Tealthcopter

**Name of the Vulnerable Software and Affected Versions** WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress versions up to, and including, 7.3.3 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping, specifically via the `src` parameter. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages, which will execute when a user accesses an injected page. **Recommendations** For versions up to, and including, 7.3.3, update to a version that includes the necessary input sanitization and output escaping fixes to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the `src` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress versions up to, and including, 3.4.9 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping, specifically via the `icon` parameter. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages, which will execute when a user accesses an injected page. **Recommendations** For versions up to, and including, 3.4.9, update to a version that includes the necessary input sanitization and output escaping fixes to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the `icon` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** C9 Blocks plugin for WordPress versions up to, and including, 1.7.7 **Description** The issue is related to Full Path Disclosure, which occurs due to the presence of a publicly accessible composer-setup.php file with error display enabled. This allows unauthenticated attackers to retrieve the full path of the web application, potentially aiding other attacks. However, the disclosed information is not useful on its own and requires another vulnerability to be present to cause damage to an affected website. **Recommendations** For versions up to, and including, 1.7.7, update to a version that fixes this issue, as the current version contains a vulnerable composer-setup.php file that can disclose the full path of the web application. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates plugin for WordPress versions up to, and including, 1.6.4 **Description** The issue allows authenticated attackers with Contributor-level access and above to include and execute arbitrary files on the server. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. The vulnerability is related to Local File Inclusion via several widgets. **Recommendations** For versions up to, and including, 1.6.4, update to a version higher than 1.6.4 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable widgets to minimize the risk of exploitation. Additionally, restrict file uploads to only necessary file types and ensure that all uploaded files are properly validated and sanitized to prevent arbitrary code execution.

**Name of the Vulnerable Software and Affected Versions** ElementsKit Elementor addons plugin for WordPress version 3.4.0 and earlier **Description** The issue allows unauthenticated attackers to view any item created in Elementor, such as posts, pages, and templates, including drafts, trashed, and private items, due to a missing capability check on the `get megamenu content()` function. **Recommendations** For versions 3.4.0 and earlier, as a temporary workaround, consider disabling the `get megamenu content()` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Royal Elementor Addons and Templates plugin for WordPress versions up to, and including, 1.7.1007 **Description** The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the `wpr filter woo products` function. This allows unauthenticated attackers to inject malicious web scripts via a forged request if they can trick a site administrator into performing an action such as clicking on a link. **Recommendations** For versions up to, and including, 1.7.1007, consider disabling the `wpr filter woo products` function until a patch is available to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BigBuy Dropshipping Connector for WooCommerce plugin for WordPress versions up to, and including, 1.9.19 **Description** The vulnerability is due to the `/vendor/cocur/slugify/bin/generate-default.php` file being directly accessible and triggering an error, making it possible for unauthenticated attackers to retrieve the full path of the web application. This information can be used to aid other attacks, but it is not useful on its own and requires another vulnerability to be present for damage to an affected website. **Recommendations** For versions up to, and including, 1.9.19, consider restricting access to the `/vendor/cocur/slugify/bin/generate-default.php` file to minimize the risk of exploitation. As a temporary workaround, consider disabling direct access to this file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** WooODT Lite – Delivery & pickup date time location WooCommerce plugin for WordPress versions up to, and including, 2.5.1 **Description** The issue concerns the `/inc/bycwooodt get all orders.php` file being publicly accessible and generating a publicly visible error message. This allows unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own and requires another vulnerability to be present for damage to an affected website. **Recommendations** For versions up to, and including, 2.5.1, consider restricting access to the `/inc/bycwooodt get all orders.php` file until a patch is available. As a temporary workaround, disabling public access to this file can help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Brizy – Page Builder plugin for WordPress versions up to, and including, 2.6.4 **Description** The issue is related to the lack of file type validation in the `storeUploads` function, which allows authenticated attackers with Contributor-level access and above to upload arbitrary files on the affected site's server. This may make remote code execution possible. Approximately 80,000 WordPress sites are potentially at risk. **Recommendations** For versions up to, and including, 2.6.4, update to a version higher than 2.6.4 to resolve the issue. As a temporary workaround, consider disabling the `storeUploads` function until a patch is available. Restrict access to the upload functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** AForms Eats plugin for WordPress versions up to, and including, 1.3.1 **Description** The issue is related to Full Path Disclosure, which occurs due to the `/vendor/aura/payload-interface/phpunit.php` file being publicly accessible and displaying error messages. This allows unauthenticated attackers to retrieve the full path of the web application, potentially aiding other attacks. However, the information displayed is not useful on its own and requires another vulnerability to be present for damage to an affected website. **Recommendations** For versions up to, and including, 1.3.1, consider restricting access to the `/vendor/aura/payload-interface/phpunit.php` file to minimize the risk of exploitation. As a temporary workaround, disabling public access to this file may help until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Jupiter X Core plugin for WordPress versions up to, and including, 4.8.7 **Description** The issue allows authenticated attackers with Contributor-level access and above to read the contents of arbitrary files on the server, which can contain sensitive information, via the inline SVG feature. **Recommendations** For versions up to, and including, 4.8.7, update to a version later than 4.8.7 to resolve the issue. As a temporary workaround, consider disabling the inline SVG feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Storely theme for WordPress versions up to and including 16.6 **Description** The issue allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages. This is due to insufficient input sanitization and output escaping, making it possible for attackers to execute scripts whenever a user accesses an injected page. **Recommendations** For versions up to and including 16.6, update to a version that includes the necessary security fixes to address the insufficient input sanitization and output escaping. As a temporary workaround, consider restricting access to the display name feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** JetElements plugin for WordPress versions up to, and including, 2.7.2.1 **Description** The JetElements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 2.7.2.1, update to a version later than 2.7.2.1 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable widgets to minimize the risk of exploitation. Additionally, ensure that all user-supplied attributes are properly sanitized and escaped to prevent arbitrary web script injection.

**Name of the Vulnerable Software and Affected Versions** 1003 Mortgage Application plugin for WordPress versions up to, and including, 1.87 **Description** The issue is related to the `/inc/class/fnm/export.php` file being publicly accessible with error logging enabled. This allows unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own and requires another vulnerability to be present for damage to an affected website. **Recommendations** For versions up to, and including, 1.87, consider disabling public access to the `/inc/class/fnm/export.php` file or disabling error logging as a temporary workaround until a patch is available. Restrict access to the `export.php` file to minimize the risk of exploitation. Avoid using the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Betheeme plugin for WordPress versions up to, and including, 27.6.1 **Description** The issue is related to Stored Cross-Site Scripting via the plugin's custom JS functionality due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 27.6.1, consider disabling the custom JS functionality until a patch is available to prevent exploitation. Restrict access to the plugin's custom JS functionality to minimize the risk of arbitrary web script injection. Avoid using user-supplied attributes in the custom JS functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Royal Elementor Addons and Templates plugin for WordPress versions up to, and including, 1.7.1006 **Description** The issue is due to missing or incorrect nonce validation on the `wpr filter grid posts()` function, making it possible for unauthenticated attackers to inject malicious web scripts via a forged request. This can happen if attackers can trick a site administrator into performing an action such as clicking on a link. **Recommendations** For versions up to, and including, 1.7.1006, update to a version that includes the fix for the nonce validation issue in the `wpr filter grid posts()` function. As a temporary workaround, consider restricting access to the `wpr filter grid posts()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress versions up to, and including, 1.1.1 **Description** The issue arises from a missing capability check on the `tp install()` function, allowing unauthenticated attackers to install and activate arbitrary plugins. This can lead to remote code execution if another vulnerable plugin is installed and activated. The vulnerability was partially patched in version 1.1.1. **Recommendations** For versions up to, and including, 1.1.1, consider updating to a version that fully addresses the vulnerability, as version 1.1.1 only partially patches the issue. As a temporary workaround, consider disabling the `tp install()` function until a fully patched version is available. Restrict access to plugin installation and activation features to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress versions up to, and including, 4.5.1 **Description** The issue is related to a missing capability check on the `vcita save user data callback()` function, allowing authenticated attackers with Subscriber-level access and above to inject malicious web scripts and update settings. This vulnerability can be exploited to modify data unauthorizedly. **Recommendations** For versions up to, and including, 4.5.1, update to a version higher than 4.5.1 to resolve the issue. As a temporary workaround, consider disabling the `vcita save user data callback()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** NewsMunch theme for WordPress versions up to, and including, 1.0.35 **Description** The issue is related to Stored Cross-Site Scripting via a malicious display name due to insufficient input sanitization and output escaping. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 1.0.35, update to a version later than 1.0.35 to resolve the issue. As a temporary workaround, consider restricting access to the theme's display name feature to minimize the risk of exploitation. Additionally, restrict Contributor-level access and above to trusted users only until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Getwid – Gutenberg Blocks plugin for WordPress versions up to, and including, 2.0.12 **Description** The issue is related to Stored Cross-Site Scripting via the `template-post-custom-field` block due to insufficient input sanitization and output escaping. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages, which will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 2.0.12, update to a version higher than 2.0.12 to resolve the issue. As a temporary workaround, consider restricting access to the `template-post-custom-field` block until a patch is available.