Teerachai Somprasong

**Name of the Vulnerable Software and Affected Versions** Alba Board versions prior to 2.1.4 **Description** The plugin fails to properly verify if a user is authorized to perform specific actions, leading to an authorization bypass. This allows authenticated attackers with subscriber-level access or higher to access arbitrary private `alba card` post data, such as titles, descriptions, assignees, due dates, tags, and comments, which should be restricted to Administrators and Editors. Because the handler is registered via the `wp ajax nopriv ` hook and its nonce is exposed to all site visitors through `wp localize script` on pages containing the `[alba board]` shortcode, the issue is also exploitable by unauthenticated users who can access those pages. **Recommendations** Update to a version later than 2.1.3.

**Name of the Vulnerable Software and Affected Versions** My Social Feeds – Social Feeds Embedder versions prior to 1.0.5 **Description** The plugin is subject to sensitive information exposure via the 'ttp get accounts' AJAX action. The `get accounts()` function lacks authorization checks and nonce verification, allowing authenticated attackers with Subscriber-level access or higher to retrieve the full contents of the `ttp tiktok accounts` WordPress option. This includes sensitive TikTok OAuth credentials, specifically `access token` and `refresh token` values from administrator-connected accounts, which can be used to impersonate the site owner when interacting with the TikTok API. **Recommendations** Update the plugin to a version later than 1.0.4. As a temporary workaround, restrict access to the 'ttp get accounts' AJAX action to prevent unauthorized users from calling the `get accounts()` function.

**Name of the Vulnerable Software and Affected Versions** MaxiBlocks Builder versions prior to 2.1.9 **Description** Insufficient file ownership validation in the 'maxi remove custom image size' AJAX action allows authenticated attackers with Author-level access or higher to delete arbitrary media files within the `wp-content/uploads` directory. This includes files uploaded by other users and administrators. **Recommendations** Update to a version newer than 2.1.8.

**Name of the Vulnerable Software and Affected Versions** Age Verification & Identity Verification by Token of Trust versions prior to 3.32.4 **Description** The Age Verification & Identity Verification by Token of Trust plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs due to insufficient input sanitization and output escaping within the `description` parameter. Unauthenticated attackers can exploit this to inject arbitrary web scripts into pages, which then execute when a user accesses the affected page. **Recommendations** Update to a version newer than 3.32.3. As a temporary workaround, restrict or avoid using the `description` parameter until the update is applied.

**Name of the Vulnerable Software and Affected Versions** WowStore – Store Builder & Product Blocks for WooCommerce plugin for WordPress versions up to and including 4.4.3 **Description** The WowStore – Store Builder & Product Blocks for WooCommerce plugin for WordPress is susceptible to SQL Injection via the `search` parameter. Insufficient escaping of user-supplied input and inadequate preparation of existing SQL queries allow unauthenticated attackers to inject additional SQL queries, potentially extracting sensitive information from the database. **Recommendations** Versions prior to 4.4.4 should be updated.

**Name of the Vulnerable Software and Affected Versions** ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution plugin for WordPress versions prior to 3.3.3 **Description** The ShopLentor plugin is susceptible to Email Relay Abuse due to insufficient validation of input parameters. Specifically, the `send to`, `product title`, `wlmessage`, and `wlemail` parameters within the `woolentor suggest price action` API endpoint are not properly validated. This allows unauthenticated attackers to leverage the website as an email relay for malicious purposes, such as spam or phishing campaigns. Attackers gain full control over the email subject line, message content, and sender address through CRLF injection within the `wlemail` parameter. **Recommendations** Versions prior to 3.3.3 should be updated to version 3.3.3 or later.

**Name of the Vulnerable Software and Affected Versions** Invoct – PDF Invoices & Billing for WooCommerce versions up to and including 1.6 **Description** The Invoct – PDF Invoices & Billing for WooCommerce plugin for WordPress has a flaw that allows unauthorized access to data. This is due to a missing capability check in multiple functions. Authenticated attackers with Subscriber-level access or higher can retrieve invoice clients, invoice items, and a list of WordPress users along with their email addresses. **Recommendations** Update Invoct – PDF Invoices & Billing for WooCommerce to a version newer than 1.6.

**Name of the Vulnerable Software and Affected Versions** Magic Import Document Extractor plugin for WordPress versions up to and including 1.0.4 **Description** The software is susceptible to unauthorized data modification because of a missing authorization check within the `ajax sync usage()` function. This allows unauthenticated attackers to alter the plugin’s license status and credit balance. **Recommendations** Update the Magic Import Document Extractor plugin to a version later than 1.0.4.

**Name of the Vulnerable Software and Affected Versions** Magic Import Document Extractor plugin for WordPress versions up to and including 1.0.4 **Description** The software is susceptible to a sensitive information exposure issue. Unauthenticated attackers can extract the site's `magicimport.ai` license key from the page source on any page containing the plugin's shortcode through the `get frontend settings()` function. **Recommendations** Update the Magic Import Document Extractor plugin to a version later than 1.0.4.

**Name of the Vulnerable Software and Affected Versions** The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress versions up to and including 1.4.5 **Description** The plugin has an authorization bypass due to missing capability checks on the CSV export functionality. This allows unauthenticated attackers to download sensitive form submission data, including personally identifiable information (PII), by accessing the CSV export endpoint. The export key needed for this access is exposed in the publicly accessible page source code. The CSV export handler bypasses user permission filtering, exporting all entries regardless of user roles. **Recommendations** Versions prior to 1.4.5 should be updated.

**Name of the Vulnerable Software and Affected Versions** Integrate Dynamics 365 CRM plugin for WordPress versions prior to 1.1.2 **Description** The Integrate Dynamics 365 CRM plugin for WordPress is susceptible to Stored Cross-Site Scripting through admin settings. Insufficient input sanitization and output escaping on user-supplied attributes allow authenticated attackers with Administrator-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. **Recommendations** Update to version 1.1.2 or later.

**Name of the Vulnerable Software and Affected Versions** RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress versions prior to 4.1116 **Description** The RepairBuddy plugin for WordPress is susceptible to Insecure Direct Object Reference. This is due to the absence of appropriate capability checks within the `wc upload and save signature handler` function. Authenticated attackers possessing Subscriber-level access or higher can upload arbitrary signatures to any order, potentially altering order metadata and causing unauthorized status modifications. **Recommendations** Update to a version newer than 4.1116.

**Name of the Vulnerable Software and Affected Versions** WP-CRM System plugin for WordPress versions up to and including 3.4.5 **Description** The WP-CRM System plugin for WordPress is susceptible to unauthorized access because of absent capability checks within the `wpcrm get email recipients` and `wpcrm system ajax task change status` AJAX functions. This allows authenticated attackers possessing subscriber-level access or higher to enumerate CRM contact email addresses, resulting in potential PII disclosure, and to modify CRM task statuses. **Recommendations** Update the WP-CRM System plugin to a version later than 3.4.5.

**Name of the Vulnerable Software and Affected Versions** iPaymu Payment Gateway for WooCommerce plugin for WordPress versions up to and including 2.0.2 **Description** The iPaymu Payment Gateway for WooCommerce plugin for WordPress is susceptible to missing authentication. This occurs because the plugin does not validate the authenticity of webhook requests through signature verification or origin checks. An unauthenticated attacker can send crafted POST requests to the webhook endpoint to falsely mark WooCommerce orders as paid, without actual payment. Additionally, attackers can enumerate order IDs and obtain valid order keys via GET requests, potentially exposing customer Personally Identifiable Information (PII) such as names, addresses, and purchased products. The vulnerable function is `check ipaymu response`. **Recommendations** Update the iPaymu Payment Gateway for WooCommerce plugin for WordPress to a version later than 2.0.2.