Sélim Lanouar

**Name of the Vulnerable Software and Affected Versions** All-in-One WP Migration Unlimited Extension versions prior to 2.84 **Description** The plugin is affected by missing authorization. The `Ai1wmve Schedules Controller::save` function for the 'admin post ai1wm schedule event save' endpoint does not verify user capabilities before saving schedule data. This allows authenticated attackers with subscriber-level access or higher to create scheduled export jobs and direct backup notifications to email addresses they control. Since these notifications contain the random backup filename, attackers can download full site backups, leading to the exposure of sensitive information. **Recommendations** Update to a version later than 2.83.

**Name of the Vulnerable Software and Affected Versions** Ninja Forms - File Uploads versions prior to 3.3.27 **Description** An issue in the Ninja Forms - File Uploads plugin allows unauthenticated attackers to upload arbitrary files, including PHP backdoors, which can lead to remote code execution and full site takeover. The flaw is caused by missing file type and extension validation for the destination filename in the `NF FU AJAX Controllers Uploads::handle upload()` function. Attackers can bypass source validation by using valid file headers (such as PDF or GIF) and then use path traversal (e.g., `../../`) via a POST request to the endpoint '/wp-admin/admin-ajax.php?action=nf fu upload' to save the file as a .php script in the webroot directory. Approximately 50,000 WordPress sites are estimated to be affected. Real-world exploitation has been observed, with over 118,600 attack attempts blocked by security firewalls. Attackers have used this to deploy web shells and move laterally across compromised networks. **Recommendations** Update to version 3.3.27. As a temporary workaround, disable or remove the File Uploads extension and block uploads at the webserver or WAF level.

**Name of the Vulnerable Software and Affected Versions** File Away plugin for WordPress versions up to, and including, 3.9.9.0.1 **Description** The issue allows unauthorized access to data due to a missing capability check on the `ajax()` function. This enables unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information, by leveraging a reversible weak algorithm. **Recommendations** For versions up to, and including, 3.9.9.0.1, update to a version that includes a fix for the missing capability check in the `ajax()` function to prevent unauthorized access. As a temporary workaround, consider disabling the `ajax()` function in the File Away plugin until a patch is available.

**Name of the Vulnerable Software and Affected Versions** File Away plugin for WordPress versions up to, and including, 3.9.9.0.1 **Description** The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the `upload()` function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible. **Recommendations** For versions up to, and including, 3.9.9.0.1, consider disabling the `upload()` function until a patch is available. Restrict access to the upload functionality to minimize the risk of exploitation. Avoid using the File Away plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WPS Hide Login plugin for WordPress versions up to, and including, 1.9.15.2 **Description** The issue is related to a bypass that allows attackers to discover hidden login pages when the `action` parameter is set to `postpass`. This makes it possible for attackers to easily find any login page that may have been hidden by the plugin. **Recommendations** For versions up to, and including, 1.9.15.2, consider disabling the plugin until a patch is available to prevent exploitation. As a temporary workaround, avoid using the `action=postpass` parameter in affected API endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.