Sonicrrrr

**Name of the Vulnerable Software and Affected Versions** Hotel Booking Lite plugin for WordPress versions up to and including 4.11.1 **Description** The issue allows unauthenticated attackers to inject a PHP Object via deserialization of untrusted input. Although no known POP chain is present in the vulnerable plugin, the presence of one via an additional plugin or theme could enable attackers to delete arbitrary files, retrieve sensitive data, or execute code. **Recommendations** For Hotel Booking Lite plugin for WordPress versions up to and including 4.11.1, update to a version higher than 4.11.1 to resolve the issue. As a temporary workaround, consider restricting access to untrusted input to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Ditty plugin for WordPress versions prior to 3.1.38 **Description** The issue allows authenticated attackers with contributor-level access and above to inject a PHP Object via deserialization of untrusted input when adding a new ditty. This could potentially lead to the deletion of arbitrary files, retrieval of sensitive data, or execution of code if a POP chain is present via an additional plugin or theme installed on the target system. **Recommendations** For Ditty plugin for WordPress versions prior to 3.1.38, update to version 3.1.38 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** image-optimizer versions prior to 1.7.3 **Description** The issue allows PHAR deserialization, for example, using the `phar://` protocol in arguments to the `file exists()` function. **Recommendations** For versions prior to 1.7.3, update to version 1.7.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `phar://` protocol in arguments to the `file exists()` function until a patch is applied.