description** The issue is related to an Improper Control of Filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion', which allows PHP Local File Inclusion. This means that an attacker could potentially include and execute local files on the server, leading to unauthorized access or code execution. **Recommendations** For thembay Besa versions n/a through 2.3.8, update to a version later than 2.3.8 to resolve the issue. At the moment, there is no information about other specific mitigation measures for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** thembay Fana versions 1.1.28 and earlier **Description** The issue is related to improper control of filename for include/require statement in PHP program, also known as 'PHP Remote File Inclusion' vulnerability. This allows PHP Local File Inclusion. **Recommendations** For thembay Fana versions 1.1.28 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NasaTheme Flozen (affected versions not specified) **Description** The issue allows for the unrestricted upload of files with dangerous types, enabling an attacker to upload a web shell to a web server. This can lead to further exploitation and potential control of the server. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** thembay Aora versions 1.3.9 and earlier **Description** The issue is related to improper control of filename for include/require statement in PHP program, also known as 'PHP Remote File Inclusion' vulnerability. This allows PHP Local File Inclusion. **Recommendations** For thembay Aora versions 1.3.9 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.