Vijay

**Name of the Vulnerable Software and Affected Versions** WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More versions prior to 1.10.0.2 **Description** The plugin is subject to insufficient verification of data authenticity. The PayPal Commerce webhook endpoint processes unauthenticated JSON webhook payloads without verifying the HMAC-SHA256 webhook signature, which is required to ensure the request originated from PayPal. The system only checks if the `event type` is whitelisted before sending attacker-controlled resource data to handlers that update payment records. This allows unauthenticated attackers with a valid `subscription id` to forge PayPal webhook events and modify subscription payment records, such as changing the `subscription status` to active to reactivate a cancelled or suspended subscription. **Recommendations** Update to a version later than 1.10.0.1.

**Name of the Vulnerable Software and Affected Versions** Click to Chat – WA Widget versions prior to 4.39 **Description** The plugin is subject to Stored Cross-Site Scripting. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages. This occurs because the `CCW Shortcode::shortcode()` function insufficiently escapes the `num` parameter within the `[chat]` shortcode. While `esc attr()` is applied, the resulting HTML entities are decoded by browsers when placed inside HTML event-handler attributes, such as the `onclick` attribute in style template files (e.g., 'sc-style-1.php'). This allows a payload to break out of the JavaScript `window.open()` string literal and execute arbitrary code when a user clicks the WhatsApp chat button. **Recommendations** Update the plugin to a version later than 4.38. As a temporary workaround, avoid using the `num` parameter in the `[chat]` shortcode until the update is applied.

**Name of the Vulnerable Software and Affected Versions** WP Scraper plugin for WordPress versions prior to 5.8.2 **Description** The WP Scraper plugin for WordPress is susceptible to Server-Side Request Forgery (SSRF) in versions up to and including 5.8.1. This flaw resides within the `wp scraper extract content` function and permits authenticated attackers possessing Administrator-level privileges or higher to initiate web requests to arbitrary locations from the web application. This capability can be leveraged to query and modify information from internal services. In Cloud environments, this issue enables the retrieval of metadata. **Recommendations** Update the WP Scraper plugin to version 5.8.2 or later.

**Name of the Vulnerable Software and Affected Versions** MinimogWP – The High Converting eCommerce WordPress Theme versions prior to 3.9.1 **Description** The MinimogWP – The High Converting eCommerce WordPress Theme for WordPress is susceptible to price manipulation due to an insufficient check on quantity values when modifying quantities in the cart. This allows unauthenticated attackers to add items to the cart and adjust the quantity to a fractional amount, leading to price changes based on the fractional amount. The issue is mitigated when WooCommerce version 9.8.2 or later is installed. **Recommendations** Update MinimogWP – The High Converting eCommerce WordPress Theme to version 3.9.1 or later. Install WooCommerce version 9.8.2 or later.