Th3.D1P4K

**Name of the Vulnerable Software and Affected Versions** The FormFlow: WhatsApp Social and Advanced Form Builder with Easy Lead Collection WordPress plugin versions prior to 2.12.2 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in a multisite setup. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 2.12.2, update to version 2.12.2 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high-privilege users to access and modify the plugin's settings until the update is applied.

**Name of the Vulnerable Software and Affected Versions** The Call Now Button WordPress plugin versions prior to 1.4.7 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example in multisite setups. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 1.4.7, update to version 1.4.7 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high privilege users to modify plugin settings until the update is applied.

**Name of the Vulnerable Software and Affected Versions** The Sticky Buttons – floating buttons builder plugin for WordPress versions up to, and including, 3.2.2 **Description** The issue is related to Stored Cross-Site Scripting via sticky URLs due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrator-level access to inject arbitrary web scripts in pages, which will execute when a user accesses an injected page. The issue specifically affects multi-site installations and installations where unfiltered html has been disabled. **Recommendations** For versions up to, and including, 3.2.2, update to a version that includes the necessary input sanitization and output escaping fixes to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting administrator-level access and enabling the unfiltered html capability to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FiboSearch WordPress plugin versions prior to 1.17.0 **Description** The issue is related to the FiboSearch WordPress plugin, which does not properly sanitise and escape some of its settings. This could allow high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks when the unfiltered html capability is disallowed. **Recommendations** For versions prior to 1.17.0, update to version 1.17.0 or later to resolve the issue. As a temporary workaround, consider restricting the `unfiltered html` capability to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Smart Floating / Sticky Buttons WordPress plugin versions prior to 2.5.5 Description: The issue allows high privilege users to perform Cross-Site Scripting attacks due to the lack of sanitization and escaping of certain parameters before they are outputted in attributes and pages. This can occur even when the unfiltered html capability is disallowed. Recommendations: For versions prior to 2.5.5, update to version 2.5.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions 5.1 through 5.1.1 phpMyAdmin version 5.1.2 is not affected, but all versions prior to 5.1.2 are vulnerable. **Description** An issue was discovered in phpMyAdmin, allowing an attacker to inject malicious code into aspects of the setup script, which can enable XSS or HTML injection. This can potentially allow attackers to manipulate user accounts or bypass two-factor authentication in subsequent authentication sessions. Additionally, weaknesses were identified that allow malicious users to submit malicious information, presenting XSS or HTML injection attacks in the graphical setup page. In some scenarios, sensitive information such as database names can be part of the URL, and error messages during failed logon attempts can reveal the target database server's hostname or IP address. **Recommendations** For phpMyAdmin versions 5.1 through 5.1.1, update to version 5.1.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the setup script until a patch is available. Avoid using the graphical setup page with untrusted input until the issue is resolved. Enable the cookie parameter "SameSite" when using PHP version 7.3 or newer to enhance security.