Rafshanzani Suhada

**Name of the Vulnerable Software and Affected Versions** Dokan: AI Powered WooCommerce Multivendor Marketplace Solution versions prior to 4.3.2 **Description** Sensitive information exposure occurs via the '/dokan/v1/stores/{id}/reviews' REST API endpoint. The `prepare reviews for response()` method includes reviewer email addresses, usernames, and user IDs in the API response. This allows unauthenticated attackers to extract the email addresses, usernames, and user IDs of all customers who have left reviews on any vendor's store. This issue requires the Pro version of the plugin to be installed and activated, with store reviews enabled. **Recommendations** Update to a version later than 4.3.1. As a temporary workaround, disable store reviews or restrict access to the '/dokan/v1/stores/{id}/reviews' endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Quiz And Survey Master versions prior to 11.1.1 **Description** Insufficient input sanitization allows for arbitrary shortcode execution. The issue occurs because user-submitted quiz answer text is processed by `sanitize text field()` and `htmlspecialchars()`, which remove HTML tags but fail to encode or remove shortcode brackets. When quiz results are displayed, the plugin uses the `do shortcode()` function on the output, executing any injected shortcodes. Unauthenticated attackers can use this to inject shortcodes such as '[qsm result id=X]' to access other users' quiz submissions without authorization, as the `qsm result` shortcode does not perform authorization checks. **Recommendations** Update to a version later than 11.1.0.

**Name of the Vulnerable Software and Affected Versions** Smartsupp – live chat, AI shopping assistant and chatbots versions prior to 3.9.2 **Description** The Smartsupp – live chat, AI shopping assistant and chatbots plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is due to insufficient input sanitization and output escaping of the `code` parameter. Authenticated attackers with Subscriber-level access or higher can inject arbitrary web scripts into pages. These scripts will execute when a user accesses the affected page. **Recommendations** Update Smartsupp – live chat, AI shopping assistant and chatbots to version 3.9.2 or later.

**Name of the Vulnerable Software and Affected Versions** GDPR Cookie Consent plugin for WordPress versions up to and including 4.1.2 **Description** The plugin is susceptible to unauthorized data access because of a missing capability check on the `/gdpr/v1/settings` API endpoint. This allows unauthenticated attackers to retrieve sensitive plugin settings, including API tokens, email addresses, account IDs, and site keys. **Recommendations** Update the GDPR Cookie Consent plugin to a version later than 4.1.2.

**Name of the Vulnerable Software and Affected Versions** Web Accessibility by accessiBe versions up to and including 2.11 **Description** The Web Accessibility by accessiBe plugin for WordPress is susceptible to exposure of sensitive information. This occurs because the `accessibe render js in footer()` function logs the complete plugin options array to the browser console on public pages without appropriate restrictions. This allows unauthenticated attackers to view sensitive configuration data, including email addresses, accessiBe user IDs, account IDs, and license information, via the browser console when the widget is disabled. **Recommendations** Versions prior to 2.11 should be updated to a newer version that addresses this issue.

**Name of the Vulnerable Software and Affected Versions** Popup Builder – Create highly converting, mobile friendly marketing popups. versions prior to 4.4.3 **Description** The Popup Builder plugin for WordPress is susceptible to authorization bypass. This occurs because the plugin generates predictable unsubscribe tokens using deterministic data. An unauthenticated attacker can unsubscribe arbitrary subscribers from mailing lists by brute-forcing the unsubscribe token, provided they know the victim's email address. **Recommendations** Versions prior to 4.4.3 should be updated.

**Name of the Vulnerable Software and Affected Versions** ACF Photo Gallery Field versions prior to 3.1 **Description** The ACF Photo Gallery Field plugin for WordPress has a flaw that allows unauthorized modification of data. This is due to a missing capability check within the `acf photo gallery edit save` function. Authenticated attackers with subscriber-level access or higher can modify the title, caption, and custom metadata of media attachments. **Recommendations** Update ACF Photo Gallery Field to version 3.1 or later.

**Name of the Vulnerable Software and Affected Versions** Mesmerize Companion versions up to and including 1.6.158 **Description** The Mesmerize Companion plugin for WordPress is susceptible to unauthorized access and modification of data. This is due to a missing capability check within the `openPageInCustomizer` and `openPageInDefaultEditor` functions. Authenticated attackers with subscriber-level access or higher, on websites utilizing the Mesmerize theme, can exploit this to perform actions such as marking pages as maintainable, altering page template metadata, and modifying the default editor flag without appropriate authorization. **Recommendations** Update Mesmerize Companion to a version newer than 1.6.158.

**Name of the Vulnerable Software and Affected Versions** myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program versions up to and including 2.9.7.1 **Description** The software does not properly verify user authorization, allowing authenticated attackers with Subscriber-level access or higher to retrieve sensitive user information. Specifically, attackers can access user IDs, display names, and email addresses of all users on the site through the `get bank accounts` API endpoint. Passwords are not exposed. **Recommendations** Versions prior to 2.9.7.1 should be updated.

**Name of the Vulnerable Software and Affected Versions** myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin for WordPress versions through 2.9.7 **Description** The software does not properly verify user authorization, allowing unauthenticated attackers to perform actions without proper access. Specifically, attackers can approve withdrawal requests, modify user point balances, and manipulate the payment processing system. This is achieved through the `cashcred pay now` API endpoint. **Recommendations** Update to version 2.9.7.1 or later.

**Name of the Vulnerable Software and Affected Versions** Colibri Page Builder plugin for WordPress versions prior to 1.0.336 **Description** The Colibri Page Builder plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'colibri loop' shortcode. Insufficient input sanitization and output escaping on user-supplied attributes allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the affected page. **Recommendations** Update the Colibri Page Builder plugin to version 1.0.336 or later.

**Name of the Vulnerable Software and Affected Versions** WordPress Application Passwords plugin versions up to and including 0.1.3 **Description** The Application Passwords plugin for WordPress is susceptible to Reflected Cross-Site Scripting due to inadequate input sanitization and output escaping of user-supplied URLs. Specifically, the `reject url` parameter is vulnerable. This allows attackers to embed javascript: URI schemes within the `reject url` parameter. Successful exploitation requires tricking a user into clicking a malicious link, which then executes arbitrary web scripts when the user clicks the "No, I do not approve of this connection" button. The API endpoint involved is not explicitly mentioned. The vulnerable parameter is `reject url`. **Recommendations** Update WordPress Application Passwords plugin to a version later than 0.1.3.

**Name of the Vulnerable Software and Affected Versions** XCloner versions prior to 4.8.3 **Description** The Backup, Restore and Migrate your sites with XCloner plugin for WordPress is susceptible to Cross-Site Request Forgery due to missing or incorrect nonce validation on the `Xcloner Remote Storage:save()` function. This allows unauthenticated attackers to add or modify an FTP backup configuration through a forged request if they can trick a site administrator into performing an action, such as clicking a link. Successful exploitation enables an attacker to configure an attacker-controlled FTP site for backup storage and potentially exfiltrate sensitive site data. **Recommendations** Versions prior to 4.8.3 should be updated.

**Name of the Vulnerable Software and Affected Versions** WebP Express versions prior to 0.25.9 **Description** The WebP Express plugin for WordPress is susceptible to information disclosure through improperly randomized config file names when used with NGINX. This allows unauthenticated attackers to extract configuration data. The plugin does not properly randomize the name of the config file, enabling direct access. **Recommendations** Update the WebP Express plugin to a version newer than 0.25.9.

**Name of the Vulnerable Software and Affected Versions** The Visualizer: Tables and Charts Manager for WordPress plugin versions prior to 3.11.13 **Description** The software is susceptible to SQL Injection through the `query` parameter. Insufficient escaping of user-supplied input and inadequate SQL query preparation allow authenticated attackers with Contributor-level access or higher to inject additional SQL queries into existing ones. This can lead to the extraction of sensitive information from the database. Version 3.11.13 raises the minimum user-level required for exploitation to administrator. **Recommendations** Update to version 3.11.13 or later.

**Name of the Vulnerable Software and Affected Versions** UiPress lite versions prior to 3.5.09 **Description** The UiPress lite plugin for WordPress is susceptible to unauthorized data modification. This is due to a missing capability check within the `uip save site option()` function, allowing authenticated attackers with Subscriber-level access or higher to alter arbitrary plugin settings. Other AJAX actions are also affected. **Recommendations** Update UiPress lite to version 3.5.09 or later.

**Name of the Vulnerable Software and Affected Versions** Directorist versions up to and including 8.5.2 **Description** The Directorist plugin for WordPress is susceptible to unauthorized access. A missing capability check on the `directorist prepare listings export file` and `directorist type slug change` AJAX actions allows authenticated attackers with Subscriber-level access or higher to export listing details and modify the directory slug. The affected AJAX actions are: `directorist prepare listings export file` and `directorist type slug change`. **Recommendations** Update Directorist to a version later than 8.5.2.

**Name of the Vulnerable Software and Affected Versions** Quiz Maker plugin for WordPress versions up to and including 6.7.0.80 **Description** The Quiz Maker plugin for WordPress is affected by a sensitive information exposure issue. The plugin exposes quiz answers through the `ays quiz check answer` API endpoint without proper authorization checks. The endpoint validates a nonce, but this nonce is publicly available to all site visitors through the `quiz maker ajax public` localized script data. This allows unauthenticated attackers to extract sensitive data, including quiz answers for any quiz question. **Recommendations** Update the Quiz Maker plugin to a version beyond 6.7.0.80.

**Name of the Vulnerable Software and Affected Versions** VK All in One Expansion Unit plugin for WordPress versions prior to 9.112.1 **Description** The software is susceptible to Stored Cross-Site Scripting through the `vkExUnit cta url` and `vkExUnit cta button text` parameters. This is caused by a logic error in the CTA save function, where sanitization callbacks are read from an incorrect variable, preventing sanitization from being applied. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, which will execute when a user accesses the injected page. **Recommendations** Update the VK All in One Expansion Unit plugin to version 9.112.1 or later.

**Name of the Vulnerable Software and Affected Versions** VK All in One Expansion Unit plugin for WordPress versions prior to 9.112.1 **Description** The software is susceptible to Stored Cross-Site Scripting through the ` veu custom css` parameter. Insufficient input sanitization and output escaping on the user-supplied Custom CSS value allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts. These scripts execute when a user accesses an injected page. **Recommendations** Update the VK All in One Expansion Unit plugin to a version later than 9.112.1.