Stiofan Oconnor

**Name of the Vulnerable Software and Affected Versions** The FooGallery – Responsive Photo Gallery plugin versions up to and including 2.4.29 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping, specifically via the `default gallery title size` parameter. This allows authenticated attackers with gallery and album creator roles to inject arbitrary web scripts in pages, which will execute when a user accesses the injected page. **Recommendations** For versions up to and including 2.4.29, update to a version that includes the necessary input sanitization and output escaping fixes to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting the gallery and album creator roles to trusted users only, and monitor page content for any signs of script injection.

**Name of the Vulnerable Software and Affected Versions** FooGallery – Responsive Photo Gallery plugin versions prior to 2.4.30 **Description** The issue allows authenticated attackers with granted access and above to update arbitrary post and page content due to missing validation on a user-controlled key (`img id`) in the `foogallery attachment modal save` AJAX action. This requires the Gallery Creator Role setting to be a value lower than 'Editor' for there to be any real impact. **Recommendations** For versions prior to 2.4.30, update to version 2.4.30 or later to resolve the issue. As a temporary workaround, consider setting the Gallery Creator Role to 'Editor' or higher to minimize the risk of exploitation. Restrict access to the `foogallery attachment modal save` AJAX action to prevent unauthorized updates to post and page content.

**Name of the Vulnerable Software and Affected Versions** W2S – Migrate WooCommerce to Shopify plugin for WordPress versions up to, and including, 1.2.1 **Description** The issue allows authenticated attackers with Subscriber-level access and above to read the contents of arbitrary files on the server via the 'viw2s view log' AJAX action. This can potentially expose sensitive information. **Recommendations** For versions up to, and including, 1.2.1, update to a version higher than 1.2.1 to resolve the issue. As a temporary workaround, consider disabling the `viw2s view log` AJAX action until a patch is available. Restrict access to the plugin to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress versions up to, and including, 1.3.2 **Description** The issue is related to unauthorized access due to a missing capability check on the `save addon key license()` function. This allows authenticated attackers with Subscriber-level access and above to update arbitrary options to a value of a valid license key. **Recommendations** For versions up to, and including, 1.3.2, update to a version that includes a fix for the missing capability check in the `save addon key license()` function. As a temporary workaround, consider restricting access to the `save addon key license()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress versions up to, and including, 1.3.2 **Description** The issue is related to unauthorized access due to a missing capability check on the `youzify offer banner()` function. This allows authenticated attackers with Subscriber-level access and above to update arbitrary site options to a value of one. **Recommendations** For versions up to, and including, 1.3.2, update to a version higher than 1.3.2 to resolve the issue. As a temporary workaround, consider restricting access to the `youzify offer banner()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Sandbox plugin for WordPress versions up to and including 0.4 **Description** The issue is related to insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts in pages through the `debug` parameter. This can occur if an attacker tricks a user into performing an action, such as clicking on a link. **Recommendations** For versions up to and including 0.4, consider disabling the `debug` parameter to minimize the risk of exploitation until a patch is available. Restrict access to areas where the Sandbox plugin is used to reduce the potential for attackers to inject scripts.

**Name of the Vulnerable Software and Affected Versions** The Sandbox plugin for WordPress versions up to, and including, 0.4 **Description** The issue arises from a missing capability check on the `export download` action, allowing authenticated attackers with Subscriber-level access and above to download a complete copy of a sandbox environment. This environment can contain sensitive information, such as the `wp-config.php` file. **Recommendations** For versions up to, and including, 0.4, consider disabling the `export download` action until a patch is available to prevent unauthorized access. Restrict access to the sandbox environment to minimize the risk of exploitation. Avoid using the `export download` action in the affected plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin versions up to, and including, 3.1.5 **Description** The issue is related to a missing capability check on the `form save action()` function, allowing authenticated attackers with subscriber-level access and above to update the registration form. This enables them to make the default registration role an administrator, subsequently allowing the attacker to register an account as an administrator on the site. **Recommendations** For versions up to, and including, 3.1.5, update to a version that includes a fix for the missing capability check on the `form save action()` function. As a temporary workaround, consider restricting access to the `form save action()` function to prevent unauthorized updates to the registration form.

**Name of the Vulnerable Software and Affected Versions** Malware Scanner plugin versions up to, and including, 4.7.2 Web Application Firewall plugin versions up to, and including, 2.1.1 **Description** The issue is related to a missing capability check on the `mo wpns init()` function, which allows unauthenticated attackers to escalate their privileges to that of an administrator. This makes it possible for attackers to gain administrative privileges to the site. **Recommendations** For Malware Scanner plugin versions up to, and including, 4.7.2, update to a version later than 4.7.2 to resolve the issue. For Web Application Firewall plugin versions up to, and including, 2.1.1, update to a version later than 2.1.1 to resolve the issue. As a temporary workaround, consider disabling the `mo wpns init()` function until a patch is available.