Truoc Phan

**Name of the Vulnerable Software and Affected Versions** tagDiv Composer plugin for WordPress versions up to, and including, 5.3 **Description** The issue is related to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The `data` parameter is specifically vulnerable to this type of attack. **Recommendations** For versions up to, and including, 5.3, consider disabling the `data` parameter in the affected API endpoint until a patch is available. Restrict access to the tagDiv Composer plugin to minimize the risk of exploitation. Avoid using the `data` parameter in pages that execute user-supplied input until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** tagDiv Opt-In Builder plugin for WordPress versions up to, and including, 1.7 **Description** The issue is related to time-based SQL Injection via the `subscriptionCouponId` parameter due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. **Recommendations** For versions up to, and including, 1.7, consider disabling the `subscriptionCouponId` parameter until a patch is available to prevent exploitation. Restrict access to the SQL queries to minimize the risk of sensitive information extraction. Avoid using the `subscriptionCouponId` parameter in existing queries until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** tagDiv Composer plugin for WordPress versions prior to 5.3 **Description** The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation within the `td ajax get views` AJAX action. This allows unauthenticated attackers to inject malicious web scripts via a forged request if they can trick a site administrator into performing a specific action, such as clicking on a link. **Recommendations** For versions prior to 5.3, update to version 5.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the `td ajax get views` AJAX action to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** tagDiv Composer plugin for WordPress versions up to, and including, 5.3 **Description** The issue is related to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The `account id` and `account username` parameters are vulnerable to this issue. **Recommendations** For versions up to, and including, 5.3, consider disabling the `account id` and `account username` parameters in the affected plugin until a patch is available. Restrict access to the plugin's functionality to minimize the risk of exploitation. Avoid using the parameters `account id` and `account username` in the affected plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** LadiApp versions n/a through 4.4 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as 'Cross-site Scripting'. This allows for Stored XSS. **Recommendations** For versions n/a through 4.4, update to a version that contains a fix for this issue, as the current version is affected by the Stored XSS vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP Hotel Booking plugin for WordPress versions up to, and including, 2.1.2 **Description** The WP Hotel Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the `update review()` function. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. **Recommendations** For WP Hotel Booking plugin for WordPress versions up to, and including, 2.1.2: Update the plugin to a version that includes the fix for this issue. As a temporary workaround, consider disabling the `update review()` function until a patch is available. Restrict access to the plugin's file upload functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** tagDiv Composer plugin for WordPress versions up to, and including, 5.0 **Description** The issue arises from insufficient input sanitization and output escaping within the `on ajax check envato code` function, allowing unauthenticated attackers to inject arbitrary web scripts in pages via the `envato code[]` parameter. This can be exploited if an attacker tricks a user into performing a specific action, such as clicking on a link. **Recommendations** For versions up to, and including, 5.0, consider disabling the `on ajax check envato code` function until a patch is available. Restrict access to the `envato code[]` parameter in the affected API endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** tagDiv Composer plugin for WordPress versions up to, and including, 5.0 **Description** The issue is related to Reflected Cross-Site Scripting via the `envato code[]` parameter due to insufficient input sanitization and output escaping within the `on ajax register forum user` function. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. **Recommendations** For versions up to, and including, 5.0, consider disabling the `on ajax register forum user` function until a patch is available. Restrict access to the `envato code[]` parameter to minimize the risk of exploitation. Avoid using the `envato code[]` parameter in affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** tagDiv Opt-In Builder plugin versions up to, and including, 1.4.4 **Description** The issue concerns a Blind SQL Injection vulnerability via the `couponId` parameter of the "recreate stripe subscription" REST API endpoint. This vulnerability is due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query, allowing authenticated attackers with administrator-level privileges to append additional SQL queries into already existing queries. This can be used to extract sensitive information from the database. **Recommendations** For versions up to, and including, 1.4.4, consider disabling the `recreate stripe subscription` REST API endpoint or restricting access to the `couponId` parameter until a patch is available. Additionally, restrict administrator-level privileges to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** tagDiv Opt-In Builder plugin versions up to, and including, 1.4.4 **Description** The issue is related to Blind SQL Injection via the `subscriptionCouponId` parameter through the "create stripe subscription" REST API endpoint. This occurs due to insufficient escaping on user-supplied parameters and lack of sufficient preparation on existing SQL queries. Authenticated attackers with administrator-level privileges can append additional SQL queries to extract sensitive information from the database. **Recommendations** For versions up to, and including, 1.4.4, update to a version that includes a fix for this issue to prevent Blind SQL Injection attacks. As a temporary workaround, consider restricting access to the "create stripe subscription" REST API endpoint and limiting the use of the `subscriptionCouponId` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress versions up to, and including, 4.15.2 **Description** The issue is due to the use of loose comparison in the `verify id token` function, making it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to an @flutter.io email address or phone number. This also requires Firebase to be configured on the website and the user to have set up Firebase for their account. **Recommendations** For versions up to, and including, 4.15.2, consider disabling the `verify id token` function until a patch is available to prevent authentication bypass. Restrict access to the plugin's functionality that relies on Firebase configuration to minimize the risk of exploitation. Avoid using email addresses or phone numbers associated with @flutter.io in user accounts until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WooCommerce - Social Login plugin for WordPress versions up to 2.7.5 **Description** The issue is due to the use of loose comparison of the activation code in the `woo slg confirm email user` function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the `userID`. The email module must be enabled for this issue to occur. **Recommendations** For WooCommerce - Social Login plugin for WordPress versions up to 2.7.5, consider disabling the `woo slg confirm email user` function until a patch is available to prevent authentication bypass. Additionally, restrict access to the email module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress versions up to, and including, 4.14.7 **Description** The issue is due to insufficient verification on the `phone` parameter of the `firebase sms login` and `firebase sms login v2` functions. This allows unauthenticated attackers to log in as any existing user, such as an administrator, if they have access to the email address or phone number. Additionally, if a new email address is supplied, a new user account is created with the default role, even if registration is disabled. **Recommendations** For versions up to, and including, 4.14.7, update to a version later than 4.14.7 to resolve the issue. As a temporary workaround, consider disabling the `firebase sms login` and `firebase sms login v2` functions until a patch is available. Restrict access to the `phone` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress versions up to, and including, 0.1.0.44 **Description** The issue is due to insufficient verification of the `API key`, allowing unauthenticated attackers to log in as any existing user, such as an administrator, if they have access to the `username`. This enables them to perform various administrative tasks. The vulnerability was partially fixed in version 0.1.0.44 but remained exploitable via Cross-Site Request Forgery. **Recommendations** For versions up to, and including, 0.1.0.44, consider disabling the API key verification temporarily until a complete fix is available. Restrict access to administrative tasks to minimize the risk of exploitation. Avoid using the `API key` for authentication until the issue is fully resolved. As a temporary workaround, monitor for Cross-Site Request Forgery attempts and implement additional security measures to prevent such attacks.

**Name of the Vulnerable Software and Affected Versions** The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress versions up to, and including, 5.8.9 **Description** The issue is due to a lack of validation on user-supplied data in the 'pm upload image' AJAX action, allowing authenticated attackers with Subscriber-level access and above to update their user capabilities to Administrator. **Recommendations** For versions up to, and including, 5.8.9, update to a version higher than 5.8.9 to resolve the issue. As a temporary workaround, consider disabling the 'pm upload image' AJAX action until a patch is available. Restrict access to the AJAX endpoint to minimize the risk of exploitation. Avoid using the 'pm upload image' action in the affected plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Smush plugin for WordPress (affected versions not specified) **Description** The issue is related to a missing capability check on the `delete resmush list()` function, allowing authenticated attackers with minimal permissions, such as a subscriber, to delete the resmush list for Nextgen or the Media Library. This enables unauthorized deletion of the resmush list. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress versions up to, and including, 0.1.0.38 **Description** The issue is related to missing authorization checks on the REST API calls, allowing unauthenticated attackers to connect the site to InstaWP API, edit arbitrary site options, and create administrator accounts. **Recommendations** For versions up to, and including, 0.1.0.38, update to a version that includes the necessary authorization checks for REST API calls to prevent arbitrary option updates. As a temporary workaround, consider restricting access to the REST API endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** tagDiv Composer plugin for WordPress versions up to, and including, 4.8 **Description** The issue is related to Stored Cross-Site Scripting via the plugin's button shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerable code is specifically tied to the tagDiv Newspaper theme and may not be present if another theme is installed. **Recommendations** For versions up to, and including, 4.8, update to a version that addresses the insufficient input sanitization and output escaping issue. As a temporary workaround, consider restricting access to the button shortcode feature until a patch is available. Restrict contributor-level access and above to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** tagDiv Composer versions prior to 4.4 **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability that allows Cross-Site Scripting (XSS) in tagDiv Composer. **Recommendations** For versions prior to 4.4, update to version 4.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** InspireUI MStore API versions 4.0.6 and earlier **Description** The issue is related to an SQL Injection vulnerability due to improper neutralization of special elements used in an SQL command. This allows for SQL Injection attacks. **Recommendations** For versions 4.0.6 and earlier, update to a version later than 4.0.6 to resolve the issue. As a temporary workaround, consider restricting access to sensitive database operations to minimize the risk of exploitation.