Tomasz Swiadek

**Name of the Vulnerable Software and Affected Versions** URL Shortify WordPress plugin versions prior to 1.7.9.1 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in a multisite setup. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 1.7.9.1, update to version 1.7.9.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings for high privilege users until the update is applied.

**Name of the Vulnerable Software and Affected Versions** User Activity Log Pro WordPress plugin versions prior to 2.3.4 **Description** The issue is related to the improper escaping of recorded User-Agents in the user activity logs dashboard. This may allow visitors to conduct Stored Cross-Site Scripting attacks. **Recommendations** For versions prior to 2.3.4, update to version 2.3.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the user activity logs dashboard until the update is applied.

**Name of the Vulnerable Software and Affected Versions** DoLogin Security WordPress plugin versions prior to 3.7.1 **Description** The issue concerns the DoLogin Security WordPress plugin, which does not restrict access to a widget showing IPs of failed logins to low-privileged users. This could potentially allow unauthorized access to sensitive information. **Recommendations** For versions prior to 3.7.1, update to version 3.7.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the widget that displays failed login IPs to high-privileged users only.

**Name of the Vulnerable Software and Affected Versions** user-activity-log-pro WordPress plugin versions prior to 2.3.4 **Description** The issue allows an attacker to manipulate the client IP address value by exploiting the plugin's retrieval of IP addresses from potentially untrusted headers. This can be used to hide the source of malicious traffic. **Recommendations** For versions prior to 2.3.4, update to version 2.3.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality that retrieves client IP addresses until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** DoLogin Security WordPress plugin versions prior to 3.7 **Description** The issue allows IP spoofing by using headers such as the X-Forwarded-For to retrieve the IP address of the request. **Recommendations** For versions prior to 3.7, update to version 3.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Activity Log WordPress plugin versions prior to 2.8.8 **Description** The issue allows an attacker to manipulate the client IP address by exploiting the plugin's retrieval of IP addresses from potentially untrusted headers. This can be used to hide the source of malicious traffic. **Recommendations** For versions prior to 2.8.8, update to version 2.8.8 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** DoLogin Security WordPress plugin versions prior to 3.7 **Description** The issue arises from improper sanitization of IP addresses from the X-Forwarded-For header, allowing attackers to conduct Stored XSS attacks through the WordPress login form. **Recommendations** For versions prior to 3.7, update to version 3.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** URL Shortify WordPress plugin versions prior to 1.7.6 **Description** The issue allows an unauthenticated attacker to inject malicious javascript into the plugin's admin panel with statistics of the created short link, due to improper escaping of the referer header value. **Recommendations** For versions prior to 1.7.6, update to version 1.7.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin panel to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** User Activity Log WordPress plugin versions prior to 1.6.7 **Description** The issue allows an attacker to manipulate the client IP address value retrieved by the plugin, potentially hiding the source of malicious traffic. This is due to the plugin retrieving client IP addresses from potentially untrusted headers. **Recommendations** For versions prior to 1.6.7, update to version 1.6.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality that retrieves client IP addresses until a patch is applied.