Thanh Nam Tran

**Name of the Vulnerable Software and Affected Versions** SurveyJS: Drag & Drop WordPress Form Builder plugin versions up to and including 1.12.17 **Description** The issue allows authenticated attackers with Subscriber-level access and above to delete arbitrary files on the server due to a missing capability check on the callback function of the `SurveyJS DeleteFile` class. This can lead to remote code execution when a critical file, such as `wp-config.php`, is deleted. The function is also vulnerable to Cross-Site Request Forgery. **Recommendations** For versions up to and including 1.12.17, consider disabling the `SurveyJS DeleteFile` class until a patch is available to prevent arbitrary file deletion. Restrict access to the callback function of the `SurveyJS DeleteFile` class to minimize the risk of exploitation. Avoid using the `SurveyJS DeleteFile` class in the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ELEX WordPress HelpDesk & Customer Ticketing System plugin versions up to, and including, 3.2.6 **Description** The issue is related to a missing capability check on the `eh crm agent add user` AJAX action, allowing authenticated attackers with Subscriber-level access and above to create new administrative user accounts. This makes it possible for attackers to escalate privileges. **Recommendations** For ELEX WordPress HelpDesk & Customer Ticketing System plugin versions up to, and including, 3.2.6, consider disabling the `eh crm agent add user` AJAX action until a patch is available to prevent authenticated attackers from creating new administrative user accounts. Restrict access to administrative functions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WP Hotel Booking plugin for WordPress versions up to and including 2.1.5 **Description** The issue allows unauthorized modification of data due to a missing capability check when adding rooms. This makes it possible for unauthenticated attackers to add rooms with custom prices. **Recommendations** For versions up to and including 2.1.5, update to a version higher than 2.1.5 to resolve the issue. As a temporary workaround, consider restricting access to the room addition feature until a patch is available. Avoid using the custom price feature in the affected plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** The Essential WP Real Estate plugin for WordPress versions up to, and including, 1.1.3 **Description** The issue is caused by a missing capability check on the `cl delete listing func()` function, allowing unauthorized access. This makes it possible for unauthenticated attackers to delete arbitrary pages and posts. **Recommendations** For versions up to, and including, 1.1.3, update to a version that includes a fix for the missing capability check on the `cl delete listing func()` function. As a temporary workaround, consider disabling the `cl delete listing func()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MDTF – Meta Data and Taxonomies Filter plugin for WordPress versions up to, and including, 1.3.3.5 **Description** The issue arises from insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query, allowing authenticated attackers with Contributor-level access and above to append additional SQL queries into already existing queries. This can be used to extract sensitive information from the database via the `key` attribute of the `mdf value` shortcode. **Recommendations** For versions up to, and including, 1.3.3.5, consider disabling the `mdf value` shortcode until a patch is available to prevent exploitation of the SQL Injection vulnerability. Restrict access to the `mdf value` shortcode to minimize the risk of exploitation. Avoid using the `key` attribute in the `mdf value` shortcode until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** School Management System – SakolaWP plugin for WordPress versions up to and including 1.0.8 **Description** The issue is due to the registration function not properly limiting what roles a user can register as, making it possible for unauthenticated attackers to register as an administrative user. This allows attackers to escalate privileges. **Recommendations** For versions up to and including 1.0.8, update to version 1.0.9 to resolve the issue. As a temporary workaround, consider restricting access to the registration function until the update is applied.

**Name of the Vulnerable Software and Affected Versions** WP BASE Booking of Appointments, Services and Events plugin for WordPress versions up to, and including, 4.9.2 **Description** The issue is related to unauthorized access of data due to a missing capability check on the `export db` function. This allows authenticated attackers with Subscriber-level access and above to expose sensitive information from the database, such as the hashed administrator password. **Recommendations** For WP BASE Booking of Appointments, Services and Events plugin for WordPress versions up to, and including, 4.9.2, consider disabling the `export db` function until a patch is available to prevent unauthorized data exposure. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WPC Shop as a Customer for WooCommerce plugin for WordPress versions prior to 1.2.9 **Description** The issue affects the WPC Shop as a Customer for WooCommerce plugin for WordPress, allowing account takeover and privilege escalation. This is due to the `generate key` function not producing a sufficiently random value. Authenticated attackers with Subscriber-level access and above can log in as site administrators if they have triggered the `ajax login()` function, which generates a unique key for login. **Recommendations** For versions prior to 1.2.9, update to version 1.2.9 or later to resolve the issue. As a temporary workaround, consider disabling the `ajax login()` function until a patch is available. Restrict access to the `generate key` function to minimize the risk of exploitation. Avoid using the `ajax login()` function in the affected plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** CRM WordPress Plugin – RepairBuddy versions up to 3.8120 **Description** The issue arises from the plugin not properly validating a user's identity before updating their email through the `wc update user data` AJAX action. This allows authenticated attackers with subscriber-level access and above to change arbitrary users' email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. **Recommendations** For versions up to 3.8120, update to a version above 3.8120 to resolve the issue. As a temporary workaround, consider restricting access to the `wc update user data` AJAX action until a patch is available. Restrict access to the plugin's user management features to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WP Timetics - AI-powered Appointment Booking Calendar and Online Scheduling Plugin versions up to, and including, 1.0.27 **Description** The issue concerns a missing capability check on the "/wp-json/timetics/v1/customers/" REST API endpoint. This allows authenticated attackers with Timetics Customer access and above to delete arbitrary users, resulting in unauthorized loss of data. **Recommendations** For versions up to, and including, 1.0.27, update to a version higher than 1.0.27 to resolve the issue. As a temporary workaround, consider restricting access to the "/wp-json/timetics/v1/customers/" endpoint until a patch is available. Restrict Timetics Customer access and above to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses plugin for WordPress versions up to, and including, 3.2.21 **Description** The issue is related to unauthorized access due to a missing capability check on the `wpc update user meta option()` function. This allows authenticated attackers with Subscriber-level access and above to update arbitrary user's metadata. By setting `wp capabilities` to 0, an attacker can block an administrator from accessing their site. **Recommendations** For versions up to, and including, 3.2.21, update to a version that includes a fix for the missing capability check in the `wpc update user meta option()` function. As a temporary workaround, consider restricting access to the `wpc update user meta option()` function until a patch is available.

Name of the Vulnerable Software and Affected Versions: The Social Web Suite – Social Media Auto Post, Social Media Auto Publish plugin for WordPress versions up to, and including, 4.1.11 Description: The issue concerns a Directory Traversal vulnerability, which allows unauthenticated attackers to read the contents of arbitrary files on the server. This can potentially expose sensitive information. The vulnerability is exploited via the `download log` function. Recommendations: For versions up to, and including, 4.1.11, update to a version later than 4.1.11 to resolve the issue. As a temporary workaround, consider restricting access to the `download log` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Login with phone number plugin for WordPress versions up to, and including, 1.7.49 **Description** The issue is due to a lack of validation and missing capability check on user-supplied data in the `lwp update password action` function. This allows authenticated attackers, with Subscriber-level access and above, to update their role to any other role, including Administrator. The vulnerability was partially patched in version 1.7.40, but the login with phone number pro plugin was required to exploit the vulnerability in versions 1.7.40 - 1.7.49. **Recommendations** For versions up to 1.7.39, update to a version above 1.7.49 to fully resolve the issue. For versions 1.7.40 - 1.7.49, ensure the login with phone number pro plugin is not installed or used, and update to a version above 1.7.49 to fully resolve the issue. As a temporary workaround, consider disabling the `lwp update password action` function until a patch is available.

Name of the Vulnerable Software and Affected Versions: The Tutor LMS Pro plugin for WordPress versions up to, and including, 2.7.2 Description: The issue allows authenticated attackers with subscriber-level access and above to perform administrative actions on the site, such as deleting comments, posts, or users, and viewing notifications. This is due to missing capability checks on multiple functions like `treport quiz atttempt delete` and `tutor gc class action`. Recommendations: For versions up to, and including, 2.7.2, update to a version that includes the necessary capability checks to prevent unauthorized administrative actions. As a temporary workaround, consider restricting access to the vulnerable functions `treport quiz atttempt delete` and `tutor gc class action` until a patch is available.

**Name of the Vulnerable Software and Affected Versions** FundEngine plugin for WordPress versions up to, and including, 1.7.0 **Description** The issue is due to the plugin not properly verifying user meta updated through the `update user meta` function. This allows authenticated attackers, with subscriber-level access and above, to update their user meta, which can be leveraged to update their capabilities to gain administrator access. **Recommendations** For versions up to, and including, 1.7.0, update to a version that includes the fix for this issue to prevent privilege escalation. As a temporary workaround, consider restricting access to the `update user meta` function until a patch is available.

Name of the Vulnerable Software and Affected Versions: GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress versions up to, and including, 3.13.0 Description: The issue is related to Insecure Direct Object Reference, which occurs due to missing validation on a user-controlled key in the `handleRequest` function. This allows authenticated attackers with GiveWP Worker-level access and above to delete and update arbitrary posts. Recommendations: For versions up to, and including, 3.13.0, update to a version that includes a fix for this issue to prevent exploitation. As a temporary workaround, consider restricting access to the `handleRequest` function to minimize the risk of arbitrary post deletion and updates.

**Name of the Vulnerable Software and Affected Versions** JSON API User plugin for WordPress versions up to, and including, 3.9.3 **Description** The issue is due to improper controls on custom user meta fields, making it possible for unauthenticated attackers to register as administrators on the site. The plugin requires the JSON API plugin to also be installed. **Recommendations** For versions up to, and including, 3.9.3, update to a version later than 3.9.3 to resolve the issue. As a temporary workaround, consider disabling the custom user meta fields feature until a patch is available. Restrict access to the user registration process to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: The Tutor LMS – eLearning and online course solution plugin for WordPress versions up to, and including, 2.7.1 Description: The issue allows authenticated attackers with Instructor-level access and above to delete arbitrary quiz attempts due to missing validation on a user-controlled key in the `attempt delete` function. This is possible because of an Insecure Direct Object Reference. Recommendations: For versions up to, and including, 2.7.1, update to a version that includes a fix for the missing validation in the `attempt delete` function to prevent arbitrary quiz attempt deletion. As a temporary workaround, consider restricting access to the `attempt delete` function for users with Instructor-level access and above until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Download Manager plugin for WordPress versions up to, and including, 3.2.93 **Description** The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the `wpdm modal login form` shortcode. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages, which will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 3.2.93, update to a version later than 3.2.93 to resolve the issue. As a temporary workaround, consider restricting access to the `wpdm modal login form` shortcode to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin versions up to, and including, 3.2.0.1 **Description** The issue allows unauthorized modification of data due to a missing capability check on the `import form action` function. This enables authenticated attackers with contributor-level permissions and above to import a registration form with a default user role of administrator. If an administrator approves or publishes a post or page with the shortcode to the imported form, any user can register as an administrator. **Recommendations** For versions up to, and including, 3.2.0.1, consider disabling the `import form action` function until a patch is available to prevent unauthorized data modification. Restrict access to the registration form import feature to minimize the risk of exploitation. Avoid using the default user role of administrator in imported registration forms until the issue is resolved.