Shivam Rai

**Name of the Vulnerable Software and Affected Versions** SVG Support WordPress plugin versions prior to 2.3.20 **Description** The issue allows high privilege users to perform Cross-Site Scripting attacks due to the lack of escaping in the `CSS Class to target` setting before it is outputted in an attribute. This can occur even when the `unfiltered html` capability is disallowed. **Recommendations** For versions prior to 2.3.20, update to version 2.3.20 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `CSS Class to target` setting to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** NEX-Forms WordPress plugin versions prior to 8.4.3 **Description** The issue concerns the lack of CSRF checks when editing a form and the failure to escape some settings and form fields before outputting them in attributes. This could allow attackers to make a logged-in admin edit arbitrary forms with Cross-Site Scripting payloads in them, potentially enabling high-privilege users to perform Cross-Site Scripting attacks. **Recommendations** For versions prior to 8.4.3, update to version 8.4.3 or later to resolve the issue. As a temporary workaround, consider restricting access to form editing capabilities to minimize the risk of exploitation. Avoid using the plugin's form editing feature until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Video Lessons Manager WordPress plugin versions prior to 1.7.2 Video Lessons Manager Pro WordPress plugin versions prior to 3.5.9 **Description** The issue concerns the improper sanitization and escaping of values when updating settings, potentially allowing high-privilege users to perform Cross-Site Scripting attacks. **Recommendations** For Video Lessons Manager WordPress plugin versions prior to 1.7.2, update to version 1.7.2 or later. For Video Lessons Manager Pro WordPress plugin versions prior to 3.5.9, update to version 3.5.9 or later.

**Name of the Vulnerable Software and Affected Versions** Forminator WordPress plugin versions prior to 1.15.4 **Description** The issue allows high privilege users to perform Cross-Site Scripting attacks due to the lack of sanitization and escaping of the email field label, even when the unfiltered html is disallowed. **Recommendations** For versions prior to 1.15.4, update to version 1.15.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the email field label to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Quiz Tool Lite WordPress plugin versions 2.3.15 and earlier **Description** The issue allows high privilege users to perform Cross-Site Scripting attacks due to the lack of sanitization in multiple input fields used for creating or managing quizzes and other setting options, even when the unfiltered html capability is disallowed. **Recommendations** For versions 2.3.15 and earlier, update to a version later than 2.3.15 to resolve the issue. As a temporary workaround, consider restricting access to the quiz management and setting options to minimize the risk of exploitation. Avoid using the vulnerable input fields in the affected plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** The Qwizcards – online quizzes and flashcards WordPress plugin versions prior to 3.62 **Description** The issue allows high privilege users to perform Cross-Site Scripting attacks due to improper sanitization and escaping of some settings, even when the unfiltered html capability is disallowed. **Recommendations** For versions prior to 3.62, update to version 3.62 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings for high privilege users until the update is applied.

**Name of the Vulnerable Software and Affected Versions** The Restaurant Menu by MotoPress WordPress plugin versions prior to 2.4.2 **Description** The issue concerns a lack of proper sanitization or escaping of inputs when creating new menu items, potentially allowing high-privilege users to perform Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed. **Recommendations** For versions prior to 2.4.2, update to version 2.4.2 or later to resolve the issue. As a temporary workaround, consider restricting the creation of new menu items to trusted users until the update is applied.

**Name of the Vulnerable Software and Affected Versions** The Modern Events Calendar Lite WordPress plugin versions prior to 5.22.3 **Description** The issue arises from the plugin's failure to properly sanitize or escape values set by users with access to adjust settings within wp-admin. This could potentially lead to security issues, although specific details about the nature of these issues are not provided. **Recommendations** For versions prior to 5.22.3, update to version 5.22.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the settings adjustment feature within wp-admin to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WP Reactions Lite WordPress plugin versions prior to 1.3.6 **Description** The issue allows users with sufficient access to inject XSS payloads within /wp-admin/ pages due to improper input sanitization within wp-admin pages. **Recommendations** For WP Reactions Lite WordPress plugin versions prior to 1.3.6, update to version 1.3.6 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Easy Download Manager and File Sharing Plugin with frontend file upload – a better Media Library — Shared Files WordPress plugin versions prior to 1.6.57 Description: The issue is related to the plugin not sanitizing and escaping some of its settings before outputting them in attributes, which could lead to Stored Cross-Site Scripting issues. Recommendations: For versions prior to 1.6.57, update to version 1.6.57 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** LearnPress WordPress plugin versions prior to 4.1.3.1 **Description** The issue concerns the improper sanitization or escaping of various inputs within course settings. This could allow high privilege users to perform Cross-Site Scripting attacks when the `unfiltered html` capability is disallowed. **Recommendations** For versions prior to 4.1.3.1, update to version 4.1.3.1 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: The Tutor LMS WordPress plugin versions prior to 1.9.9 Description: The issue allows high privilege users to perform Cross-Site Scripting attacks due to the plugin not escaping some of its settings before outputting them in attributes, even when the unfiltered html capability is disallowed. Recommendations: For versions prior to 1.9.9, update to version 1.9.9 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Appointment Hour Booking WordPress plugin versions prior to 1.3.17 **Description** The issue arises from the plugin's failure to properly sanitize values when creating new calendars. This can lead to potential security risks. **Recommendations** For versions prior to 1.3.17, update to version 1.3.17 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Chained Quiz WordPress plugin versions prior to 1.2.7.2 **Description** The issue arises from the plugin's failure to properly sanitize or escape inputs in its settings. This can lead to potential security risks. **Recommendations** For versions prior to 1.2.7.2, update to version 1.2.7.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** The Quiz And Survey Master WordPress plugin versions prior to 7.3.2 **Description** The issue allows high privilege users to perform Cross-Site Scripting attacks due to the Quiz Url Slug setting not being escaped before outputting it in some pages, even when the unfiltered html capability is disallowed. **Recommendations** For versions prior to 7.3.2, update to version 7.3.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Quiz Url Slug setting to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Modern Events Calendar Lite WordPress plugin versions prior to 5.22.2 **Description** The issue allows high privilege users to perform Cross-Site Scripting attacks due to the plugin not escaping some of its settings before outputting them in attributes, even when the unfiltered html capability is disallowed. **Recommendations** For versions prior to 5.22.2, update to version 5.22.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the plugin's settings to minimize the risk of exploitation.