Sho Sakata

**Name of the Vulnerable Software and Affected Versions** DX Share Selection plugin for WordPress versions up to, and including 1.4 **Description** The issue is due to missing nonce protection on the `dxss admin page()` function found in the ~/dx-share-selection.php file, making it possible for unauthenticated attackers to inject malicious web scripts into the page. This can happen if an attacker can trick a site's administrator into performing an action such as clicking on a link. **Recommendations** For versions up to, and including 1.4, consider disabling the `dxss admin page()` function until a patch is available to prevent exploitation. Restrict access to the ~/dx-share-selection.php file to minimize the risk of malicious script injection. Avoid performing actions that could be triggered by an attacker, such as clicking on suspicious links, to reduce the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** AnyMind Widget plugin for WordPress versions up to, and including 1.1 **Description** The issue is due to missing nonce protection on the `createDOMStructure()` function found in the ~/anymind-widget-id.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site’s administrator into performing an action such as clicking on a link. **Recommendations** For versions up to, and including 1.1, consider disabling the `createDOMStructure()` function until a patch is available to prevent exploitation. Restrict access to the ~/anymind-widget-id.php file to minimize the risk of malicious script injection. Avoid performing actions that could be triggered by an attacker, such as clicking on suspicious links, to prevent potential exploitation.

**Name of the Vulnerable Software and Affected Versions** ToolBar to Share plugin for WordPress versions up to, and including, 2.0 **Description** The issue is due to missing nonce validation on the `plugin toolbar comparte` page, making it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request. This can happen if attackers can trick a site administrator into performing an action such as clicking on a link. **Recommendations** For versions up to, and including, 2.0, update to a version that includes nonce validation on the `plugin toolbar comparte` page to prevent Cross-Site Request Forgery attacks. As a temporary workaround, consider restricting access to the `plugin toolbar comparte` page to minimize the risk of exploitation.