Sao

**Name of the Vulnerable Software and Affected Versions** Giulio Ganci Wp Downloads Manager module version 0.2 **Description** The issue allows remote attackers to execute arbitrary code by uploading a file with an executable extension via the `upfile` parameter in the upload.php file, and then accessing it directly. This is a result of an unrestricted file upload vulnerability in the affected module. **Recommendations** For Giulio Ganci Wp Downloads Manager module version 0.2, consider disabling the upload functionality in upload.php until a patch is available to prevent exploitation. Restrict access to the wp-content/plugins/downloads-manager/upload/ directory to minimize the risk of arbitrary code execution. Avoid using the `upfile` parameter in the upload.php file until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: PollMentor version 2.0 Description: The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `id` parameter to the "pollmentorres.asp" API endpoint. Recommendations: For PollMentor version 2.0, consider restricting access to the `id` parameter in the "pollmentorres.asp" endpoint until a patch is available.

Name of the Vulnerable Software and Affected Versions: JV2 Folder Gallery (affected versions not specified) Description: The issue allows remote attackers to read sensitive files via a relative pathname in the `file` parameter. This can be demonstrated by accessing the `config/gallerysetup.php` file. It is noted that this issue might be a result of a directory traversal vulnerability. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.