Veshraj Ghimire

**Name of the Vulnerable Software and Affected Versions** Booknetic WordPress plugin versions prior to 4.1.5 **Description** The issue concerns a lack of CSRF check when creating Staff accounts, which could allow attackers to make logged-in admins add arbitrary Staff members via a CSRF attack. This could potentially be exploited by attackers to add unauthorized staff members. **Recommendations** For versions prior to 4.1.5, update to version 4.1.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the Staff account creation feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 8.1.x through 8.1.11 Mattermost versions 9.5.x through 9.5.2 Mattermost versions 9.6.x through 9.6.0 **Description** The issue arises from the failure to limit the size of a request path that includes user inputs, allowing an attacker to cause excessive resource consumption, possibly leading to a denial of service (DoS) via sending large request paths. This affects the Mattermost server, specifically the request path handling. **Recommendations** For versions 8.1.x through 8.1.11, update to a version later than 8.1.11 to resolve the issue. For versions 9.5.x through 9.5.2, update to a version later than 9.5.2 to resolve the issue. For versions 9.6.x through 9.6.0, update to a version later than 9.6.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Dokan WordPress plugin versions prior to 3.6.4 **Description** The issue allows vendors to inject arbitrary javascript in product reviews, potentially leading to stored XSS attacks against other users, including site administrators. **Recommendations** For versions prior to 3.6.4, update to version 3.6.4 or later to resolve the issue. As a temporary workaround, consider disabling the product review feature until a patch is available. Restrict access to product reviews to minimize the risk of exploitation. Avoid allowing vendors to inject arbitrary javascript in product reviews until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions prior to 9.2.3 **Description** The issue is related to Cross Site Request Forgery (CSRF) at the "/ccm/system/dialogs/file/delete/1/submit" API endpoint. This allows for unauthorized actions to be performed. **Recommendations** For versions prior to 9.2.3, update to version 9.2.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/ccm/system/dialogs/file/delete/1/submit" API endpoint until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions prior to 8.5.14 Concrete CMS versions 9 prior to 9.2.3 **Description** The issue allows Cross Site Request Forgery (CSRF) via the "ccm/calendar/dialogs/event/delete/submit" API endpoint. An attacker can force an admin to delete events on the site because the event ID is numeric and sequential. **Recommendations** For Concrete CMS versions prior to 8.5.14, update to version 8.5.14 or later. For Concrete CMS versions 9 prior to 9.2.3, update to version 9.2.3 or later. As a temporary workaround, consider restricting access to the "ccm/calendar/dialogs/event/delete/submit" API endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions 9.0.0 through 9.2.2 **Description** The issue allows an attacker to force an admin user to delete server report logs on a web application to which they are currently authenticated via the API endpoint "/ccm/system/dialogs/logs/delete all/submit". This is a Cross Site Request Forgery (CSRF) issue. **Recommendations** For Concrete CMS versions 9.0.0 through 9.2.2, update to version 9.2.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/ccm/system/dialogs/logs/delete all/submit" API endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS (previously concrete5) versions 9.0 through 9.1.3 Concrete CMS (previously concrete5) versions prior to 9.2 **Description** The issue is related to Stored XSS on Saved Presets on search. This means that an attacker can store malicious scripts in the search presets, which can then be executed when other users access these presets. **Recommendations** For versions 9.0 through 9.1.3, update to version 9.2 or later to resolve the issue. For versions prior to 9.2, update to version 9.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the search presets feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS (previously concrete5) versions 8.5.12 and below Concrete CMS (previously concrete5) versions 9.0 through 9.1.3 **Description** The issue concerns stored XSS on API Integrations via the `name` parameter. This allows for potential exploitation through malicious input in the `name` parameter of API Integrations. **Recommendations** For Concrete CMS (previously concrete5) versions 8.5.12 and below, update to version 9.2 or later to resolve the issue. For Concrete CMS (previously concrete5) versions 9.0 through 9.1.3, update to version 9.2 or later to resolve the issue. As a temporary workaround, consider restricting input for the `name` parameter in API Integrations to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS (previously concrete5) versions 9.0 through 9.1.3 Concrete CMS (previously concrete5) versions prior to 9.2 **Description** The issue is related to Stored XSS on Tags on uploaded files. This allows for malicious code to be stored and executed when a user interacts with the affected tags. **Recommendations** For versions 9.0 through 9.1.3, update to version 9.2 or later to resolve the issue. For versions prior to 9.2, update to version 9.2 or later to resolve the issue. As a temporary workaround, consider restricting access to uploaded files and their associated tags until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Mattermost (affected versions not specified) **Description** The issue allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP Private Message WordPress plugin versions prior to 1.0.6 **Description** The issue allows any authenticated users to access private messages belonging to other users by tampering with the ID, as the plugin does not ensure that private messages to be accessed belong to the user making the requests. **Recommendations** For versions prior to 1.0.6, update to version 1.0.6 or later to resolve the issue. As a temporary workaround, consider restricting access to private messages until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Superio WordPress theme (affected versions not specified) **Description** The issue concerns the Superio WordPress theme, which does not properly sanitise and escape certain parameters. This could allow users with a role as low as a subscriber to perform Cross-Site Scripting attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Workreap WordPress theme versions prior to 2.6.4 **Description** The issue allows any user to delete any post by knowing or guessing the id, due to the lack of verification that an addon service belongs to the user issuing the request or that it is an addon service when processing the workreap addons service remove action. **Recommendations** For versions prior to 2.6.4, update to version 2.6.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the workreap addons service remove action to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Workreap WordPress theme versions prior to 2.6.3 **Description** The issue affects the notifications feature, allowing unauthorized access to any user's notification, whether employer or freelancer, due to the notification ID being brute-forceable. **Recommendations** For versions prior to 2.6.3, update to version 2.6.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the notifications feature until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Sensei LMS WordPress plugin versions prior to 4.5.2 **Description** The issue allows any authenticated user to send messages to arbitrary private conversations via an IDOR attack, as the plugin does not ensure that the sender of a private message is either the teacher or the original sender. However, attackers are not able to see responses or messages between the teacher and student. **Recommendations** For versions prior to 4.5.2, update to version 4.5.2 or later to resolve the issue. As a temporary workaround, consider restricting access to private conversations to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Sensei LMS WordPress plugin versions prior to 4.5.0 **Description** The issue allows unauthenticated users to access private messages sent to teachers due to improper permissions set in one of its REST endpoints. **Recommendations** For versions prior to 4.5.0, update to version 4.5.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable REST endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Discy WordPress theme versions prior to 5.0 **Description** The issue allows any logged-in users, with privileges as low as Subscriber, to change theme options by sending a crafted POST request to the "discy update options" action due to a lack of authorization checks. This can be exploited by sending a crafted POST request. **Recommendations** For versions prior to 5.0, update to version 5.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the "discy update options" action to prevent unauthorized changes to theme options.

**Name of the Vulnerable Software and Affected Versions** Ask me WordPress theme versions prior to 6.8.2 **Description** The issue arises from the improper sanitization and escaping of several fields in the Edit Profile page, leading to Reflected Cross-Site Scripting issues. **Recommendations** For versions prior to 6.8.2, update to version 6.8.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WPQA Builder WordPress plugin versions prior to 5.5 **Description** The issue concerns a lack of authentication in a REST API endpoint, allowing unauthenticated users to discover private questions sent between users on the site. This affects the WPQA Builder WordPress plugin, which is a companion to the Discy and Himer. **Recommendations** For WPQA Builder WordPress plugin versions prior to 5.5, update to version 5.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the REST API endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WPQA Builder WordPress plugin versions prior to 5.4 **Description** The issue is related to a Reflected Cross-Site Scripting attack. It occurs because a parameter on the reset password form is not properly sanitised and escaped, allowing for malicious actions. This affects the WPQA Builder WordPress plugin, which is used as a companion for the Discy and Himer. **Recommendations** For versions prior to 5.4, update to version 5.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the reset password form until a patch is applied. Avoid using the vulnerable parameter in the reset password form until the issue is resolved.