Sebastian Kraemer

Researcher from HSASec
#21592 of 53,632
11.1 Total CVSS
Vulnerabilities · 2
Medium
2
PT-2021-8380
4.3
2021-11-01
WordPress · Wp-Stats · CVE-2015-10001
**Name of the Vulnerable Software and Affected Versions**
WP-Stats WordPress plugin versions prior to 2.52

**Description**
The issue allows an attacker to make logged-in high-privilege users change settings and set Cross-Site Scripting payloads due to the lack of a CSRF check when saving settings and the failure to escape some settings when outputting them.

**Recommendations**
For WP-Stats WordPress plugin versions prior to 2.52, update to version 2.52 or later to resolve the issue. As a temporary workaround, consider restricting access to the settings page to minimize the risk of exploitation.

PT-2015-6351
6.8
2015-05-31
Innologic · Ids Rtu 850C · CVE-2015-3939
**Name of the Vulnerable Software and Affected Versions**
IDS RTU 850C devices (affected versions not specified)

**Description**
A directory traversal issue exists in the NC854 and NC856 modules, allowing remote authenticated users to read arbitrary files. This is possible via unspecified vectors involving an internal web server. For example, it can be used to read a TELNET credentials file.

**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.