Quentin Villain

Name of the Vulnerable Software and Affected Versions: Contact Form Advanced Database WordPress plugin versions 1.0.8 and earlier Description: The issue concerns the lack of authorization and CSRF checks in the `delete cf7 data` and `export cf7 data` AJAX actions, which are accessible to any authenticated users. This could allow users with a role as low as subscriber to call these actions, potentially leading to arbitrary metadata deletion. Additionally, if a suitable gadget chain is present in another plugin, it could result in PHP Object Injection, as user data is passed to the `maybe unserialize()` function without validation. Recommendations: For Contact Form Advanced Database WordPress plugin versions 1.0.8 and earlier, consider disabling the `delete cf7 data` and `export cf7 data` AJAX actions until a patch is available to add proper authorization and CSRF checks. Restrict access to these actions to minimize the risk of exploitation. Avoid using the `maybe unserialize()` function with unvalidated user data in the affected AJAX endpoints. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: The Ultimate NoFollow WordPress plugin versions 1.4.8 and earlier Description: The issue allows users with a role as low as contributor to perform Cross-Site Scripting attacks due to the lack of sanitization and escaping of the `href` attribute in the plugin's shortcodes. Recommendations: For The Ultimate NoFollow WordPress plugin versions 1.4.8 and earlier, consider updating to a version that addresses this issue, as no specific fix is provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Tawk.To Live Chat WordPress plugin versions prior to 0.6.0 Description: The issue concerns the lack of capability and CSRF checks in the `tawkto setwidget` and `tawkto removewidget` AJAX actions, which are available to any authenticated user. This allows low-privileged users, including simple subscribers, to change the `tawkto-embed-widget-page-id` and `tawkto-embed-widget-widget-id` parameters, effectively linking the vulnerable website to their own Tawk.to instance. As a result, they can monitor the website, interact with its visitors by receiving and answering contact messages, and display an arbitrary Knowledge Base. Additionally, the `tawkto removewidget` action can remove the live chat widget from pages. Recommendations: For versions prior to 0.6.0, update to version 0.6.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `tawkto setwidget` and `tawkto removewidget` AJAX actions to prevent unauthorized changes. Additionally, restrict the ability to change the `tawkto-embed-widget-page-id` and `tawkto-embed-widget-widget-id` parameters to only trusted users.

Name of the Vulnerable Software and Affected Versions: Batch Cat WordPress plugin versions 0.3 and earlier Description: The issue allows any authenticated user, including simple subscribers, to add, set, or delete arbitrary categories to posts. This is because the plugin defines 3 custom AJAX actions that require authentication but are available for all roles. Recommendations: For Batch Cat WordPress plugin versions 0.3 and earlier, update to a version that fixes this issue to restrict access to custom AJAX actions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.