WordPress · WordPress Calendar · CVE-2025-14548
**Name of the Vulnerable Software and Affected Versions**
WordPress Calendar plugin versions prior to 1.3.17
**Description**
The Calendar plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is due to insufficient input sanitization and output escaping in the `event desc` parameter. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page, provided an administrator has enabled lower privilege users to manage calendar events through the plugin settings.
**Recommendations**
Update the Calendar plugin to version 1.3.17 or later.
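
The following is an added example, not part of the original advisory or the plugin's code: a heuristic audit that flags stored event descriptions containing markup that would execute if rendered without escaping. The `(id, description)` row format, the function and class names, and the sample rows are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Elements and URL-bearing attributes that can run or load script (heuristic list).
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math", "base", "form"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data"}
BAD_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


class ActiveContentFinder(HTMLParser):
    """Collects reasons a fragment would run script if echoed unescaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag/attribute names and decodes entities in values.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            # Browsers ignore whitespace and control characters inside a scheme.
            url = "".join(c for c in (value or "") if c > " ").lower()
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name}")
            elif name in URL_ATTRS and url.startswith(BAD_SCHEMES):
                self.findings.append(f"script URL in {name}")


def audit_events(rows):
    """Return {event_id: [findings]} for rows whose description has active content."""
    flagged = {}
    for event_id, description in rows:
        finder = ActiveContentFinder()
        finder.feed(description)
        finder.close()
        if finder.findings:
            flagged[event_id] = finder.findings
    return flagged


# Constructed sample rows (id, description); not data from any real site.
SAMPLE_ROWS = [
    (1, "Team meeting in <b>Room 4</b>, bring laptops."),
    (2, 'Agenda: <a href="https://example.org/agenda">link</a>'),
    (3, '<img src="x" onerror="/* constructed marker */">'),
    (4, '<a href="java&#115;cript:void(0)">details</a>'),
    (5, "Lunch <script>/* constructed marker */</script> provided"),
]

if __name__ == "__main__":
    print(audit_events(SAMPLE_ROWS))
```

Flagged rows are candidates for manual review, and a clean result does not prove a description is safe, since the tag and attribute lists are not exhaustive.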