Ulyses Saicha

**Name of the Vulnerable Software and Affected Versions** King Addons for Elementor versions through 51.1.49 **Description** The King Addons for Elementor plugin for WordPress is susceptible to unauthenticated disclosure of API keys. The plugin adds API keys to the HTML source code through the `render full form` function, potentially allowing unauthenticated attackers to extract Mailchimp, Facebook, and Google API keys and secrets. This requires a Premium license to be installed. Reports indicate offensive activities targeting this issue. **Recommendations** Versions prior to and including 51.1.49 should be updated.

**Name of the Vulnerable Software and Affected Versions** Two Factor (2FA) Authentication via Email plugin for WordPress versions up to and including 1.9.8 **Description** The Two Factor (2FA) Authentication via Email plugin for WordPress is susceptible to a bypass of the two-factor authentication mechanism. The `SS88 2FAVE::wp login()` function only enforces 2FA if the `token` HTTP GET parameter is not defined. This allows an attacker to bypass 2FA by providing any value, including an empty one, in the `token` parameter during login. **Recommendations** Update the Two Factor (2FA) Authentication via Email plugin for WordPress to a version later than 1.9.8.

Name of the Vulnerable Software and Affected Versions: The Conversios – Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce plugin for WordPress versions up to, and including, 7.0.12 Description: The issue is related to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages by tricking a user into performing an action, such as clicking on a link, using the `tiktok user id` parameter. Recommendations: For versions up to, and including, 7.0.12, update to a version that addresses the insufficient input sanitization and output escaping issue to prevent Reflected Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the `tiktok user id` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WPC Smart Quick View for WooCommerce plugin for WordPress versions up to, and including, 4.0.2 **Description** The issue is related to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue only affects multi-site installations and installations where unfiltered html has been disabled. **Recommendations** For versions up to, and including, 4.0.2, update to a version that includes the necessary input sanitization and output escaping fixes to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting administrator-level permissions and ensuring that unfiltered html is enabled to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ElementsKit Elementor addons plugin for WordPress versions up to, and including, 3.0.3 **Description** The issue is related to Stored Cross-Site Scripting via the progress bar element attributes due to insufficient input sanitization and output escaping. This allows authenticated attackers with editor-level access to inject arbitrary web scripts in pages, which will execute when a user accesses an injected page. The issue primarily affects multi-site installations and installations where unfiltered html has been disabled. **Recommendations** For versions up to, and including, 3.0.3, update to a version later than 3.0.3 to resolve the issue. As a temporary workaround, consider restricting access to the progress bar element attributes to minimize the risk of exploitation. Additionally, restricting editor-level access and enabling unfiltered html can help mitigate the risk.

**Name of the Vulnerable Software and Affected Versions** WP 2FA – Two-factor authentication for WordPress plugin versions up to, and including, 2.5.0 **Description** The issue is due to missing or incorrect nonce validation on the `send backup codes email` function, making it possible for unauthenticated attackers to send emails with arbitrary content to registered users via a forged request. This can be achieved by tricking a site administrator or other registered user into performing an action, such as clicking on a link. The nonce check is only executed if a nonce is set, and by omitting a nonce from the request, the check can be bypassed. **Recommendations** For versions up to, and including, 2.5.0, update to a version that includes the fix for the missing or incorrect nonce validation on the `send backup codes email` function. As a temporary workaround, consider restricting access to the `send backup codes email` function until a patch is available. Additionally, be cautious when clicking on links from unknown sources to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WP 2FA – Two-factor authentication for WordPress plugin versions up to, and including, 2.5.0 **Description** The issue is related to Insecure Direct Object Reference. It affects the `send backup codes email` function due to missing validation on a user-controlled key. This allows subscriber-level attackers to email arbitrary users on the site. **Recommendations** For versions up to, and including, 2.5.0, consider disabling the `send backup codes email` function until a patch is available to prevent exploitation. Restrict access to this function to minimize the risk of attackers emailing arbitrary users on the site.

**Name of the Vulnerable Software and Affected Versions** My Sticky Bar plugin for WordPress versions up to, and including, 2.6.6 **Description** The issue is due to missing or incorrect nonce validation in mystickymenu-contact-leads.php, making it possible for unauthenticated attackers to trigger the export of a CSV file containing contact leads via a forged request. This can happen if an attacker can trick a site administrator into performing an action such as clicking on a link. The CSV file is exported to a public location and can be downloaded during a short window of time before it is automatically deleted by the export function. **Recommendations** For versions up to, and including, 2.6.6, update to a version that includes the fix for the missing or incorrect nonce validation issue. As a temporary workaround, consider restricting access to the mystickymenu-contact-leads.php file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress versions up to, and including, 2.8.7 **Description** The issue is related to a type juggling problem on the `connect-app` REST endpoint, allowing unauthenticated attackers to reset the API key and view logs, including password reset emails, which can lead to site takeover. The vulnerability is associated with weaknesses in the authorization procedure, enabling remote attackers to gain unauthorized access to protected information. With over 300,000 active installations, this vulnerability poses a significant risk. **Recommendations** For versions up to, and including, 2.8.7, update to a version higher than 2.8.7 to resolve the issue. As a temporary workaround, consider restricting access to the `connect-app` REST endpoint until a patch is available. Additionally, restrict access to the API key used to authenticate to the mailer to minimize the risk of exploitation. Avoid using the API key in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** The Essential Addons For Elementor plugin for WordPress versions up to, and including, 5.8.1 **Description** The issue allows unauthenticated attackers to obtain a site's MailChimp API key due to the plugin adding the API key to the source code of any page running the MailChimp block. This affects sites running the premium version of the plugin with the Mailchimp block enabled on a page. **Recommendations** For versions up to, and including, 5.8.1, reset any MailChimp API keys if the MailChimp block is enabled as the API key may have been compromised.

**Name of the Vulnerable Software and Affected Versions** The Royal Elementor Addons plugin for WordPress versions up to, and including, 1.3.70 **Description** The issue allows unauthenticated attackers to obtain a site's MailChimp API key due to the plugin adding the API key to the source code of any page running the MailChimp block. This makes it possible for attackers to compromise the API key. **Recommendations** For versions up to, and including, 1.3.70, reset any MailChimp API keys if the MailChimp block is enabled, as the API key may have been compromised. Consider disabling the MailChimp block until a patch is available to prevent further exploitation.