Thuramoemyint

**Name of the Vulnerable Software and Affected Versions** Yasr – Yet Another Stars Rating WordPress plugin versions <= 2.9.9 **Description** A Cross-Site Scripting (XSS) issue was found, related to the `source` parameter. **Recommendations** For Yasr – Yet Another Stars Rating WordPress plugin versions <= 2.9.9, update to a version higher than 2.9.9 to resolve the issue. As a temporary workaround, consider restricting access to the `source` parameter to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: The Photo Gallery by 10Web WordPress plugin versions prior to 1.5.68 Description: The issue is related to Reflected Cross-Site Scripting (XSS) via the `bwg album breadcrumb 0` and `shortcode id` GET parameters passed to the `bwg frontend data` AJAX action. Recommendations: For versions prior to 1.5.68, update to version 1.5.68 or later to resolve the issue. As a temporary workaround, consider restricting access to the `bwg frontend data` AJAX action to minimize the risk of exploitation. Avoid using the `bwg album breadcrumb 0` and `shortcode id` parameters in the affected AJAX action until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin versions prior to 1.5.69 **Description** The issue concerns Reflected Cross-Site Scripting (XSS) problems. The vulnerability can be exploited via the `gallery id`, `tag`, `album id`, and ` id` GET parameters passed to the "bwg frontend data" AJAX action. This action is accessible to both unauthenticated and authenticated users. **Recommendations** For versions prior to 1.5.69, update to version 1.5.69 or later to resolve the issue. As a temporary workaround, consider restricting access to the "bwg frontend data" AJAX action to minimize the risk of exploitation. Avoid using the `gallery id`, `tag`, `album id`, and ` id` parameters in the affected AJAX endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** NextGEN Gallery Pro WordPress plugin versions prior to 3.1.11 **Description** The issue concerns the eCommerce module of the NextGEN Gallery Pro WordPress plugin. It involves an action that calls `get cart items` via `photocrati ajax`, allowing the injection of malicious JavaScript through the `settings[shipping address][name]`. **Recommendations** For versions prior to 3.1.11, update to version 3.1.11 or later to resolve the issue. As a temporary workaround, consider restricting access to the `photocrati ajax` endpoint to minimize the risk of exploitation. Avoid using the `settings[shipping address][name]` variable in the affected API endpoint until the issue is resolved.