Sean Murphy

**Name of the Vulnerable Software and Affected Versions** Custom Searchable Data Entry System plugin for WordPress versions up to and including 1.7.1 **Description** The Custom Searchable Data Entry System plugin for WordPress is susceptible to unauthenticated database wiping. This is due to a missing capability check and insufficient validation within the `ghazale sds delete entries table row()` function. This allows unauthenticated attackers to completely wipe database tables, such as `wp users`. **Recommendations** Update the Custom Searchable Data Entry System plugin for WordPress to a version newer than 1.7.1.

**Name of the Vulnerable Software and Affected Versions** HT Mega – Absolute Addons For Elementor plugin for WordPress versions up to, and including, 2.7.6 **Description** The issue is related to Stored Cross-Site Scripting via the `block css` and `inner css` parameters due to insufficient input sanitization and output escaping. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 2.7.6, update to version 2.7.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the `block css` and `inner css` parameters to minimize the risk of exploitation. Additionally, restrict Contributor-level access and above to prevent authenticated attackers from injecting arbitrary web scripts.

**Name of the Vulnerable Software and Affected Versions** NitroPack plugin for WordPress versions up to, and including, 1.17.0 **Description** The issue arises from a missing capability check in the `nitropack rml notification` function, allowing authenticated attackers with subscriber access or higher to update arbitrary transients. These transients can only be updated to integers, not arbitrary values. **Recommendations** For versions up to, and including, 1.17.0, update to a version higher than 1.17.0 to resolve the issue. As a temporary workaround, consider restricting access to the `nitropack rml notification` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** NitroPack plugin for WordPress versions prior to 1.17.1 **Description** The issue is related to a missing capability check on the 'nitropack dismiss notice forever' AJAX action. This allows authenticated attackers with subscriber-level access and above to update arbitrary options to a fixed value of '1', potentially activating certain options, such as enabling user registration, or modifying options in a way that leads to a denial of service condition. **Recommendations** For versions prior to 1.17.1, update to version 1.17.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the 'nitropack dismiss notice forever' AJAX action to prevent exploitation until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** MainWP Child plugin versions prior to 5.3 **Description** The MainWP Child plugin for WordPress is vulnerable to privilege escalation due to a missing authorization check on the `register site` function when a site is left in an unconfigured state. This makes it possible for unauthenticated attackers to log in as an administrator on instances where MainWP Child is not yet connected to the MainWP Dashboard. The vulnerability only affects sites that have MainWP Child installed, have not yet connected to the MainWP Dashboard, and do not have the unique security ID feature enabled. **Recommendations** For versions prior to 5.2: Update to version 5.3 to fully resolve the issue. For version 5.2.1: Although a partial patch is included, it is recommended to update to version 5.3 for the complete patch. As a temporary workaround, consider disabling the `register site` function until a patch is available. Restrict access to the MainWP Child plugin to minimize the risk of exploitation. Avoid using the plugin in an unconfigured state until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** PostX plugin for WordPress versions up to, and including, 4.1.16 **Description** The issue is related to a missing capability check on the `install required plugin callback` function, allowing authenticated attackers with Subscriber-level access and above to install and activate arbitrary plugins. This can potentially lead to remote code execution if another vulnerable plugin is installed and activated. **Recommendations** For versions up to, and including, 4.1.16, update to a version higher than 4.1.16 to resolve the issue. As a temporary workaround, consider restricting access to the `install required plugin callback` function to prevent unauthorized plugin installation and activation. Additionally, restrict the ability of users with Subscriber-level access and above to install and activate plugins to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Th Shop Mania versions prior to 1.4.9 **Description** The Th Shop Mania theme for WordPress has a vulnerability due to a missing capability check on the `th shop mania install and activate callback()` function. This allows authenticated attackers with Subscriber-level access and above to install arbitrary plugins, which can be leveraged to exploit other vulnerabilities and achieve remote code execution and privilege escalation. **Recommendations** For Th Shop Mania versions prior to 1.4.9, update to the latest version to secure your site. As a temporary workaround, consider disabling the `th shop mania install and activate callback()` function until a patch is available. Restrict access to the notification system to minimize the risk of exploitation. Avoid using the vulnerable function to install plugins until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Top Store theme for WordPress versions up to, and including, 1.5.4 **Description** The issue is related to unauthorized arbitrary plugin installation due to a missing capability check on the `top store install and activate callback()` function. This allows authenticated attackers, with subscriber-level access and above, to install arbitrary plugins, which can contain other exploitable vulnerabilities to elevate privileges and gain remote code execution. **Recommendations** For versions up to, and including, 1.5.4, update to a version that includes a fix for this issue. As a temporary workaround, consider restricting access to the `top store install and activate callback()` function to minimize the risk of exploitation. Additionally, restrict the installation of arbitrary plugins to prevent potential elevation of privileges and remote code execution.

**Name of the Vulnerable Software and Affected Versions** Mapster WP Maps plugin for WordPress versions up to, and including, 1.5.0 **Description** The issue allows unauthorized modification of data, potentially leading to privilege escalation, due to an insufficient capability check on the `mapster wp maps set option from js()` function. This enables authenticated attackers with contributor-level access or higher to update arbitrary options on the WordPress site, which can be used to gain administrative user access. **Recommendations** For Mapster WP Maps plugin for WordPress versions up to, and including, 1.5.0, update to a version higher than 1.5.0 to resolve the issue. As a temporary workaround, consider restricting access to the `mapster wp maps set option from js()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** The GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress versions up to, and including, 2.1.0 **Description** The issue is related to a missing capability check on the `install and activate plugin from external()` function, which is part of the install-active-plugin REST API endpoint. This allows unauthenticated attackers to install and activate arbitrary plugins or upload arbitrary files disguised as plugins. **Recommendations** For versions up to, and including, 2.1.0, update to a version higher than 2.1.0 to resolve the issue. As a temporary workaround, consider disabling the `install and activate plugin from external()` function until a patch is available. Restrict access to the install-active-plugin REST API endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Hunk Companion plugin for WordPress versions prior to 1.9.0 WP Query Console versions (affected versions not specified) **Description** The Hunk Companion plugin for WordPress has a flaw allowing unauthorized plugin installation and activation. This is due to a missing capability check on the `/wp-json/hc/v1/themehunk-import` API endpoint. Unauthenticated attackers can exploit this to install and activate arbitrary plugins, potentially leading to remote code execution if another vulnerable plugin is already installed. Recent campaigns have actively targeted this and other vulnerabilities in WordPress plugins, with over 8.7 million exploitation attempts blocked by Wordfence. Attackers have been observed installing malicious plugins via platforms like GitHub. The WP Query Console plugin, which has not been updated in seven years, is also being exploited due to a code injection flaw, enabling attackers to execute commands on the target website. Approximately 90% of the 10,000 installations of Hunk Companion are still running a vulnerable version. **Recommendations** Update Hunk Companion to version 1.9.0 or later. Remove WP Query Console from your WordPress installation.

**Name of the Vulnerable Software and Affected Versions** Forminator plugin for WordPress versions up to, and including, 1.29.1 **Description** The issue allows unauthenticated attackers to extract the HubSpot integration developer API key, making unauthorized changes to the plugin's HubSpot integration possible. This can also lead to the exposure of personally identifiable information from plugin users using the HubSpot integration. The vulnerability is related to the `class-forminator-addon-hubspot-wp-api.php` file. **Recommendations** For versions up to, and including, 1.29.1: Patch immediately and rotate any exposed credentials. As a temporary workaround, consider restricting access to the `class-forminator-addon-hubspot-wp-api.php` file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Email Log plugin for WordPress versions up to, and including, 2.4.8 **Description** The issue allows unauthenticated attackers to execute actions with hooks in WordPress under certain circumstances. This is possible when the action the attacker wishes to execute has a nonce check, and the nonce is known to the attacker. Additionally, the absence of a capability check is required for this issue to be exploited. The `check nonce` function is involved in this issue. **Recommendations** For versions up to, and including, 2.4.8, update to a version that fixes this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Check & Log Email plugin for WordPress versions up to, and including, 1.0.9 **Description** The issue allows unauthenticated attackers to execute actions with hooks in WordPress under certain circumstances. This is possible when the action the attacker wishes to execute has a nonce check, and the nonce is known to the attacker. Additionally, the absence of a capability check is required for this to occur. The `check nonce` function is involved in this process. **Recommendations** For versions up to, and including, 1.0.9, update to a version that fixes the Unauthenticated Hook Injection issue. As a temporary workaround, consider disabling the `check nonce` function until a patch is available. Restrict access to sensitive actions that rely on nonce checks to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress versions up to, and including, 7.8.3 **Description** The issue allows unauthenticated attackers to extract sensitive data, including personally identifiable information (PII), due to hardcoded API keys. **Recommendations** For versions up to, and including, 7.8.3, consider disabling the plugin until a patch is available to prevent sensitive information exposure. Restrict access to sensitive data to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** AMP for WP – Accelerated Mobile Pages plugin for WordPress versions up to, and including, 1.0.93.1 **Description** The issue is related to unauthorized loss of data due to a missing capability check on the `amppb remove saved layout data` function. This allows authenticated attackers with contributor access and above to delete arbitrary posts on the site. **Recommendations** For versions up to, and including, 1.0.93.1, consider disabling the `amppb remove saved layout data` function until a patch is available to prevent unauthorized data loss. Restrict access to the function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Royal Elementor Kit theme for WordPress versions up to, and including, 1.0.116 **Description** The issue arises from a missing capability check on the `dismissed handler` function, allowing authenticated attackers with subscriber access or higher to update arbitrary transients to true. **Recommendations** For versions up to, and including, 1.0.116, update to a version higher than 1.0.116 to resolve the issue. As a temporary workaround, consider restricting access to the `dismissed handler` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels plugin for WordPress versions prior to 6.1.1 **Description** The issue allows unauthorized arbitrary options update due to an insufficient check that neglects to verify whether the updated option belongs to the plugin on the "instant-images/license" API endpoint. This makes it possible for authors and higher to update arbitrary options. **Recommendations** For versions up to, and including, 6.1.0, update to version 6.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "instant-images/license" API endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ColorMag theme for WordPress versions up to, and including, 3.1.2 **Description** The ColorMag theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the `plugin action callback()` function. This makes it possible for authenticated attackers, with subscriber-level access and above, to install and activate arbitrary plugins. Approximately 8,904 devices are potentially affected, mainly distributed in the United States, Germany, and other countries. **Recommendations** For ColorMag theme for WordPress versions up to, and including, 3.1.2, update to a version higher than 3.1.2 to resolve the issue. As a temporary workaround, consider disabling the `plugin action callback()` function until a patch is available. Restrict access to plugin installation and activation features to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress versions up to, and including, 2.8.7 **Description** The issue is related to Stored Cross-Site Scripting via the `device` header due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 2.8.7, update to a version that addresses the insufficient input sanitization and output escaping issue. As a temporary workaround, consider restricting access to the `device` header to minimize the risk of exploitation.