Rezaduty

**Name of the Vulnerable Software and Affected Versions** 8Degree Themes Coming Soon Landing Page and Maintenance Mode WordPress Plugin versions 2.2.0 and earlier **Description** The issue is related to a Missing Authorization vulnerability, which allows for broken access control and the retrieval of embedded sensitive data. Users are urged to update to the latest version to mitigate risks. **Recommendations** Update the 8Degree Themes Coming Soon Landing Page and Maintenance Mode WordPress Plugin to the latest version to secure the WordPress site. As a temporary workaround, consider restricting access to sensitive data until the plugin is updated.

**Name of the Vulnerable Software and Affected Versions** Limit Login Attempts (Spam Protection) plugin for WordPress versions up to, and including, 5.3 **Description** The issue arises from insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the `X-Forwarded-For` header with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in. **Recommendations** For Limit Login Attempts (Spam Protection) plugin for WordPress versions up to, and including, 5.3, update to a version later than 5.3 to resolve the issue. As a temporary workaround, consider restricting access to the `X-Forwarded-For` header to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WordPress Visitors plugin for WordPress version 1.0 **Description** The WordPress Visitors plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a spoofed HTTP Header value due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the nm vistior page. **Recommendations** For version 1.0, update to a version that addresses the insufficient input sanitization and output escaping issue to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the nm vistior page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Limit Login Attempts Plus plugin for WordPress versions up to, and including, 1.1.0 **Description** The issue arises from insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. This allows attackers to supply the `X-Forwarded-For` header with a different IP Address that will be logged, potentially bypassing settings that block specific IP addresses or countries from logging in. **Recommendations** For versions up to, and including, 1.1.0, consider disabling the IP Address logging feature until a patch is available, or restrict access to the login functionality to minimize the risk of exploitation. Avoid relying solely on the `X-Forwarded-For` header for IP Address information.

**Name of the Vulnerable Software and Affected Versions** Security, Antivirus, Firewall – S.A.F plugin for WordPress versions up to, and including, 2.3.5 **Description** The issue is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the `X-Forwarded-For` header with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address from logging in. **Recommendations** For Security, Antivirus, Firewall – S.A.F plugin for WordPress versions up to, and including, 2.3.5, consider updating to a version that addresses the IP Address Spoofing issue. As a temporary workaround, consider restricting the use of the `X-Forwarded-For` header to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Web Application Firewall plugin for WordPress versions up to, and including, 2.1.2 **Description** The issue arises from insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can exploit this by supplying the `X-Forwarded-For` header with a different IP Address, which will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in. **Recommendations** For versions up to, and including, 2.1.2, consider updating to a version that addresses this issue, as the current version allows attackers to manipulate the IP address logged by the system, potentially bypassing security restrictions. As a temporary workaround, consider restricting access to the `X-Forwarded-For` header to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The IP Vault – WP Firewall plugin for WordPress versions up to, and including, 1.1 **Description** The issue is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the `X-Forwarded-For` header with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in. **Recommendations** For versions up to, and including, 1.1, consider restricting access to the `X-Forwarded-For` header to minimize the risk of exploitation. As a temporary workaround, review and update the request logging and login restrictions settings to account for potential IP address spoofing. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LOGIN AND REGISTRATION ATTEMPTS LIMIT plugin for WordPress versions up to, and including, 2.1 **Description** The issue is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the `X-Forwarded-For` header with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address from logging in. **Recommendations** For versions up to, and including, 2.1, consider restricting access to the `X-Forwarded-For` header to minimize the risk of exploitation. As a temporary workaround, review and adjust the IP address logging and login restriction settings to account for potential spoofing.

**Name of the Vulnerable Software and Affected Versions** NetBox versions up to 3.7.0 **Description** A problematic issue has been found in the processing of the file /core/config-revisions of the component Home Page Configuration. The manipulation with the input `<h1 onload=alert(1)>`test`</h1>` leads to cross site scripting. The attack may be initiated remotely. The real existence of this vulnerability is still doubted at the moment. **Recommendations** For versions up to 3.7.0, as a temporary workaround, consider restricting access to the /core/config-revisions file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Popup Maker – Popup for opt-ins, lead gen, & more versions 1.17.1 and earlier **Description** The issue is related to the exposure of sensitive information to an unauthorized actor. This can potentially lead to unauthorized access to confidential data. There is no information provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For versions 1.17.1 and earlier, update to a version later than 1.17.1 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** File Manager – 100% Free & Open Source File Manager Plugin for WordPress versions n/a through 5.2.7 **Description** The issue is related to Deserialization of Untrusted Data, which affects the File Manager plugin for WordPress. **Recommendations** For versions n/a through 5.2.7, update to a version later than 5.2.7 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** German Krutov LOGIN AND REGISTRATION ATTEMPTS LIMIT plugin versions <= 2.1 **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For German Krutov LOGIN AND REGISTRATION ATTEMPTS LIMIT plugin versions <= 2.1, update to a version higher than 2.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** chronoengine.Com Chronoforms plugin versions prior to 7.0.9 **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For versions prior to 7.0.9, update to a version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Logaster Logo Generator plugin versions prior to 1.4 **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This means an attacker could potentially trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For versions prior to 1.4, update to version 1.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WP Basic Elements plugin versions prior to 5.2.15 **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This means an attacker could potentially trick a user into performing unintended actions on a web application. **Recommendations** For WP Basic Elements plugin versions prior to 5.2.15, update to version 5.2.15 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Viadat Creations Store Locator for WordPress with Google Maps – LotsOfLocales plugin versions <= 3.98.7 **Description** The issue is a Cross-Site Request Forgery (CSRF) vulnerability. This means an attacker can trick a user into performing unintended actions on a web application that the user is authenticated to. No information is provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For versions <= 3.98.7, update to a version higher than 3.98.7 to resolve the issue. At the moment, there is no information about other mitigation measures for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ClickFunnels plugin versions <= 3.1.1 **Description** The issue is a Cross-Site Request Forgery (CSRF) vulnerability. This means an attacker can trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For ClickFunnels plugin versions <= 3.1.1, update to a version higher than 3.1.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WP-Advanced-Search plugin versions 3.3.8 and earlier **Description** A Cross-Site Request Forgery (CSRF) issue affects the WP-Advanced-Search plugin. This allows an attacker to perform unintended actions on a user's account. **Recommendations** For versions 3.3.8 and earlier, update to a version later than 3.3.8 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** dev.Xiligroup.Com - MS plugin versions 1.12.03 and earlier **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For dev.Xiligroup.Com - MS plugin versions 1.12.03 and earlier, update to a version later than 1.12.03 to resolve the issue. At the moment, there is no information about additional mitigation measures.

**Name of the Vulnerable Software and Affected Versions** The Hide My WP Ghost – Security Plugin plugin for WordPress versions up to, and including, 5.0.18 **Description** The issue is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the `X-Forwarded-For` header with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address from logging in. **Recommendations** For versions up to, and including, 5.0.18, consider restricting the use of the `X-Forwarded-For` header until a patch is available. As a temporary workaround, review and update request logging and login restriction settings to minimize the risk of exploitation.