Supanat Konprom

**Name of the Vulnerable Software and Affected Versions** Auto Image Attributes From Filename With Bulk Updater versions prior to 4.10 **Description** The plugin for WordPress is subject to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping within the attachment metadata. This allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages, which then execute when a user visits the affected page. **Recommendations** Update to a version later than 4.9.

**Name of the Vulnerable Software and Affected Versions** Spectra Gutenberg Blocks – Website Builder for the Block Editor versions prior to 2.19.26 **Description** Authenticated attackers with Contributor-level access and above can achieve Remote Code Execution on the server. This is possible through a two-block payload embedded in post content. The first block registers a fake `uagb/`-prefixed block type with an attacker-specified `render callback`, and the second block of the same fake type triggers the invocation of that callback via the `call user func()` function during sequential block rendering in the same page request. This issue has been exploited in the wild. **Recommendations** Update to a version newer than 2.19.25.

**Name of the Vulnerable Software and Affected Versions** GenerateBlocks versions prior to 2.2.1 **Description** The plugin is subject to Insecure Direct Object Reference (IDOR), a flaw where an application provides direct access to objects based on user-supplied input. The issue exists in the '/wp-json/generateblocks/v1/dynamic-tag-replacements' REST endpoint, which fails to perform object-level authorization checks. While the endpoint verifies the `edit posts` capability, it does not confirm if the user has permission to access the specific post or data referenced by the `id` parameters. Consequently, authenticated attackers with Contributor-level access or higher can extract sensitive information from arbitrary posts, such as author email addresses and non-protected post meta values, by manipulating dynamic tag payloads. **Recommendations** Update to a version later than 2.2.0. Restrict access to the '/wp-json/generateblocks/v1/dynamic-tag-replacements' endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** User Verification by PickPlugins versions prior to 2.0.47 **Description** The User Verification by PickPlugins plugin for WordPress allows unauthenticated attackers to log in as any user with a verified email address, including administrators. This occurs because the `user verification form wrap process otpLogin()` function uses a loose PHP comparison operator to validate One-Time Password (OTP) codes, enabling bypass by submitting a "true" OTP value. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP Store Locator versions prior to 2.2.262 **Description** Insufficient input sanitization and output escaping allow authenticated attackers with contributor-level access and above to perform Stored Cross-Site Scripting. This is achieved via the `wpsl address` post meta value, enabling the injection of arbitrary web scripts that execute when a user accesses an affected page and opens an injected map marker info window. **Recommendations** Update to a version newer than 2.2.261.

The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded image title in versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Name of the Vulnerable Software and Affected Versions Customer Reviews for WooCommerce plugin for WordPress versions up to and including 5.103.0 Description The Customer Reviews for WooCommerce plugin for WordPress is susceptible to authentication bypass. This occurs because the `create review permissions check()` function uses strict equality (`===`) when comparing the user-supplied `key` parameter to the order's `ivole secret key` meta value, without verifying that the stored key is non-empty. When no review reminder email has been sent, `ivole secret key` is not set, resulting in an empty string being returned. An attacker can provide `key: ""` to match this empty value and bypass the permission check. This allows unauthenticated attackers to submit, modify, and inject product reviews via the REST API endpoint `POST /ivole/v1/review`. Reviews are auto-approved by default because `ivole enable moderation` defaults to "no". Recommendations Versions prior to 5.103.1 should be updated. As a temporary workaround, consider disabling the `POST /ivole/v1/review` API endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Import and export users and customers plugin for WordPress versions prior to 1.29.8 **Description** An issue allows unauthenticated attackers to escalate privileges to Administrator by submitting a crafted registration request that sets the `wp capabilities` meta key. This occurs because the `save extra user profile fields()` function does not properly restrict which user meta keys can be updated via profile fields, and the `get restricted fields()` method fails to include sensitive meta keys like `wp capabilities`. Exploitation is only possible if the "Show fields in profile" setting is enabled and a CSV file containing a `wp capabilities` column header has been previously imported. **Recommendations** Update the plugin to a version later than 1.29.7. As a temporary workaround, disable the "Show fields in profile" setting to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ProfilePress versions prior to 4.16.11 **Description** The ProfilePress plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. This is a result of a lack of ownership validation on the `change plan sub id` parameter within the `process checkout()` function. The `ppress process checkout` AJAX handler accepts a user-controlled subscription ID for plan upgrades, loads the subscription record, and cancels or expires it without verifying the subscription belongs to the requesting user. This allows authenticated attackers with Subscriber-level access or higher to cancel and expire any other user's active subscription using the `change plan sub id` parameter during checkout, resulting in immediate loss of paid access for victims. **Recommendations** Update ProfilePress to version 4.16.11 or later.