Team Webob

**Name of the Vulnerable Software and Affected Versions** WPFunnels versions 3.0.6 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, allowing Stored XSS. This enables attackers to inject malicious scripts into web pages. **Recommendations** For versions 3.0.6 and earlier, update to a version later than 3.0.6 to resolve the issue. As a temporary workaround, consider restricting user input to minimize the risk of exploitation. Avoid using potentially vulnerable API endpoints until the issue is resolved. At the moment, there is no information about additional mitigation measures.

**Name of the Vulnerable Software and Affected Versions** Be POPIA Compliant versions 1.2.0 and earlier **Description** The issue is related to an SQL Injection vulnerability due to improper neutralization of special elements used in an SQL command. This allows for SQL Injection attacks. **Recommendations** For versions 1.2.0 and earlier, update to a version that fixes the SQL Injection vulnerability. As a temporary workaround, consider restricting access to sensitive database queries until a patch is available. Avoid using user-input data directly in SQL commands to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Booking Ultra Pro Appointments Booking Calendar Plugin versions 1.1.8 and earlier **Description** The issue is related to an Unauth. Reflected Cross-Site Scripting (XSS) vulnerability. This means that an attacker can inject malicious scripts into a website, potentially allowing them to steal user data or take control of the user's session. **Recommendations** For versions 1.1.8 and earlier, update to a version later than 1.1.8 to resolve the issue. As a temporary workaround, consider restricting access to the plugin until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Jetpack CRM plugin versions prior to 5.4.4 **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that requires authentication with admin or higher privileges. **Recommendations** For versions prior to 5.4.4, update to version 5.4.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Repute InfoSystems ARMember plugin versions prior to 4.0.1 **Description** The issue is related to an Unauth. Reflected Cross-Site Scripting (XSS) vulnerability. This means that an attacker can inject malicious scripts into a website, potentially allowing them to steal user data or take control of user sessions. **Recommendations** For versions prior to 4.0.1, update to version 4.0.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Booqable Rental Software Booqable Rental plugin versions <= 2.4.15 **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that affects users with admin+ authentication. This type of vulnerability allows an attacker to inject malicious scripts into the website, which can then be executed by other users. **Recommendations** For versions <= 2.4.15, update to a version higher than 2.4.15 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Charitable Donations & Fundraising Team Donation Forms by Charitable plugin versions <= 1.7.0.10 **Description** The issue is an Unauth. Reflected Cross-Site Scripting (XSS) vulnerability. This means that an attacker can inject malicious scripts into the website, potentially allowing them to steal user data or take control of user sessions. **Recommendations** For versions <= 1.7.0.10, update to a version higher than 1.7.0.10 to resolve the issue. As a temporary workaround, consider restricting access to the donation forms until a patch is available. Avoid using the vulnerable plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** MantraBrain Yatra versions through 2.1.14 **Description** The issue is related to improper neutralization of input during web page generation, which allows for stored cross-site scripting (XSS). This is a type of attack where an attacker can inject malicious scripts into a website, potentially affecting users who visit the site. The estimated number of potentially affected devices worldwide is not specified. There is no information provided about real-world incidents where this issue was exploited. **Recommendations** For versions through 2.1.14, update to a version later than 2.1.14 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Amin A.Rezapour Product Specifications for Woocommerce plugin versions 0.6.0 and earlier **Description** The issue is related to an Unauth. Reflected Cross-Site Scripting (XSS) vulnerability. This allows for malicious scripts to be injected into a website, potentially leading to unauthorized actions. **Recommendations** For versions 0.6.0 and earlier, update to a version later than 0.6.0 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Umair Saleem Woocommerce Custom Checkout Fields Editor With Drag & Drop plugin versions <= 0.1 **Description** The issue is related to an Unauth. Reflected Cross-Site Scripting (XSS) vulnerability. This allows for malicious scripts to be injected into the website, potentially leading to unauthorized actions. **Recommendations** For Umair Saleem Woocommerce Custom Checkout Fields Editor With Drag & Drop plugin versions <= 0.1, update to a version higher than 0.1 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WSB Brands plugin versions prior to 1.1.8 **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that requires authentication with admin or higher privileges. **Recommendations** For versions prior to 1.1.8, update to version 1.1.8 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** RexTheme Cart Lift – Abandoned Cart Recovery for WooCommerce and EDD plugin versions <= 3.1.5 **Description** The issue is related to an Unauth. Reflected Cross-Site Scripting (XSS) vulnerability. This means that an attacker can inject malicious scripts into a website, potentially allowing them to steal user data or take control of the user's session. **Recommendations** For RexTheme Cart Lift – Abandoned Cart Recovery for WooCommerce and EDD plugin versions <= 3.1.5, update to a version higher than 3.1.5 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Pakpobox alfred24 Click & Collect plugin versions <= 1.1.7 **Description** The issue is related to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability. This means that an attacker with admin+ privileges can inject malicious scripts into the application, which can then be executed by other users. The estimated number of potentially affected devices worldwide is not available. **Recommendations** For Pakpobox alfred24 Click & Collect plugin versions <= 1.1.7, update to a version higher than 1.1.7 to resolve the issue. At the moment, there is no information about other mitigation measures.

**Name of the Vulnerable Software and Affected Versions** Olive Design WP-OliveCart plugin versions prior to 1.1.4 **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that affects users with admin+ authentication. **Recommendations** For Olive Design WP-OliveCart plugin versions prior to 1.1.4, update to version 1.1.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Le Van Toan Woocommerce Vietnam Checkout plugin versions prior to 2.0.5 **Description** The issue is related to an Unauth. Reflected Cross-Site Scripting (XSS) vulnerability. This means that an attacker can inject malicious scripts into a website, potentially allowing them to steal user data or take control of user sessions. **Recommendations** For versions prior to 2.0.5, update to version 2.0.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Connect Contact Form 7, WooCommerce To Google Sheets & Other Platforms – Advanced Form Integration plugin versions prior to 1.62.0 **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that requires authentication with admin+ privileges. This allows an attacker to inject malicious scripts into the application. **Recommendations** For versions prior to 1.62.0, update to version 1.62.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** this.Functional CTT Expresso para WooCommerce plugin versions <= 3.2.11 **Description** The issue is related to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability. This type of vulnerability allows an attacker to inject malicious scripts into the website, which can then be executed by other users, potentially leading to unauthorized actions or data theft. The estimated number of potentially affected devices and details about real-world incidents where this issue was exploited are not provided. **Recommendations** For this.Functional CTT Expresso para WooCommerce plugin versions <= 3.2.11, update to a version higher than 3.2.11 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's administrative functions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Blockonomics WordPress Bitcoin Payments – Blockonomics plugin versions <= 3.5.7 **Description** The issue is a Reflected Cross-Site Scripting (XSS) vulnerability. This means an attacker can inject malicious scripts into a website, potentially allowing them to steal user data or take control of the user's session. **Recommendations** For Blockonomics WordPress Bitcoin Payments – Blockonomics plugin versions <= 3.5.7, update to a version higher than 3.5.7 to resolve the issue.