Quốc Huy

**Name of the Vulnerable Software and Affected Versions** Blocksy versions prior to 2.1.36 **Description** Insufficient input sanitization in the `blocksy sanitize post meta options()` function allows authenticated attackers with contributor-level access or higher to store serialized PHP object strings in post meta. The function only blocks values containing '<' or '>', failing to prevent the injection of serialized objects. When the V200 database migration occurs, the `SearchReplacer::run recursively()` function unconditionally deserializes all string values using `@unserialize()` without restricting allowed classes. This process can trigger the `RaiiPattern:: destruct()` function of an injected `BlocksyRaiiPattern` object, leading to remote code execution by executing arbitrary PHP callables via `call user func()`. This issue is accessible via the 'blocksy meta' REST API field. **Recommendations** Update to version 2.1.36 or later. As a temporary mitigation, restrict access to the 'blocksy meta' REST API field for users with contributor-level permissions.

**Name of the Vulnerable Software and Affected Versions** Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder versions prior to 3.4.8 **Description** The plugin is susceptible to unauthorized email sending because the `send test email()` function lacks a proper capability check. This allows authenticated users with Subscriber-level permissions or higher to send test emails to any arbitrary address from the server. **Recommendations** Update to a version later than 3.4.7. As a temporary workaround, restrict access to the `send test email()` function to prevent unauthorized users from triggering email transmissions.

Name of the Vulnerable Software and Affected Versions Optimole – Optimize Images plugin for WordPress versions through 4.2.2 Description The Optimole – Optimize Images plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is caused by inadequate input sanitization and output escaping of the `s` parameter (srcset descriptor) within the unauthenticated /wp-json/optimole/v1/optimizations REST endpoint. The endpoint employs HMAC signature and timestamp validation, but these values are exposed in the frontend HTML. The plugin utilizes sanitize text field() which strips HTML tags but does not escape double quotes, and the poisoned descriptor is stored in transients and injected into the srcset attribute without proper escaping. Recommendations Update to a version beyond 4.2.2

Name of the Vulnerable Software and Affected Versions Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress versions through 1.4.9 Description The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is susceptible to unauthorized data access. This is due to a missing capability check within the `entries shortcode()` function. Authenticated attackers with Contributor-level access or higher can extract all form submissions, including sensitive information such as names, email addresses, and phone numbers. Recommendations Versions prior to 1.5.0 should be updated.

**Name of the Vulnerable Software and Affected Versions** WordPress Download Manager plugin versions up to and including 3.3.49 **Description** The Download Manager plugin for WordPress is susceptible to unauthorized data access. A missing capability check on the `reviewUserStatus()` function allows authenticated attackers with Subscriber-level access or higher to retrieve sensitive user information. This information includes email addresses, display names, and registration dates. **Recommendations** Update WordPress Download Manager plugin to a version later than 3.3.49.

**Name of the Vulnerable Software and Affected Versions** Royal Addons for Elementor – Addons and Templates Kit for Elementor versions prior to 1.7.1049 **Description** The Royal Addons for Elementor plugin for WordPress is susceptible to Information Exposure due to insufficient restrictions on post inclusion within the `get main query args()` function. This allows unauthenticated attackers to extract contents from non-public custom post types, including Contact Form 7 submissions and WooCommerce coupons. **Recommendations** Update Royal Addons for Elementor – Addons and Templates Kit for Elementor to version 1.7.1049 or later.

**Name of the Vulnerable Software and Affected Versions** GetGenie plugin for WordPress versions through 4.3.2 **Description** The GetGenie plugin for WordPress is susceptible to an Insecure Direct Object Reference issue due to missing validation on a user-controlled key within the `action` function. This allows authenticated attackers with Author-level access or higher to modify post metadata for any post. The lack of input sanitization, combined with this issue, can lead to Stored Cross-Site Scripting when a user with higher privileges, such as an Administrator, views the "Competitor" tab in the GetGenie sidebar of an affected post. The vulnerable parameter is a user-controlled key used in the `action` function. **Recommendations** Update the GetGenie plugin to a version later than 4.3.2.

**Name of the Vulnerable Software and Affected Versions** WP ULike versions up to and including 5.0.1 **Description** The WP ULike plugin for WordPress is susceptible to Stored Cross-Site Scripting through the `[wp ulike likers box]` shortcode `template` attribute. This occurs because `html entity decode()` is used on shortcode attributes without proper output sanitization, bypassing WordPress’s `wp kses post()` content filtering. Authenticated attackers with Contributor-level access or higher can inject malicious web scripts into pages. These scripts will execute when a user accesses the affected page, but only if the post has at least one like. The vulnerable parameter is `template`. **Recommendations** Update WP ULike to a version newer than 5.0.1.

**Name of the Vulnerable Software and Affected Versions** Greenshift – animation and page builder blocks versions through 12.8.3 **Description** The Greenshift plugin for WordPress is susceptible to exposure of sensitive information. This occurs due to the automated Settings Backup being stored in a publicly accessible file, allowing unauthenticated attackers to extract data. Compromised data includes API keys for OpenAI, Claude, Google Maps, Gemini, DeepSeek, and Cloudflare Turnstile. **Recommendations** Versions prior to 12.8.3 should be updated.

**Name of the Vulnerable Software and Affected Versions** WP-Members Membership Plugin versions up to and including 3.5.5.1 **Description** The WP-Members Membership Plugin for WordPress is susceptible to SQL Injection through the `order by` attribute of the [wpmem user membership posts] shortcode. This is caused by inadequate escaping of user-supplied parameters and insufficient preparation of the existing SQL query. Authenticated attackers with Contributor-level access or higher can append additional SQL queries to existing queries, potentially allowing them to extract sensitive information from the database. **Recommendations** Versions prior to and including 3.5.5.1 should be updated.

**Name of the Vulnerable Software and Affected Versions** Blocksy theme for WordPress versions up to and including 2.1.30 **Description** The Blocksy theme for WordPress is susceptible to Stored Cross-Site Scripting through the `blocksy meta` metadata fields. Insufficient input sanitization and output escaping allow authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. The vulnerable parameter is `blocksy meta`. **Recommendations** Update to a version of the Blocksy theme for WordPress later than 2.1.30.

**Name of the Vulnerable Software and Affected Versions** WP Mail Logging versions prior to 1.15.1 **Description** The WP Mail Logging plugin for WordPress is susceptible to PHP Object Injection in versions up to and including 1.15.0. This occurs due to the deserialization of untrusted input from the email log message field. The `BaseModel` class constructor uses `maybe unserialize()` on database properties without proper validation, allowing attackers to inject a PHP Object through a double-serialized payload. This payload can be submitted through any public-facing form that sends email, such as Contact Form 7. When an administrator views the logged email, the malicious payload is deserialized. The impact of this issue is limited unless another plugin or theme containing a PHP Object Payload (POP) chain is installed, which could allow actions like file deletion, data retrieval, or code execution. **Recommendations** Update WP Mail Logging to version 1.15.1 or later.

**Name of the Vulnerable Software and Affected Versions** WP Accessibility plugin for WordPress versions prior to 2.3.2 **Description** The WP Accessibility plugin for WordPress is susceptible to Stored DOM-Based Cross-Site Scripting through the 'alt' attribute of images processed by the "Long Description UI" feature. The issue arises because the plugin’s JavaScript retrieves the alt attribute using `getAttribute()` and concatenates it into `innerHTML` and `insertAdjacentHTML` calls without sufficient sanitization or escaping. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. Exploitation requires the "Long Description UI" setting to be enabled and set to "Link to description." **Recommendations** Update the WP Accessibility plugin to version 2.3.2 or later.

**Name of the Vulnerable Software and Affected Versions** WP Recipe Maker versions prior to 10.3.3 **Description** The software is susceptible to an Insecure Direct Object Reference (IDOR) issue. The `/wp-json/wp-recipe-maker/v1/integrations/instacart` API endpoint has a permission check set to always return true, and lacks authorization checks on the `recipeId` parameter provided by the user. This allows unauthenticated attackers to modify arbitrary post metadata (`wprm instacart combinations`) using the `recipeId` parameter. **Recommendations** Update WP Recipe Maker to version 10.3.3 or later.

**Name of the Vulnerable Software and Affected Versions** The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress versions through 6.4.7 **Description** The software contains a flaw due to insufficient verification of data authenticity. The plugin decrypts and trusts attacker-controlled `email data` in an unauthenticated AJAX handler without cryptographic authenticity guarantees. This allows attackers to manipulate form email routing and redirection values, potentially triggering unauthorized email relay and redirection via the `email data` parameter. The affected component is an AJAX handler. **Recommendations** Update to version 6.4.8 or later.