Tommaso Gregori

**Name of the Vulnerable Software and Affected Versions** Jenkins Pipeline: Groovy Libraries Plugin versions prior to 797.v90ea a 9b e45a 0 **Description** The plugin does not prohibit symbolic links in shared libraries. This allows attackers who can control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem. **Recommendations** Update to a version later than 797.v90ea a 9b e45a 0.

**Name of the Vulnerable Software and Affected Versions** Password Reset with Code for WordPress REST API plugin versions prior to 0.0.17 **Description** The plugin does not employ cryptographically secure algorithms for generating One-Time Password (OTP) codes, which could allow for account takeovers. **Recommendations** Update the Password Reset with Code for WordPress REST API plugin to version 0.0.17 or later.

**Name of the Vulnerable Software and Affected Versions** Qwizcards | online quizzes and flashcards WordPress plugin versions through 3.9.4 **Description** The WordPress plugin does not properly sanitize and escape the ` stylesheet` parameter before outputting it, leading to a Reflected Cross-Site Scripting issue. This could potentially be used against users with high privileges, such as administrators. **Recommendations** Update Qwizcards | online quizzes and flashcards WordPress plugin to a version later than 3.9.4.

Name of the Vulnerable Software and Affected Versions: Hostel WordPress plugin versions prior to 1.1.5.8 Description: The Hostel WordPress plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue. This could be used against high privilege users, such as administrators. Recommendations: Update the Hostel WordPress plugin to version 1.1.5.8 or later.

**Name of the Vulnerable Software and Affected Versions** Broadstreet WordPress plugin versions prior to 1.51.8 **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs because a parameter is not properly sanitised and escaped before being outputted back in the page. This could be exploited against high-privilege users, such as administrators. **Recommendations** For versions prior to 1.51.8, update to version 1.51.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Gearside Developer Dashboard WordPress plugin versions 1.0.72 and earlier **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs because a `parameter` is not properly sanitised and escaped before being outputted back in the page. This could be exploited against high-privilege users, such as administrators. **Recommendations** For Gearside Developer Dashboard WordPress plugin versions 1.0.72 and earlier, update to a version that properly sanitises and escapes parameters to prevent Reflected Cross-Site Scripting. As a temporary workaround, consider restricting access to the plugin's functionality to minimize the risk of exploitation.