Savphill

**Name of the Vulnerable Software and Affected Versions** PluginOps Landing Page Builder versions through 1.5.3.3 **Description** The software contains a flaw related to improper input handling during web page generation, specifically a Stored Cross-site Scripting issue. This impacts the `page-builder-add` component. The issue allows for the injection of malicious scripts. **Recommendations** Update PluginOps Landing Page Builder to a version later than 1.5.3.3.

**Name of the Vulnerable Software and Affected Versions** Extend Themes Colibri Page Builder versions prior to 1.0.334 **Description** The Colibri Page Builder software contains a flaw related to improper input handling during web page generation, which can lead to Cross-site Scripting (XSS). This allows for the injection of malicious scripts into web pages. The issue is identified as Stored XSS, meaning the malicious script is persistently stored on the target server. **Recommendations** Update Extend Themes Colibri Page Builder to version 1.0.334 or later.

**Name of the Vulnerable Software and Affected Versions** Woostify versions through 2.4.2 **Description** The software contains a flaw due to improper handling of user-supplied data when creating web pages, leading to a potential Cross-site Scripting (XSS) issue. This allows for the injection of malicious scripts into web pages viewed by other users. The issue is a Stored XSS, meaning the malicious script is permanently stored on the target server. **Recommendations** Update Woostify to a version later than 2.4.2.

**Name of the Vulnerable Software and Affected Versions** WordPress versions through 6.8.2 **Description** A flaw exists in Automattic WordPress that allows for Stored Cross-site Scripting (XSS). An attacker with Author or higher user privileges can exploit this issue. The vulnerability stems from improper neutralization of input during web page generation. **Recommendations** Update WordPress to a version later than 6.8.2.

Name of the Vulnerable Software and Affected Versions: Blocksy versions through 2.1.6 Description: Improper neutralization of input during web page generation allows for Stored Cross-Site Scripting (XSS). Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Blocksy versions 2.0.97 and earlier **Description** The issue is related to a Missing Authorization vulnerability, which allows exploiting incorrectly configured access control security levels. **Recommendations** For Blocksy versions 2.0.97 and earlier, update to a version later than 2.0.97 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WebToffee WordPress Backup & Migration versions 1.5.3 and earlier **Description** The issue allows the retrieval of embedded sensitive data due to the insertion of sensitive information into log files. **Recommendations** For versions 1.5.3 and earlier, update to a version that fixes this issue to prevent sensitive information from being logged. As a temporary workaround, consider restricting access to log files to minimize the risk of sensitive data exposure.

**Name of the Vulnerable Software and Affected Versions** ILLID Advanced Woo Labels versions n/a through 2.14 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Stored XSS. This means that an attacker can inject malicious scripts into the website, potentially affecting users who access the compromised page. **Recommendations** For versions n/a through 2.14, update to a version later than 2.14 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NiteoThemes CMP – Coming Soon & Maintenance versions through 4.1.13 **Description** The issue is related to an Unrestricted Upload of File with Dangerous Type, allowing the use of malicious files. This can potentially lead to remote code execution (RCE) exploits. **Recommendations** For versions through 4.1.13, update to a version later than 4.1.13 to resolve the issue. As a temporary workaround, consider restricting file uploads to only necessary and safe file types until a patch is available. Avoid using the plugin until the issue is resolved, to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WP Proposals versions prior to 2.3 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Stored XSS. This means that an attacker can inject malicious scripts into the website, potentially affecting users who access the compromised page. **Recommendations** For versions prior to 2.3, update to version 2.3 or later to resolve the issue. As a temporary workaround, consider restricting user input to minimize the risk of exploitation. Avoid using potentially vulnerable features in WP Proposals until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** TablePress – Tables in WordPress made easy plugin versions up to, and including, 3.0.4 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows authenticated attackers with Author-level access and above to inject arbitrary web scripts in pages via the `table-name` parameter. These scripts will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 3.0.4, update to a version that addresses the insufficient input sanitization and output escaping issue to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the `table-name` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WooCommerce versions prior to 9.7.0 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, allowing Stored XSS. This enables an attacker to inject malicious scripts into the website, potentially affecting user sessions. **Recommendations** For versions prior to 9.7.0, update to version 9.7.0 or later to resolve the issue. As a temporary workaround, consider restricting user input to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Document Block – Upload & Embed Docs versions 1.1.0 and earlier **Description** The issue is related to a Missing Authorization vulnerability in the EmbedPress Document Block – Upload & Embed Docs. This vulnerability affects the ability to properly authorize access, potentially leading to unauthorized actions. **Recommendations** For versions 1.1.0 and earlier, update to a version that includes the fix for the Missing Authorization vulnerability, as no specific workaround or mitigation measures are provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PPOM for WooCommerce versions n/a through 33.0.8 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Stored XSS. This means that an attacker can inject malicious scripts into the website, potentially affecting users who access the compromised page. **Recommendations** For PPOM for WooCommerce versions n/a through 33.0.8, update to a version later than 33.0.8 to resolve the issue. At the moment, there is no information about additional mitigation measures for this specific vulnerability.

**Name of the Vulnerable Software and Affected Versions** Icegram versions through 3.1.31 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting. This allows for Stored XSS attacks. **Recommendations** For versions through 3.1.31, update to a version later than 3.1.31 to resolve the issue. At the moment, there is no information about other mitigation measures for this specific issue.

**Name of the Vulnerable Software and Affected Versions** WebToffee WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels versions prior to 4.7.2 **Description** The issue is related to improper neutralization of input during web page generation, allowing stored Cross-site Scripting (XSS) attacks. This affects WooCommerce PDF Invoices, Packing Slips, Delivery Notes, and Shipping Labels. **Recommendations** For versions prior to 4.7.2, update to version 4.7.2 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable components until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Popup Maker versions through 1.20.2 **Description** The issue is related to improper neutralization of input during web page generation, which allows for stored cross-site scripting (XSS). This means that an attacker can inject malicious scripts into the website, potentially leading to unauthorized access or control. The estimated number of potentially affected devices worldwide is not specified. There is no information provided about real-world incidents where this issue was exploited. **Recommendations** For versions through 1.20.2, update to a version later than 1.20.2 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP Desk Flexible PDF Coupons (affected versions not specified) **Description** The issue is related to improper neutralization of input during web page generation, which allows for stored Cross-site Scripting (XSS). This means an attacker can inject malicious scripts into the website, potentially affecting users who access the compromised pages. The estimated number of potentially affected devices worldwide is not available. There is no information provided about real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Htaccess File Editor versions 1.0.19 and earlier **Description** The issue allows for the insertion of sensitive information into externally-accessible files or directories, exploiting incorrectly configured access control security levels. **Recommendations** For Htaccess File Editor versions 1.0.19 and earlier, update to a version later than 1.0.19 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Email Templates Customizer for WordPress – Drag And Drop Email Templates Builder – YeeMail versions n/a through 2.1.4 **Description** The issue is related to improper neutralization of input during web page generation, also known as Cross-site Scripting. This allows for Stored XSS. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** For versions n/a through 2.1.4, update to a version later than 2.1.4 to resolve the issue. At the moment, there is no information about additional mitigation measures.