Prashant Karman Patel

**Name of the Vulnerable Software and Affected Versions** jQuery Reply to Comment WordPress plugin versions 1.31 and earlier **Description** The issue concerns a Stored Cross-Site Scripting problem. It arises because the plugin lacks a CSRF check when saving its settings and does not properly sanitise or escape its `Quote String` and `Reply String` settings before outputting them in comments. **Recommendations** For jQuery Reply to Comment WordPress plugin versions 1.31 and earlier, consider disabling the plugin until a patch is available to prevent potential exploitation. Restrict access to the settings page to minimize the risk of unauthorized changes. Avoid using the `Quote String` and `Reply String` settings in comments until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Per page add to head WordPress plugin versions prior to 1.4.4 **Description** The issue is related to the lack of CSRF checks when saving settings, which could allow attackers to make changes to the settings of a logged-in admin. Additionally, the plugin allows arbitrary HTML to be inserted in one of its settings, leading to a potential Stored XSS issue. This could be triggered in the backend, frontend, or both, depending on the payload used. **Recommendations** For versions prior to 1.4.4, update to version 1.4.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings page to minimize the risk of exploitation. Avoid using the plugin's feature that allows arbitrary HTML insertion until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Per page add to head WordPress plugin versions 1.4.4 and earlier **Description** The issue allows malicious HTML to be inserted by high privilege users, even when the unfiltered html capability is disallowed, which could lead to Cross-Site Scripting issues. This occurs due to improper sanitization of one of the plugin's settings. **Recommendations** For Per page add to head WordPress plugin versions 1.4.4 and earlier, update to a version later than 1.4.4 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Shantz WordPress QOTD WordPress plugin versions 1.2.2 and earlier **Description** The issue is related to the lack of a CSRF check when updating settings, allowing attackers to make logged-in administrators change them to arbitrary values. This could potentially lead to unauthorized changes in the plugin's settings. **Recommendations** For Shantz WordPress QOTD WordPress plugin versions 1.2.2 and earlier, consider disabling the settings update functionality until a patch is available to prevent potential exploitation. Restrict access to the plugin's settings to minimize the risk of unauthorized changes. At the moment, there is no information about a newer version that contains a fix for this vulnerability.