Thái An

**Name of the Vulnerable Software and Affected Versions** Service Finder Bookings plugin for WordPress versions prior to 6.1 **Description** The Service Finder Bookings plugin for WordPress is susceptible to privilege escalation, potentially leading to account takeover. This occurs because the plugin does not adequately verify a user’s identity before allowing updates to user details, such as their email address. Authenticated attackers with subscriber-level access or higher can modify the email addresses of any user, including administrators. This allows attackers to initiate password resets and gain unauthorized access to accounts. **Recommendations** Versions prior to 6.1 should be updated to version 6.1 or later to address this issue.

**Name of the Vulnerable Software and Affected Versions** Noo JobMonster theme for WordPress versions prior to 4.8.1 **Description** The Noo JobMonster theme for WordPress is susceptible to Authentication Bypass due to a flaw in the `check login()` function. This function does not properly verify a user's identity, potentially allowing unauthenticated attackers to bypass standard authentication and gain access to administrative user accounts. Social login must be enabled for a site to be impacted by this issue. **Recommendations** Versions prior to 4.8.1 should be updated to version 4.8.1 or later.

**Name of the Vulnerable Software and Affected Versions** Academy LMS – WordPress LMS Plugin for Complete eLearning Solution versions prior to 3.3.8 **Description** The Academy LMS plugin for WordPress does not properly validate a user's role before allowing user registration through the Social Login addon. This allows unauthenticated attackers to escalate their privileges to Administrator during the registration process. **Recommendations** Update to version 3.3.8 or later.

**Name of the Vulnerable Software and Affected Versions** MultiLoca - WooCommerce Multi Locations Inventory Management plugin for WordPress versions prior to 4.2.9 **Description** The software is susceptible to unauthorized data modification, potentially allowing attackers to escalate privileges. Specifically, a missing capability check within the `wcmlim settings ajax handler` function allows unauthenticated attackers to update arbitrary options on the WordPress site. This can be exploited to modify the default role for registration to administrator and enable user registration, granting attackers administrative access. **Recommendations** Update to version 4.2.9 or later.

Name of the Vulnerable Software and Affected Versions: Goza - Nonprofit Charity WordPress Theme versions through 3.2.2 Description: The Goza - Nonprofit Charity WordPress Theme is susceptible to arbitrary file deletion due to inadequate file path validation within the `alone import pack restore data()` function. This allows unauthenticated attackers to delete arbitrary files on the server, potentially leading to remote code execution if critical files, such as `wp-config.php`, are deleted. Recommendations: Update Goza - Nonprofit Charity WordPress Theme to a version later than 3.2.2.

Name of the Vulnerable Software and Affected Versions: WPGYM - Wordpress Gym Management System plugin versions prior to 67.7.1 Description: The WPGYM - Wordpress Gym Management System plugin for WordPress is susceptible to Local File Inclusion via the `page` parameter. This allows authenticated attackers with Subscriber-level access or higher to include and execute arbitrary files on the server, potentially enabling the execution of PHP code. This can be leveraged to bypass access controls, obtain sensitive data, or achieve code execution, particularly when combined with the ability to upload and include files. Exploitation can also lead to privilege escalation, such as updating the passwords of Super Administrator accounts in Multisite environments. Recommendations: Update the WPGYM - Wordpress Gym Management System plugin to version 67.7.1 or later.

**Name of the Vulnerable Software and Affected Versions** Brave Conversion Engine (PRO) plugin for WordPress versions through 0.7.7 **Description** The Brave Conversion Engine (PRO) plugin for WordPress is susceptible to authentication bypass due to improper restriction of a claimed identity during Facebook authentication. This allows unauthenticated attackers to log in as other users, including administrators. **Recommendations** Update the Brave Conversion Engine (PRO) plugin to a version later than 0.7.7.

**Name of the Vulnerable Software and Affected Versions** MasterStudy LMS Pro versions up to and including 4.7.9 **Description** The MasterStudy LMS Pro plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the `install and activate plugin` function. This allows authenticated attackers with Subscriber-level access and above to upload arbitrary files to the affected server, potentially leading to remote code execution. Exploitation is difficult due to timing requirements and environmental factors. **Recommendations** MasterStudy LMS Pro versions prior to and including 4.7.9: Update to a version newer than 4.7.9.

**Name of the Vulnerable Software and Affected Versions** School Management System for Wordpress plugin for WordPress versions prior to 93.1.0 **Description** The School Management System for Wordpress plugin for WordPress is vulnerable to Local File Inclusion via the `page` parameter. This allows authenticated attackers with Subscriber-level access and above to include and execute arbitrary files on the server, potentially enabling the execution of PHP code. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. Privilege escalation is possible in Multisite environments by updating Super Administrator passwords. **Recommendations** Update to version 93.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** Madara - Core plugin for WordPress versions prior to 2.2.3 **Description** The Madara - Core plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the `wp manga delete zip()` function. This allows unauthenticated attackers to delete arbitrary files on the server, potentially leading to remote code execution if critical files, such as `wp-config.php`, are deleted. **Recommendations** Update the Madara - Core plugin to version 2.2.3 or later.

**Name of the Vulnerable Software and Affected Versions** mojomla WPGYM versions through 65.0 **Description** The software is susceptible to a SQL Injection issue due to improper neutralization of special elements used in an SQL command. **Recommendations** Update to a version later than 65.0.

**Name of the Vulnerable Software and Affected Versions** uxper Sala versions n/a through 1.1.3 **Description** A missing authorization issue exists in uxper Sala, allowing access to functionality not properly constrained by Access Control Lists (ACLs). **Recommendations** Update uxper Sala to a version beyond 1.1.3.

**Name of the Vulnerable Software and Affected Versions** uxper Nuss versions n/a through 1.3.3 **Description** A missing authorization issue exists in uxper Nuss, allowing access to functionality not properly constrained by Access Control Lists (ACLs). **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** shinetheme Traveler (affected versions not specified) **Description** The software contains a SQL injection flaw due to improper neutralization of special elements used in an SQL command. This allows for potential SQL injection attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Alone – Charity Multipurpose Non-profit WordPress Theme versions 7.8.3 and earlier **Description** The Alone WordPress theme contains a critical vulnerability that allows unauthenticated attackers to upload malicious files, potentially leading to remote code execution. The vulnerability resides in the `alone import pack install plugin()` function, which lacks proper capability checks. Attackers can upload arbitrary files, such as PHP webshells disguised as plugins, from remote locations. Over 120,900 exploit attempts have been observed since July 14th. Successful exploitation can result in full site compromise. **Recommendations** Alone – Charity Multipurpose Non-profit WordPress Theme versions prior to 7.8.4 Update to version 7.8.5 or later.

**Name of the Vulnerable Software and Affected Versions** Alone – Charity Multipurpose Non-profit WordPress Theme versions up to and including 7.8.3 **Description** The Alone – Charity Multipurpose Non-profit WordPress Theme is vulnerable to arbitrary file deletion due to insufficient file path validation in the `alone import pack restore data()` function. This allows unauthenticated attackers to delete arbitrary files on the server, potentially leading to remote code execution if critical files, such as `wp-config.php`, are deleted. **Recommendations** Alone – Charity Multipurpose Non-profit WordPress Theme versions prior to 7.8.4 should be updated.

Name of the Vulnerable Software and Affected Versions: Sala - Startup & SaaS WordPress Theme versions prior to 1.1.5 Description: The issue arises from the theme's failure to properly validate a user's identity before updating their details, such as the `password`. This allows unauthenticated attackers to change arbitrary users' passwords, including those of administrators, and gain access to their accounts. Recommendations: For versions prior to 1.1.5, update to version 1.1.5 or later to resolve the issue. As a temporary workaround, consider restricting access to user account management features until a patch is available.

Name of the Vulnerable Software and Affected Versions: The Home Villas | Real Estate WordPress Theme versions up to, and including, 2.8 Description: The issue is related to insufficient file path validation in the `wp rem cs widget file delete` function, allowing authenticated attackers with Subscriber-level access and above to delete arbitrary files on the server. This can lead to remote code execution when specific files, such as `wp-config.php`, are deleted. Recommendations: For versions up to, and including, 2.8, consider disabling the `wp rem cs widget file delete` function until a patch is available to prevent arbitrary file deletion. Restrict access to sensitive files on the server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** RH - Real Estate WordPress Theme versions prior to 4.4.1 **Description** The issue is related to privilege escalation due to the theme not properly restricting user roles that can be updated as part of the `inspiry update profile()` function. This allows authenticated attackers with subscriber-level access and above to set their role to that of an administrator. **Recommendations** For versions prior to 4.4.1, update to version 4.4.1 to fully patch the vulnerability. As a temporary workaround, consider restricting access to the `inspiry update profile()` function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Advance Seat Reservation Management for WooCommerce plugin for WordPress versions up to, and including, 3.3 **Description** The issue allows for SQL Injection via the `profileId` parameter due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. **Recommendations** For versions up to, and including, 3.3, consider disabling the `profileId` parameter until a patch is available to prevent SQL Injection attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.