Splint3R7

**Name of the Vulnerable Software and Affected Versions** WP e-Customers Beta WordPress plugin version 0.0.1 **Description** The issue concerns a Reflected Cross-Site Scripting problem. It arises because the WP e-Customers Beta WordPress plugin does not properly sanitise and escape a `parameter` before outputting it back in the page. This could be exploited against high privilege users, such as the admin. **Recommendations** For version 0.0.1, consider disabling the plugin until a patch is available to prevent exploitation. Restrict access to the plugin's functionality to minimize the risk of Reflected Cross-Site Scripting attacks. Avoid using the vulnerable `parameter` in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: WoWPth plugin versions prior to 2.0 Description: The issue concerns a Reflected Cross-Site Scripting problem. It arises because a parameter is not properly sanitized and escaped before being outputted back in the page. This could be exploited against high-privilege users, such as administrators. Recommendations: For WoWPth plugin versions prior to 2.0, update to a version that properly sanitizes and escapes parameters before outputting them back in the page to prevent Reflected Cross-Site Scripting. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: WoWPth WordPress plugin versions prior to 2.0 Description: The issue is related to a Reflected Cross-Site Scripting problem, where a parameter is not properly sanitised and escaped before being outputted back in the page. This could be exploited against high-privilege users, such as administrators. Recommendations: For WoWPth WordPress plugin versions prior to 2.0, consider updating to a version that addresses this issue, as no specific workaround is provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Schedule WordPress plugin version 1.0.0 **Description** The issue concerns a Reflected Cross-Site Scripting vulnerability. It occurs because the Schedule WordPress plugin does not properly sanitise and escape a `parameter` before outputting it back in the page. This could be used against high privilege users, such as the admin. **Recommendations** For version 1.0.0, consider disabling the vulnerable functionality until a patch is available. Restrict access to the plugin to minimize the risk of exploitation. Avoid using the vulnerable `parameter` in the affected page until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP Click Info WordPress plugin versions 2.7.4 and earlier **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs because the WP Click Info WordPress plugin does not properly sanitise and escape a `parameter` before outputting it back in the page. This could be used against high privilege users such as admin. **Recommendations** For WP Click Info WordPress plugin version 2.7.4 and earlier, update to a version that fixes this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Limit Bio WordPress plugin versions 1.0 and earlier Description: The issue arises from the plugin not sanitizing and escaping a `parameter` before outputting it back in the page, leading to a Reflected Cross-Site Scripting. This could be used against high privilege users such as admin. Recommendations: For Limit Bio WordPress plugin version 1.0 and earlier, update to a version that addresses this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** XV Random Quotes WordPress plugin versions 1.40 and earlier **Description** The issue concerns a Reflected Cross-Site Scripting problem. It arises because a parameter is not properly sanitized and escaped before being output back in the page. This could be exploited against high-privilege users, such as administrators. **Recommendations** For XV Random Quotes WordPress plugin versions 1.40 and earlier, update to a version that properly sanitizes and escapes parameters before outputting them back in the page. As a temporary workaround, consider restricting access to the plugin's functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Countdown Timer WordPress plugin version 1.0 **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs because a `parameter` is not properly sanitised and escaped before being outputted back in the page. This could be exploited against high-privilege users, such as administrators. **Recommendations** For Countdown Timer WordPress plugin version 1.0, consider updating to a newer version that addresses this issue, as the current version does not properly sanitise and escape parameters, leading to potential Cross-Site Scripting attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** S3Bubble Media Streaming WordPress plugin versions prior to 8.1 **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs because a `parameter` is not properly sanitised and escaped before being outputted back in the page. This could be exploited against high-privilege users, such as administrators. **Recommendations** For S3Bubble Media Streaming WordPress plugin versions prior to 8.1, update to version 8.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality to minimize the risk of exploitation. Avoid using the vulnerable `parameter` in the affected page until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** SEO Tools WordPress plugin versions 4.0.7 and earlier **Description** The issue is related to a Reflected Cross-Site Scripting problem, where a parameter is not properly sanitised and escaped before being outputted back in the page. This could be exploited against high-privilege users, such as administrators. **Recommendations** For SEO Tools WordPress plugin versions 4.0.7 and earlier, update to a version later than 4.0.7 to resolve the issue. At the moment, there is no information about other specific mitigation measures for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP Login Control versions prior to 2.0.1 is not specified, however, the version 2.0.0 is mentioned as vulnerable, so we can say: WP Login Control versions 2.0.0 and earlier **Description** The issue is related to a Reflected Cross-Site Scripting, which could be used against high privilege users such as admin. This occurs because a parameter is not properly sanitised and escaped before being outputted back in the page. **Recommendations** For WP Login Control versions 2.0.0 and earlier, update to a version later than 2.0.0 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Gtbabel WordPress plugin versions prior to 6.6.9 **Description** The issue allows unauthenticated attackers to retrieve a logged-in user's cookies, such as an admin's, by making them open a crafted URL. This is possible because the plugin does not verify that the URL for code analysis belongs to the blog, and the request to analyze the URL includes the user's cookies. **Recommendations** For versions prior to 6.6.9, update to version 6.6.9 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Email Keep WordPress plugin versions 1.1 and earlier **Description** The Email Keep WordPress plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. **Recommendations** For Email Keep WordPress plugin version 1.1 and earlier, update to a version that fixes the Reflected Cross-Site Scripting issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WordPress Activity O Meter plugin through version 1.0 **Description** The WordPress Activity O Meter plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admins. **Recommendations** For WordPress Activity O Meter plugin version 1.0 and earlier, update to a version that addresses this issue, as using an unpatched version poses a significant risk. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WooCommerce WordPress plugin versions prior to 9.0.3 **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs because a parameter is not properly sanitized and escaped before being outputted back in the page. This could be exploited against high-privilege users, such as administrators. **Recommendations** For versions prior to 9.0.3, update to version 9.0.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WP BASE Booking of Appointments, Services and Events WordPress plugin versions prior to 5.0.0 **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs because a parameter is not properly sanitised and escaped before being outputted back in the page. This could be exploited against high-privilege users, such as administrators. **Recommendations** For versions prior to 5.0.0, update to version 5.0.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WP Pricing Table WordPress plugin version 1.1 **Description** The issue is related to a Reflected Cross-Site Scripting problem. This occurs because a parameter is not properly sanitised and escaped before being outputted back in the page. This could be exploited against high-privilege users, such as administrators. **Recommendations** For WP Pricing Table WordPress plugin version 1.1, consider updating to a version where this issue is fixed, as the current version does not properly sanitise and escape parameters, leading to potential Cross-Site Scripting attacks.

**Name of the Vulnerable Software and Affected Versions** Post Timeline WordPress plugin versions prior to 2.3.10 **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs because a parameter is not properly sanitised and escaped before being outputted back in the page. This could be exploited against high-privilege users, such as administrators. **Recommendations** For versions prior to 2.3.10, update to version 2.3.10 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** The Custom Block Builder WordPress plugin versions prior to 3.8.3 **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs because a parameter is not properly sanitised and escaped before being outputted back in the page. This could be exploited against high-privilege users, such as administrators. **Recommendations** For versions prior to 3.8.3, update to version 3.8.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WPMovieLibrary versions prior to 2.1.4.9 **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs because a parameter is not properly sanitised and escaped before being outputted back in the page. This could be exploited against high-privilege users, such as administrators. **Recommendations** For versions prior to 2.1.4.9, update to version 2.1.4.9 or later to resolve the issue.