Ren Voza

**Name of the Vulnerable Software and Affected Versions** WP Travel Pro versions prior to 10.6.1 **Description** The plugin allows unauthenticated attackers to delete arbitrary user accounts, including administrators. This occurs via the '/wp-json/wp-travel/v1/travel-guide/{user id}' REST API endpoint because the `check permission()` callback unconditionally returns true and the `Database::delete()` method passes the `user id` variable directly to `wp delete user()` without performing role validation. **Recommendations** Update to a version later than 10.6.0. As a temporary workaround, restrict access to the '/wp-json/wp-travel/v1/travel-guide/{user id}' endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Account Switcher versions prior to 1.0.3 **Description** The Account Switcher plugin for WordPress allows authenticated attackers with Subscriber-level access or higher to escalate privileges to any user account, including Administrator. This occurs because the 'rememberLogin' REST API endpoint uses a loose comparison for secret validation and fails to verify that the secret is non-empty. If a target user has not used the Remember me feature, the `asSecret` user meta is empty, allowing an attacker to provide an empty `secret` parameter to bypass validation and trigger `wp set auth cookie()` for the target user. Furthermore, all REST routes utilize `permission callback => ' return true'`, which bypasses necessary capability checks. **Recommendations** Update the plugin to a version later than 1.0.2. As a temporary workaround, restrict access to the 'rememberLogin' REST API endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FOX – Currency Switcher Professional for WooCommerce versions prior to 1.4.6 **Description** The plugin is susceptible to unauthorized data loss because the `admin head()` function lacks a proper capability check. Authenticated users with Contributor-level access or higher can delete the entire multi-currency configuration by accessing any wp-admin page with the `woocs reset` parameter. The absence of nonce verification also allows this action to be performed via Cross-Site Request Forgery (CSRF)—a technique where an attacker tricks a victim into performing an action they did not intend—against administrators. Furthermore, Subscriber-level users may exploit this if the site configuration permits them access to wp-admin pages. **Recommendations** Update the plugin to a version later than 1.4.5.

The WeePie Cookie Allow plugin for WordPress is vulnerable to SQL Injection via the 'consent' parameter in all versions up to, and including, 3.4.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

**Name of the Vulnerable Software and Affected Versions** App Builder – Create Native Android & iOS Apps On The Flight versions prior to 5.6.1 **Description** An Insecure Direct Object Reference (IDOR) exists due to missing authorization validation in the `upload avatar()` function. The `/wp-json/app-builder/v1/upload-avatar` endpoint accepts an attacker-controlled `user id` parameter from the POST request body and updates user meta without verifying if the authenticated requester has permission to modify the target account. This allows authenticated attackers with Subscriber-level access or higher to overwrite the profile avatar of any user, including administrators. **Recommendations** Update to a version later than 5.6.0. As a temporary workaround, restrict access to the `/wp-json/app-builder/v1/upload-avatar` endpoint or disable the `upload avatar()` function until the update is applied.

**Name of the Vulnerable Software and Affected Versions** AcyMailing versions 9.11.0 through 10.8.1 **Description** A missing capability check on the 'wp ajax acymailing router' AJAX handler allows authenticated attackers with Subscriber-level access or higher to access admin-only controllers, including configuration management. This flaw enables the activation of the autologin feature and the creation of a malicious newsletter subscriber with an injected `cms id` pointing to any user, allowing the attacker to authenticate as that user, including administrators. **Recommendations** Update to version 10.8.2.

**Name of the Vulnerable Software and Affected Versions** Woocommerce Custom Product Addons Pro versions prior to 5.4.2 **Description** The Woocommerce Custom Product Addons Pro plugin for WordPress is susceptible to Remote Code Execution. This occurs because of inadequate sanitization and validation of user-supplied field values before they are passed to PHP's `eval()` function. The `sanitize values()` method removes HTML tags but does not escape single quotes or prevent PHP code injection. This allows unauthenticated attackers to execute arbitrary code on the server by submitting a crafted value to a WCPA text field configured with a custom pricing formula (pricingType: "custom" with {this.value}). The vulnerable code resides in the `process custom formula()` function within the includes/process/price.php file. **Recommendations** Versions prior to 5.4.2 should be updated.

**Name of the Vulnerable Software and Affected Versions** Master Addons for Elementor Premium plugin for WordPress versions up to and including 2.1.3 **Description** The Master Addons for Elementor Premium plugin for WordPress is susceptible to Remote Code Execution via the `JLTMA Widget Admin::render preview` function. This is due to a missing capability check, allowing authenticated attackers with Subscriber-level access or higher to execute code on the server. **Recommendations** Versions prior to 2.1.4 should be updated.

**Name of the Vulnerable Software and Affected Versions** Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) versions through 4.9.54 **Description** The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress has an issue with file type validation. Specifically, the `uni cpo upload file` function allows unauthenticated attackers to upload arbitrary files to the server. This could potentially lead to remote code execution. **Recommendations** Update to a version later than 4.9.54.