She11F

**Name of the Vulnerable Software and Affected Versions** WooCommerce PDF Invoice Builder versions prior to 2.0.9 **Description** Improper Control of Generation of Code allows Remote Code Inclusion, enabling an unauthenticated attacker to perform full code injection via remote file inclusion. **Recommendations** Update to a version newer than 2.0.8.

**Name of the Vulnerable Software and Affected Versions** WP Ticket versions prior to 6.0.5 **Description** The WP Ticket plugin for WordPress allows unauthenticated attackers to extract sensitive information from the database. The issue occurs during unauthenticated front-end searches when the plugin hooks the `posts request` filter using the `wp ticket com posts request()` function, which subsequently calls `emd author search results()`. This function processes the `s` query parameter from `$query->query vars['s']` without using `$wpdb->prepare()` or proper escaping, concatenating the raw value into a SQL `LIKE` clause within a UNION sub-SELECT. This lack of sanitization enables the injection of additional SQL queries into existing database requests. **Recommendations** Update to a version later than 6.0.4.

**Name of the Vulnerable Software and Affected Versions** ZAYTECH Smart Online Order for Clover versions prior to 1.6.1 **Description** Improper neutralization of input during web page generation allows for Stored Cross-site Scripting (XSS), a condition where malicious scripts are permanently stored on the target server and then served to other users. **Recommendations** Update to a version later than 1.6.0.

Missing Authorization vulnerability in Strategy11 Team AWP Classifieds another-wordpress-classifieds-plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AWP Classifieds: from n/a through <= 4.4.5.

**Name of the Vulnerable Software and Affected Versions** ZAYTECH Smart Online Order for Clover versions prior to or equal to 1.6.0 **Description** An issue involving the insertion of sensitive information into sent data allows for the retrieval of embedded sensitive data. **Recommendations** Update ZAYTECH Smart Online Order for Clover to a version later than 1.6.0.

**Name of the Vulnerable Software and Affected Versions** ZAYTECH Smart Online Order for Clover versions prior to 1.6.0 **Description** An authentication bypass exists in ZAYTECH Smart Online Order for Clover, allowing an attacker to bypass authentication mechanisms by using an alternate path or channel. **Recommendations** Update to a version later than 1.6.0.

**Name of the Vulnerable Software and Affected Versions** Geo Mashup versions prior to 1.13.20 **Description** Geo Mashup is subject to Reflected Cross-site Scripting (XSS), which occurs when an application includes untrusted data in a web page without proper validation or encoding, allowing an attacker to execute malicious scripts in the victim's browser. **Recommendations** Update to a version later than 1.13.19.