Ryan Kozak

**Name of the Vulnerable Software and Affected Versions** MDJM Event Management plugin for WordPress versions prior to 1.7.8.4 **Description** The plugin allows arbitrary file upload because it does not perform validation on the file type, extension, or MIME type of uploaded files. This issue occurs within the `mdjm send comm email()` function. Authenticated attackers with administrator-level access or higher can exploit this to upload executable files, potentially leading to remote code execution. **Recommendations** Update the plugin to a version later than 1.7.8.3. As a temporary workaround, restrict access to the `mdjm send comm email()` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Kalrav AI Agent versions prior to 2.3.4 **Description** The Kalrav AI Agent plugin for WordPress is susceptible to arbitrary file uploads because of a lack of file type validation in the `kalrav upload file` AJAX action. This allows unauthenticated attackers to upload arbitrary files to the affected server, potentially leading to remote code execution. The `kalrav upload file` action is the component responsible for handling file uploads. **Recommendations** Versions prior to 2.3.4 should be updated.

**Name of the Vulnerable Software and Affected Versions** g-FFL Cockpit plugin for WordPress versions up to and including 1.7.1 **Description** The g-FFL Cockpit plugin for WordPress is susceptible to exposure of sensitive information. This occurs through the `/server status` API endpoint, where a lack of appropriate capability checks allows unauthenticated attackers to extract server information. **Recommendations** Update the g-FFL Cockpit plugin to a version newer than 1.7.1.

**Name of the Vulnerable Software and Affected Versions** g-FFL Cockpit plugin for WordPress versions up to and including 1.7.1 **Description** The g-FFL Cockpit plugin for WordPress has a flaw that allows unauthorized modification of data. This is due to IP-based authorization that can be spoofed within the `handle enqueue only()` function. This allows unauthenticated attackers to delete arbitrary products. **Recommendations** Update the g-FFL Cockpit plugin to a version later than 1.7.1.

**Name of the Vulnerable Software and Affected Versions** Flex QR Code Generator plugin for WordPress versions up to and including 1.2.6 **Description** The Flex QR Code Generator plugin for WordPress is susceptible to arbitrary file uploads because of a lack of file type validation. This occurs in the `update qr code()` function. Unauthenticated attackers can exploit this to upload arbitrary files to the server, potentially leading to remote code execution. **Recommendations** Update the Flex QR Code Generator plugin to a version later than 1.2.6.

**Name of the Vulnerable Software and Affected Versions** Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents plugin for WordPress versions prior to 7.10.1322 **Description** The software is susceptible to a Cross-Site Request Forgery issue. This is due to inadequate or missing nonce validation within the `uploadImage()` function. An unauthenticated attacker could potentially upload arbitrary files, leading to possible remote code execution if they can successfully deceive a site administrator into performing an action, such as clicking a malicious link. **Recommendations** Versions prior to 7.10.1322 should be updated. As a temporary workaround, consider restricting access to the `uploadImage()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** WP Directory Kit versions prior to 1.4.5 **Description** The WP Directory Kit plugin for WordPress has a flaw in its authentication process. Specifically, versions up to and including 1.4.4 are susceptible to authentication bypass due to a weak token generation mechanism within the `wdk generate auto login link` function. This allows unauthenticated attackers to gain administrative access and potentially take full control of a site by exploiting the auto-login endpoint with a predictable token. **Recommendations** Update WP Directory Kit to version 1.4.5 or later. As a temporary workaround, consider disabling the auto-login feature if it is not essential. Restrict access to the auto-login endpoint.

**Name of the Vulnerable Software and Affected Versions** MxChat – AI Chatbot for WordPress plugin versions prior to 2.5.5 **Description** The MxChat – AI Chatbot for WordPress plugin for WordPress is susceptible to a sensitive information disclosure. Unauthenticated attackers can potentially extract session values through upload filenames, which could then be used to access conversation data. **Recommendations** Update the MxChat – AI Chatbot for WordPress plugin to a version later than 2.5.5.

**Name of the Vulnerable Software and Affected Versions** CIBELES AI plugin for WordPress versions through 1.10.8 **Description** The CIBELES AI plugin for WordPress has a flaw that allows unauthorized file uploads. This is due to a missing check for appropriate permissions within the `actualizador git.php` file. An attacker could exploit this to download arbitrary GitHub repositories and overwrite plugin files on the server, potentially leading to remote code execution. **Recommendations** Update the CIBELES AI plugin to a version newer than 1.10.8.

**Name of the Vulnerable Software and Affected Versions** AI Feeds plugin for WordPress versions through 1.0.11 **Description** The AI Feeds plugin for WordPress is susceptible to arbitrary file uploads because of a missing capability check in the `actualizador git.php` file. This allows unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected server, potentially leading to remote code execution. **Recommendations** Update the AI Feeds plugin to a version newer than 1.0.11.

**Name of the Vulnerable Software and Affected Versions** AI Engine for WordPress: ChatGPT, GPT Content Generator plugin for WordPress versions up to and including 1.0.1 **Description** The software contains a flaw that allows authenticated attackers with Contributor-level access or higher to read arbitrary files on the server. This is due to inadequate validation of file paths provided by users in the `lqdai update post` API endpoint and the use of the `file get contents()` function with user-controlled URLs lacking protocol restrictions within the `insert image()` function. This could expose sensitive information contained in those files. **Recommendations** Versions prior to and including 1.0.1 should be updated. As a temporary workaround, restrict access to the `lqdai update post` API endpoint. Avoid using user-controlled URLs with the `file get contents()` function.

**Name of the Vulnerable Software and Affected Versions** S2B AI Assistant – ChatBot, ChatGPT, OpenAI, Content & Image Generator plugin for WordPress versions through 1.7.8 **Description** The software is susceptible to arbitrary file uploads because of a lack of file type validation within the `storeFile()` function. This allows attackers with Editor-level access or higher to upload any file type onto the server, potentially leading to remote code execution. **Recommendations** Update the S2B AI Assistant – ChatBot, ChatGPT, OpenAI, Content & Image Generator plugin for WordPress to a version later than 1.7.8.

**Name of the Vulnerable Software and Affected Versions** WPBookit versions up to and including 1.0.6 **Description** The WPBookit plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is due to a missing capability check on the `save custome code()` function, allowing unauthenticated attackers to inject arbitrary web scripts. These scripts will execute whenever a user accesses an injected page via the `css code` parameter. **Recommendations** Update WPBookit to a version later than 1.0.6.

**Name of the Vulnerable Software and Affected Versions** Alex Reservations: Smart Restaurant Booking plugin for WordPress versions up to and including 2.2.3 **Description** The Alex Reservations: Smart Restaurant Booking plugin for WordPress is susceptible to arbitrary file uploads because of a lack of file type validation. This issue affects the `/wp-json/srr/v1/app/upload/file` API endpoint. Authenticated attackers with Administrator-level access or higher can upload arbitrary files to the affected server, potentially leading to remote code execution. **Recommendations** Versions up to and including 2.2.3 should be updated to a newer, fixed version if available.

**Name of the Vulnerable Software and Affected Versions** StoreEngine versions up to and including 1.5.0 **Description** The StoreEngine WordPress plugin is susceptible to a path traversal issue. This allows authenticated attackers with Subscriber-level access or higher to read arbitrary files on the server, potentially exposing sensitive information. The issue is related to the `file download()` function. **Recommendations** Update StoreEngine to a version beyond 1.5.0.

**Name of the Vulnerable Software and Affected Versions** StoreEngine versions up to and including 1.5.0 **Description** The StoreEngine WordPress plugin is susceptible to arbitrary file uploads due to the absence of file type validation within the `import()` function. This allows authenticated attackers possessing Subscriber-level access or higher to upload arbitrary files to the affected server, potentially leading to remote code execution. **Recommendations** Update StoreEngine to a version beyond 1.5.0.

**Name of the Vulnerable Software and Affected Versions** Make Connector versions prior to 1.5.11 **Description** The Make Connector plugin for WordPress is susceptible to arbitrary file uploads due to inadequate file type validation within the `upload media` function. This allows authenticated attackers with Administrator-level access or higher to upload arbitrary files to the affected server, potentially leading to remote code execution. **Recommendations** Update Make Connector to version 1.5.11 or later.

Name of the Vulnerable Software and Affected Versions: Download Plugin versions up to, and including, 2.2.8 Description: The issue is related to missing file type validation in the `dpwap plugin locInstall` function, allowing authenticated attackers with Administrator-level access and above to upload arbitrary files on the affected site's server. This could potentially make remote code execution possible. Recommendations: For versions up to, and including, 2.2.8, consider disabling the `dpwap plugin locInstall` function until a patch is available to prevent arbitrary file uploads. Restrict access to the plugin's file upload functionality to minimize the risk of exploitation. Avoid using the Download Plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: WPCenter AiBud WP versions 1.8.5 and earlier Description: The issue affects WPCenter AiBud WP, allowing an unrestricted upload of a file with a dangerous type, which enables uploading a web shell to a web server. Recommendations: For versions 1.8.5 and earlier, update to a version that fixes this issue, as no specific workaround is provided in the given information. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress versions up to, and including, 0.9.116 Description: The issue is related to arbitrary file uploads due to missing file type validation in the `wpvivid upload import files` function. This allows authenticated attackers with Administrator-level access and above to upload arbitrary files on the affected site's server, potentially making remote code execution possible. Note that uploaded files are only accessible on WordPress instances running on the NGINX web server. Recommendations: For versions up to, and including, 0.9.116, update to a version that includes a fix for the missing file type validation in the `wpvivid upload import files` function. As a temporary workaround, consider restricting access to the file upload functionality to minimize the risk of exploitation. Additionally, restrict access to the uploaded files on NGINX servers to prevent potential remote code execution.