Tonn

**Name of the Vulnerable Software and Affected Versions** Sneeit Framework plugin for WordPress versions prior to 8.4 Sneeit Framework versions 8.3 and earlier **Description** The Sneeit Framework plugin for WordPress contains a Remote Code Execution (RCE) issue due to the `sneeit articles pagination callback()` function accepting user input and passing it through `call user func()`. This allows unauthenticated attackers to execute code on the server, potentially enabling them to inject backdoors or create new administrative user accounts. Over 1,700 active installations are estimated to be at risk. This issue is actively being exploited in the wild, with over 131,000 exploit attempts reported. The vulnerability has been leveraged in attacks related to the Frost botnet. The `sneeit articles pagination callback()` function is vulnerable. Attackers can exploit this through crafted AJAX requests. **Recommendations** Versions prior to 8.4: Update to version 8.4 or later.

**Name of the Vulnerable Software and Affected Versions** WordPress Zombify plugin versions up to and including 1.7.5 **Description** The Zombify plugin for WordPress is susceptible to a Path Traversal issue. This is caused by inadequate input validation within the `zf get file by url` function. Authenticated attackers with subscriber-level access or higher can potentially read arbitrary files on the server, including sensitive system files like /etc/passwd, by submitting a crafted request. Exploitation of this issue is dependent on a race condition, as the generated file is immediately deleted. **Recommendations** Update WordPress Zombify plugin to a version later than 1.7.5.

**Name of the Vulnerable Software and Affected Versions** WordPress User Extra Fields versions up to and including 16.7 **Description** The WordPress User Extra Fields plugin is susceptible to arbitrary file deletion. This is due to inadequate file path validation within the `save fields()` function. Authenticated attackers with Subscriber-level access or higher can exploit this to delete arbitrary files on the server. Deletion of critical files, such as `wp-config.php`, could lead to remote code execution. **Recommendations** Versions up to and including 16.7 should be updated to a newer, fixed version when available. As a temporary workaround, consider restricting access to the `save fields()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** WooCommerce Designer Pro versions up to and including 1.9.26 **Description** The WooCommerce Designer Pro plugin for WordPress is affected by a critical issue allowing arbitrary file uploads. This is due to missing file type validation within the `wcdp save canvas design ajax` function. Unauthenticated attackers can exploit this to upload arbitrary files to the server, potentially leading to remote code execution. Over 5,400 instances are estimated to be vulnerable. The plugin is commonly used with the Pricom - Printing Company & Design Services WordPress theme. **Recommendations** Update WooCommerce Designer Pro to a version newer than 1.9.26.

**Name of the Vulnerable Software and Affected Versions** WooCommerce Designer Pro versions through 1.9.26 **Description** The WooCommerce Designer Pro plugin for WordPress is affected by an arbitrary file deletion issue. Insufficient file path validation in the `wcdp save canvas design ajax` function allows unauthenticated attackers to delete files in arbitrary directories on the server. This could lead to remote code execution, data loss, or site unavailability. **Recommendations** Versions prior to and including 1.9.26 should be updated when a fix is available. As a temporary workaround, consider restricting access to the `wcdp save canvas design ajax` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Spirit Framework plugin for WordPress versions through 1.2.14 **Description** The Spirit Framework plugin for WordPress is susceptible to an authentication bypass. This occurs because the `custom actions()` function does not adequately validate user identity before granting access. This allows unauthenticated attackers to log in as any user, including administrators, if they know the user's username. Reports indicate this issue is being actively exploited. **Recommendations** Versions prior to 1.2.15 are affected. Update to version 1.2.15 or later. As a temporary measure, disable the Spirit Framework plugin until a patch can be applied.

**Name of the Vulnerable Software and Affected Versions** AdForest WordPress Theme versions prior to 6.1.0 **Description** The AdForest theme for WordPress is susceptible to an authentication bypass, allowing unauthorized user access. The theme does not properly verify a user’s identity before authentication, potentially enabling attackers to log in as other users, including administrators, without a password. **Recommendations** Update AdForest to version 6.1.0 or later. Disable the AdForest theme. Restrict access to administrative accounts. Monitor for suspicious login attempts.

Name of the Vulnerable Software and Affected Versions: Event List plugin for WordPress versions up to and including 2.0.4 Description: The Event List plugin for WordPress is susceptible to privilege escalation. This occurs because the plugin does not adequately validate a user’s capabilities before updating their profile within the `el update profile()` function. Authenticated attackers with Subscriber-level access or higher can potentially modify their capabilities to those of an administrator. Recommendations: Event List plugin for WordPress version 2.0.4 and earlier: Update to a version later than 2.0.4.

**Name of the Vulnerable Software and Affected Versions** Elementor Website Builder – More Than Just a Page Builder plugin for WordPress versions prior to 3.29.1 **Description** The Elementor Website Builder plugin for WordPress is susceptible to Stored Cross-Site Scripting via the `elementor-element` shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. This issue only affects sites with 'Element Caching' enabled. **Recommendations** Update Elementor Website Builder – More Than Just a Page Builder plugin for WordPress to version 3.29.1 or later.

**Name of the Vulnerable Software and Affected Versions:** Nokri - Job Board WordPress Theme versions prior to 1.6.4 **Description:** The Nokri - Job Board WordPress Theme is susceptible to privilege escalation, potentially leading to account takeover. The issue stems from insufficient validation of a user’s identity before allowing updates to user details, such as the email address. Authenticated attackers with Subscriber-level access or higher can modify the email addresses of arbitrary users, including administrators, and subsequently reset their passwords to gain unauthorized access to accounts. **Recommendations:** Update Nokri - Job Board WordPress Theme to version 1.6.4 or later.

Name of the Vulnerable Software and Affected Versions: BeeTeam368 Extensions Pro plugin for WordPress versions up to, and including, 2.3.4 Description: The issue allows authenticated attackers with Subscriber-level access and above to perform actions on files outside of the originally intended directory via the `handle live fn()` function. This can be used to delete the `wp-config.php` file, potentially leading to a site takeover. Recommendations: For versions up to, and including, 2.3.4, consider disabling the `handle live fn()` function until a patch is available to prevent exploitation. Restrict access to sensitive files, such as `wp-config.php`, to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: BeeTeam368 Extensions plugin for WordPress versions up to, and including, 2.3.4 Description: The issue allows authenticated attackers with Subscriber-level access and above to perform actions on files outside of the originally intended directory via the `handle remove temp file()` function. This can be used to delete the `wp-config.php` file, potentially leading to a site takeover. Recommendations: For versions up to, and including, 2.3.4, consider disabling the `handle remove temp file()` function until a patch is available to prevent unauthorized file actions. Restrict access to sensitive files like `wp-config.php` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Elementor Website Builder Pro plugin for WordPress versions up to, and including, 3.29.0 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The `button text` parameter is specifically vulnerable to this type of attack. **Recommendations** For Elementor Website Builder Pro plugin for WordPress versions up to, and including, 3.29.0, update to a version higher than 3.29.0 to resolve the issue. As a temporary workaround, consider restricting access to the `button text` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Edumall theme for WordPress versions up to, and including, 4.2.4 **Description** The issue allows unauthenticated attackers to include and execute arbitrary PHP files on the server via the `template` parameter of the 'edumall lazy load template' AJAX action. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included. **Recommendations** For Edumall theme for WordPress versions up to, and including, 4.2.4, consider disabling the 'edumall lazy load template' AJAX action until a patch is available. Restrict access to the `template` parameter to minimize the risk of exploitation. Avoid using the `template` parameter in the affected AJAX action until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Mayosis Core plugin for WordPress versions up to, and including, 5.4.1 **Description** The issue allows unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information, via the library/wave-audio/peaks/remote dl.php file. This is made possible by an Arbitrary File Read vulnerability in the Mayosis Core plugin for WordPress. **Recommendations** For Mayosis Core plugin for WordPress versions up to, and including, 5.4.1, consider disabling access to the library/wave-audio/peaks/remote dl.php file until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Vikinger theme for WordPress versions up to, and including, 1.9.30 **Description** The issue is due to insufficient user meta restrictions in the `vikinger user meta update ajax` function, allowing authenticated attackers with Subscriber-level access and above to escalate their privileges to Administrator-level. **Recommendations** For versions up to, and including, 1.9.30, consider disabling the `vikinger user meta update ajax` function as a temporary workaround until a patch is available. Restrict access to the vulnerable function to minimize the risk of exploitation. Avoid using the vulnerable function in the affected WordPress theme until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BM Content Builder plugin for WordPress versions up to, and including, 3.16.2.1 **Description** The BM Content Builder plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the `ux cb tools import item ajax` AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. **Recommendations** For BM Content Builder plugin for WordPress versions up to, and including, 3.16.2.1, update to a version that includes a fix for this issue. As a temporary workaround, consider disabling the `ux cb tools import item ajax` AJAX action until a patch is available. Restrict access to the plugin's functionality to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Configurator Theme Core plugin for WordPress versions up to, and including, 1.4.7 **Description** The issue is due to the plugin not properly validating user meta fields prior to updating them in the database. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change and escalate their privileges to Administrator. **Recommendations** For versions up to, and including, 1.4.7, update to a version that properly validates user meta fields to prevent privilege escalation. As a temporary workaround, consider restricting access to user meta fields until a patch is available.

**Name of the Vulnerable Software and Affected Versions** WP RealEstate plugin versions up to, and including, 1.6.26 **Description** The issue is related to insufficient role restrictions in the `process register` function, allowing unauthenticated attackers to register an account with the Administrator role, effectively bypassing authentication and gaining admin access. **Recommendations** For versions up to, and including, 1.6.26, update to a version later than 1.6.26 to resolve the issue. As a temporary workaround, consider disabling the `process register` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** BoomBox Theme Extensions plugin for WordPress versions up to, and including, 1.8.0 **Description** The BoomBox Theme Extensions plugin for WordPress is vulnerable to privilege escalation via account takeover. This is due to the plugin not properly validating a user's identity prior to updating their password through the `boombox ajax reset password` function. This makes it possible for authenticated attackers, with subscriber-level privileges and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. **Recommendations** For versions up to, and including, 1.8.0, update to a version higher than 1.8.0 to fix the vulnerability. As a temporary workaround, consider disabling the `boombox ajax reset password` function until a patch is available. Restrict access to the password update process to minimize the risk of exploitation. Avoid using the password update feature in the affected plugin until the issue is resolved.