Prickly Cactus

**Name of the Vulnerable Software and Affected Versions** Slider Revolution versions 7.0.0 through 7.0.14 **Description** An issue exists where authenticated attackers with Contributor-level access or higher can extract sensitive data. This is achieved via the 'slider.get.full' AJAX Action, allowing the retrieval of raw social media API credentials stored in slider settings, specifically the `Instagram OAuth token`, `Flickr API key`, `YouTube Data API key`, and `Facebook App ID`. **Recommendations** Update Slider Revolution to a version later than 7.0.14. As a temporary workaround, restrict access to the 'slider.get.full' AJAX Action for users with Contributor-level permissions.

**Name of the Vulnerable Software and Affected Versions** Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder versions prior to 6.1.22 **Description** An Insecure Direct Object Reference (IDOR) exists due to missing authorization and ownership validation on a user controlled key in the Stripe SCA confirmation AJAX endpoint. This allows unauthenticated attackers to modify the payment status of targeted pending submissions, such as changing the status to "failed", by manipulating the `submission id` parameter. **Recommendations** Update the plugin to a version newer than 6.1.21. Avoid using the `submission id` parameter in the Stripe SCA confirmation AJAX endpoint until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Fluent Forms Pro versions up to and including 6.1.17 **Description** The Fluent Forms Pro plugin for WordPress is susceptible to Stored Cross-Site Scripting through the `fluentform step form save data` AJAX action. The draft form submission endpoint is publicly accessible without authentication or nonce verification. Insufficient input sanitization and output escaping of form field data allows unauthenticated attackers to inject arbitrary web scripts. These scripts execute when an administrator views a partial form entry. **Recommendations** Fluent Forms Pro versions prior to 6.1.17 should be updated.

**Name of the Vulnerable Software and Affected Versions** Fluent Forms Pro Add On Pack versions up to and including 6.1.17 **Description** The Fluent Forms Pro Add On Pack plugin for WordPress has a missing authorization issue. The `deleteFile()` method within the `Uploader` class does not properly verify nonces or check user capabilities. An AJAX action is publicly registered, creating both `wp ajax ` and `wp ajax nopriv ` hooks. This allows unauthenticated attackers to delete arbitrary WordPress media attachments by manipulating the `attachment id` parameter. The vulnerability is exploitable through the `attachment id` parameter, not the `path` parameter as initially reported. **Recommendations** Update Fluent Forms Pro Add On Pack to a version later than 6.1.17.

**Name of the Vulnerable Software and Affected Versions** Fluent Forms Pro Add On Pack for WordPress versions through 6.1.17 **Description** The software contains a flaw related to insufficient verification of data authenticity. Specifically, PayPal IPN (Instant Payment Notification) verification is disabled by default, with the `disable ipn verification` setting defaulting to `'yes'` in the `PayPalSettings.php` file. This allows unauthenticated attackers to send fraudulent PayPal IPN notifications to the publicly accessible IPN endpoint. Successful exploitation can mark unpaid form submissions as "paid," triggering subsequent post-payment automation, such as emails, access grants, and digital product delivery. The API endpoint involved is the publicly accessible IPN endpoint. The vulnerable parameter is the forged PayPal IPN notification data. **Recommendations** Versions prior to 6.1.17 should be updated to address this issue.