Rafael Castilho

**Name of the Vulnerable Software and Affected Versions** The Event Manager and Tickets Selling for WooCommerce WordPress plugin versions prior to 3.5.8 **Description** The issue concerns a lack of validation and escaping for the `post author gutenberg` parameter in SQL statements when creating or editing events. This could allow users with a role as low as contributor to perform SQL Injection attacks. **Recommendations** For versions prior to 3.5.8, update to version 3.5.8 or later to resolve the issue. As a temporary workaround, consider restricting the ability to create or edit events to higher roles until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** Testimonial WordPress Plugin versions prior to 1.4.7 **Description** The issue arises from the lack of validation and escaping of the `id` parameter before its use in a SQL statement, leading to SQL Injection when retrieving a testimonial to edit. **Recommendations** For versions prior to 1.4.7, update to version 1.4.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Testimonial WordPress Plugin versions prior to 1.4.7 **Description** The issue is related to a Reflected cross-Site Scripting problem. It occurs because the `id` parameter is not properly sanitised and escaped before being outputted back in an attribute. This allows for potential malicious script injection. **Recommendations** For versions prior to 1.4.7, update to version 1.4.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected attribute that outputs the `id` parameter until a patch is applied.