Prajal Kulkarni

**Name of the Vulnerable Software and Affected Versions** flog plugin version 0.1 for WordPress **Description** The issue is related to a Cross-Site Scripting (XSS) problem. **Recommendations** For flog plugin version 0.1, update to a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** spreadshirt-rss-3d-cube-flash-gallery plugin 2014 for WordPress **Description** The issue allows remote attackers to execute arbitrary web script or HTML via unspecified parameters, which can lead to Cross-site Scripting (XSS) attacks. **Recommendations** For the spreadshirt-rss-3d-cube-flash-gallery plugin 2014, consider disabling the plugin until a patch is available to prevent potential XSS attacks.

**Name of the Vulnerable Software and Affected Versions** Easy Career Openings plugin versions 0.4 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, which can lead to cross-site scripting (XSS) attacks. **Recommendations** For Easy Career Openings plugin versions 0.4 and earlier, consider disabling the plugin until a patch is available to prevent exploitation. As a temporary workaround, restrict access to the plugin's functionality to minimize the risk of XSS attacks. Avoid using unspecified parameters in the affected plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** WP-Planet plugin versions 0.1 and earlier **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `url` parameter in the `rss.class/scripts/magpie debug.php` file. **Recommendations** For WP-Planet plugin versions 0.1 and earlier, consider updating to a version that contains a fix for this issue, as using earlier versions poses a risk of XSS attacks. As a temporary workaround, restrict access to the `magpie debug.php` file to minimize the risk of exploitation. Avoid using the `url` parameter in the affected file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Conversador plugin versions 2.61 and earlier **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the `page` parameter. This can lead to the execution of malicious code on the client-side. **Recommendations** For Conversador plugin versions 2.61 and earlier, update to a version later than 2.61 to resolve the issue. As a temporary workaround, consider restricting access to the `page` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Ebay Feeds for WordPress plugin versions 1.1 and earlier **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `rss url` parameter in the magpie/scripts/magpie slashbox.php file. **Recommendations** For Ebay Feeds for WordPress plugin versions 1.1 and earlier, consider disabling access to the `rss url` parameter in the magpie/scripts/magpie slashbox.php file until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Import Legacy Media plugin versions 0.1 and earlier for WordPress **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `filename` parameter to "getid3/demos/demo.mimeonly.php". **Recommendations** For Import Legacy Media plugin versions 0.1 and earlier, consider disabling the plugin until a patch is available to prevent exploitation. Restrict access to the "getid3/demos/demo.mimeonly.php" endpoint to minimize the risk of XSS attacks. Avoid using the `filename` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Rezgo Online Booking plugin versions prior to 1.8.2 **Description** The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to security breaches. This is achieved via the `tags` or `search for` parameter in the templates/default/index ajax.php file. **Recommendations** For versions prior to 1.8.2, update to version 1.8.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the templates/default/index ajax.php file or disabling the use of the `tags` and `search for` parameters until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Social Connect plugin versions 1.0.4 and earlier **Description** The issue is related to a cross-site scripting (XSS) vulnerability. It allows remote attackers to inject arbitrary web script or HTML via the `testing` parameter in the diagnostics/test.php file. **Recommendations** For Social Connect plugin versions 1.0.4 and earlier, consider updating to a version that contains a fix for this issue, as using earlier versions poses a risk. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Spotlight (spotlightyour) plugin versions 4.7 and earlier for WordPress **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `paymentType` parameter in the `library/includes/payment/paypalexpress/DoDirectPayment.php` file. **Recommendations** For Spotlight (spotlightyour) plugin versions 4.7 and earlier, consider restricting access to the vulnerable `DoDirectPayment.php` file until a patch is available. Avoid using the `paymentType` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ToolPage plugin versions 1.6.1 and earlier for WordPress **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `t` parameter in the includes/getTipo.php file. This could potentially lead to unauthorized actions on the affected website. **Recommendations** For ToolPage plugin versions 1.6.1 and earlier, update to a version later than 1.6.1 to resolve the issue. As a temporary workaround, consider restricting access to the includes/getTipo.php file or disabling the `t` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** wphotfiles plugin versions 1.0.0 and earlier **Description** A cross-site scripting issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via the `mediaid` parameter in the tpls/editmedia.php file. **Recommendations** For wphotfiles plugin versions 1.0.0 and earlier, avoid using the `mediaid` parameter in the tpls/editmedia.php file until a fix is available. Consider temporarily restricting access to the tpls/editmedia.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** WP Silverlight Media Player plugin version 0.8 and earlier **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `post id` parameter in the uploader.php file. **Recommendations** For WP Silverlight Media Player plugin version 0.8 and earlier, consider disabling the uploader.php file or restricting access to it until a patch is available. Avoid using the `post id` parameter in the affected uploader.php file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** WP Plugin Manager (wppm) plugin version 1.6.4.b and earlier **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `filter` parameter in the wp-plugins-net/index.php file. This could potentially lead to unauthorized actions on the affected website. **Recommendations** For WP Plugin Manager (wppm) plugin version 1.6.4.b and earlier, update to a version later than 1.6.4.b to resolve the issue. As a temporary workaround, consider restricting access to the wp-plugins-net/index.php file or disabling the `filter` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WP Social Invitations plugin versions prior to 1.4.4.3 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `xhrurl` parameter in the test.php file. **Recommendations** For versions prior to 1.4.4.3, update to version 1.4.4.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the test.php file or avoiding the use of the `xhrurl` parameter until the update is applied.

**Name of the Vulnerable Software and Affected Versions** WP-Business Directory plugin versions 1.0.2 and earlier **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the forms/search.php file of the WP-Business Directory plugin for WordPress. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the `edit`, `search term`, `page id`, `page`, or `page links` parameters. **Recommendations** For WP-Business Directory plugin versions 1.0.2 and earlier, consider updating to a version that contains a fix for this issue, as using outdated versions poses a significant risk. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP Ultimate Email Marketer plugin versions 1.1.0 and earlier **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. The vulnerable parameters are the `listname` and `contact` parameters in the contact/edit.php file. **Recommendations** For WP Ultimate Email Marketer plugin versions 1.1.0 and earlier, update to a version later than 1.1.0 to resolve the issue. As a temporary workaround, consider restricting access to the contact/edit.php file to minimize the risk of exploitation. Avoid using the `listname` and `contact` parameters in the affected file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Your Text Manager plugin versions 0.3.0 and earlier **Description** A cross-site scripting issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via the `ytmpw` parameter in the settings/pwsettings.php file. **Recommendations** For Your Text Manager plugin versions 0.3.0 and earlier, update to a version later than 0.3.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WordPress Social Login plugin versions 2.0.3 and earlier **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `xhrurl` parameter in the services/diagnostics.php file. **Recommendations** For WordPress Social Login plugin versions 2.0.3 and earlier, update to a version later than 2.0.3 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** dsSearchAgent: WordPress Edition plugin version 1.0-beta10 and earlier **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This allows remote attackers to inject arbitrary web script or HTML via the `action` parameter in the client-assist.php file. **Recommendations** For dsSearchAgent: WordPress Edition plugin version 1.0-beta10 and earlier, update to a version later than 1.0-beta10 to resolve the issue. As a temporary workaround, consider restricting access to the client-assist.php file to minimize the risk of exploitation. Avoid using the `action` parameter in the affected API endpoint until the issue is resolved.