Varakorn Chanthasri

**Name of the Vulnerable Software and Affected Versions** WP Customer Reviews versions prior to 3.7.6 **Description** The WP Customer Reviews plugin for WordPress is susceptible to Reflected Cross-Site Scripting. This is due to inadequate input sanitization and output escaping of the `wpcr3 fname` parameter. An unauthenticated attacker can inject arbitrary web scripts into pages, which will execute if a user is tricked into performing an action, such as clicking a malicious link. **Recommendations** Update WP Customer Reviews to version 3.7.6 or later.

**Name of the Vulnerable Software and Affected Versions** All In One Image Viewer Block plugin for WordPress versions up to and including 1.0.2 **Description** The All In One Image Viewer Block plugin for WordPress is susceptible to Server-Side Request Forgery due to missing authorization and URL validation. This allows unauthenticated attackers to make web requests to arbitrary locations originating from the web application. Attackers could potentially query and modify information from internal services via the `image-proxy` API endpoint. **Recommendations** Update the All In One Image Viewer Block plugin to a version later than 1.0.2.

**Name of the Vulnerable Software and Affected Versions** TableMaster for Elementor versions up to and including 1.3.6 **Description** The TableMaster for Elementor plugin for WordPress is susceptible to Server-Side Request Forgery. This occurs because the plugin does not limit the URLs that can be accessed when importing CSV data from a URL using the Data Table widget. Authenticated attackers with Author-level access or higher can make web requests to arbitrary locations, including localhost and internal network services. Sensitive files, such as `wp-config.php`, can be read through the `csv url` parameter. **Recommendations** Update TableMaster for Elementor to a version later than 1.3.6.

**Name of the Vulnerable Software and Affected Versions** SearchWiz versions prior to 1.0.1 **Description** The SearchWiz plugin for WordPress is susceptible to Stored Cross-Site Scripting through post titles displayed in search results. The issue arises because the plugin utilizes `esc attr()` instead of `esc html()` when displaying post titles, allowing authenticated attackers with contributor-level access or higher to inject malicious web scripts into post titles. These scripts execute when a user performs a search and views the resulting page. The vulnerable component is the handling of post titles in search results. **Recommendations** Update SearchWiz to version 1.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** Image Photo Gallery Final Tiles Grid versions prior to 3.6.9 **Description** The Image Photo Gallery Final Tiles Grid plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is due to inadequate input sanitization and output escaping in the 'Custom scripts' setting. Authenticated attackers with Author-level access or higher can inject arbitrary web scripts into pages. These scripts will execute when a user accesses the affected page. **Recommendations** Update Image Photo Gallery Final Tiles Grid to version 3.6.9 or later.

**Name of the Vulnerable Software and Affected Versions** Image Gallery – Photo Grid & Video Gallery plugin for WordPress versions up to and including 2.13.3 **Description** The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is susceptible to unauthorized data modification. A missing capability check within the `add images to gallery callback()` function allows authenticated attackers with Author-level access or higher to add images to Modula galleries belonging to other users. **Recommendations** Update to version 2.13.4 or later. As a temporary workaround, restrict access to the `add images to gallery callback()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Eyewear prescription form plugin for WordPress versions through 6.0.1 **Description** The Eyewear prescription form plugin for WordPress is susceptible to unauthorized access. This is caused by a lack of authorization checks on the SubmitCatProductRequest AJAX action. An attacker who is not authenticated can create arbitrary WooCommerce products, defining their names, prices, and category assignments through the 'Name', 'Price', and 'Parent' parameters. The affected API endpoint is SubmitCatProductRequest. The vulnerable parameters are `Name`, `Price`, and `Parent`. **Recommendations** Update the Eyewear prescription form plugin to a version later than 6.0.1.

**Name of the Vulnerable Software and Affected Versions** WPNakama plugin for WordPress versions up to and including 0.6.3 **Description** The WPNakama plugin for WordPress is susceptible to time-based SQL Injection through the `order by` parameter. Insufficient escaping of user-supplied input and inadequate preparation of existing SQL queries allow unauthenticated attackers to inject additional SQL queries, potentially extracting sensitive information from the database. The vulnerable parameter is `order by`. **Recommendations** Update the WPNakama plugin to a version newer than 0.6.3.

**Name of the Vulnerable Software and Affected Versions** WPMasterToolKit plugin for WordPress versions prior to 2.13.1 **Description** The WPMasterToolKit plugin for WordPress allows authenticated attackers with Contributor-level access or above to execute arbitrary PHP code on the server. This is possible because the plugin permits Author-level users to create and execute PHP code through the Code Snippets feature without sufficient capability checks. Successful exploitation can lead to remote code execution, privilege escalation, and complete site compromise. **Recommendations** Update the WPMasterToolKit plugin to version 2.13.1 or later.

**Name of the Vulnerable Software and Affected Versions** IDonate – Blood Donation, Request And Donor Management System plugin for WordPress versions up to and including 2.1.15 **Description** The IDonate plugin for WordPress is susceptible to unauthorized data modification. A missing capability check within the `pending blood request action()` function allows unauthenticated attackers to delete arbitrary posts. **Recommendations** Update the IDonate – Blood Donation, Request And Donor Management System plugin to a version later than 2.1.15.