Und3Sc0N0C1D0

**Name of the Vulnerable Software and Affected Versions** Videos sync PDF version 1.7.4 **Description** An authenticated attacker can inject malicious scripts through the plugin options panel. This occurs due to unsanitized input in the `nom`, `pdf`, `mp4`, `webm`, and `ogg` parameters. By using payloads such as autofocus onfocus event handlers, an attacker can execute arbitrary JavaScript when administrators view or edit video settings. This is a stored cross-site scripting issue, where the malicious script is permanently stored on the server and executed in the browser of the victim. **Recommendations** As a temporary workaround, restrict access to the plugin options panel or avoid modifying the `nom`, `pdf`, `mp4`, `webm`, and `ogg` parameters until a fix is applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WordPress 3dady real-time web stats plugin version 1.0 **Description** A stored cross-site scripting issue allows authenticated attackers to inject malicious JavaScript by exploiting unsanitized input fields. Attackers can insert JavaScript payloads into the `dady input text` or `dady2 input text` fields within the plugin options panel to execute arbitrary code when the page is viewed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Acronis Cyber Protect 16 versions before build 37391 **Description** A self cross-site scripting (XSS) vulnerability exists in the storage nodes search field. This issue allows for the execution of malicious scripts within the context of the affected application. **Recommendations** For Acronis Cyber Protect 16 versions before build 37391, update to build 37391 or later to resolve the issue. As a temporary workaround, consider restricting access to the storage nodes search field until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Acronis Cyber Protect 16 versions prior to build 37391 **Description** A stored cross-site scripting (XSS) vulnerability exists in the unit name, allowing for potential exploitation. The estimated number of potentially affected devices worldwide is not specified. There is no information provided about real-world incidents where this issue was exploited. **Recommendations** For Acronis Cyber Protect 16 versions prior to build 37391, update to a version after build 37391 to resolve the issue. As a temporary workaround, consider restricting access to the unit name field to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Acronis Cyber Protect 15 versions before build 35979 **Description** The issue is related to a stored cross-site scripting (XSS) vulnerability in the protection plan name, which can be exploited by a remote attacker to perform cross-site scripting attacks. This vulnerability is associated with the failure to take measures to protect the structure of web pages. **Recommendations** For Acronis Cyber Protect 15 versions before build 35979, update to a version after build 35979 to resolve the issue. As a temporary workaround, consider restricting access to the protection plan name feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** SolarWinds Platform (affected versions not specified) **Description** The issue allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject passive HTML, due to incorrect input neutralization. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Call Now Accessibility Button WordPress plugin versions prior to 1.1 **Description** The issue allows high-privilege users to perform Stored Cross-Site Scripting (XSS) attacks due to improper sanitization of some settings. This can occur even when the unfiltered html capability is disallowed, such as in a multisite setup. **Recommendations** For versions prior to 1.1, update to version 1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Aajoda Testimonials WordPress plugin versions prior to 2.2.2 **Description** The issue is related to the lack of sanitization and escaping of some settings in the Aajoda Testimonials WordPress plugin, which could allow high-privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This is possible even when the unfiltered html capability is disallowed, for example, in a multisite setup. The vulnerability may allow a remote attacker to conduct cross-site scripting attacks. **Recommendations** For versions prior to 2.2.2, update to version 2.2.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SolarWinds Platform (affected versions not specified) **Description** The issue allows a remote adversary with a valid SolarWinds Platform account to inject HTML by appending URL parameters. This is due to the Incorrect Input Neutralization Vulnerability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Chat Bubble WordPress plugin versions prior to 2.3 **Description** The issue allows unauthenticated attackers to set Stored Cross-Site Scripting payloads in some contact parameters, which will trigger when an admin views the related contact message. This is due to the plugin not sanitising and escaping these parameters. **Recommendations** For versions prior to 2.3, update to version 2.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the contact message viewing functionality for admins until the update is applied.

**Name of the Vulnerable Software and Affected Versions** related-posts-for-wp versions prior to 2.1.3 **Description** The issue is related to Cross-site Scripting (XSS) - Stored, which affects the GitHub repository barrykooij/related-posts-for-wp. **Recommendations** For versions prior to 2.1.3, update to version 2.1.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Multi-Scheduler plugin version 1.0.0 **Description** The issue concerns a Cross-Site Request Forgery (CSRF) vulnerability in the forms presented by the plugin, which can lead to the deletion of records, such as users, when a specific ID is known. **Recommendations** For version 1.0.0, consider disabling the forms presented by the Multi-Scheduler plugin until a patch is available to prevent potential exploitation of the CSRF vulnerability.