Villu Orav

**Name of the Vulnerable Software and Affected Versions** W3 Total Cache plugin for WordPress versions up to, and including, 2.8.1 **Description** The W3 Total Cache plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `is w3tc admin page` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain the plugin's nonce value and perform unauthorized actions, resulting in information disclosure, service plan limits consumption, as well as making web requests to arbitrary locations originating from the web application that can be used to query information from internal services, including instance metadata on cloud-based applications. It is estimated that over 1 million WordPress sites are exposed to attacks, risking unauthorized access to sensitive information. **Recommendations** For W3 Total Cache plugin for WordPress versions up to, and including, 2.8.1: Update to the latest version of the plugin to protect your website from unauthorized data access and potential performance degradation. As a temporary workaround, consider disabling the `is w3tc admin page` function until a patch is available. Restrict access to the plugin's nonce value to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** W3 Total Cache plugin for WordPress versions 2.8.1 and earlier **Description** The issue allows unauthenticated attackers to view potentially sensitive information in the exposed log file, which may contain `nonce` values that can be used in further CSRF attacks. This is possible through the publicly exposed debug log file. Note that the debug feature must be enabled for this to be a concern, and it is disabled by default. **Recommendations** For versions 2.8.1 and earlier, as a temporary workaround, consider disabling the debug feature until a patch is available. Restrict access to the debug log file to minimize the risk of exploitation. Avoid using the W3 Total Cache plugin with the debug feature enabled until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** W3 Total Cache plugin for WordPress versions up to, and including, 2.8.1 **Description** The issue allows unauthorized modification of data due to a missing capability check on several functions. This enables unauthenticated attackers to deactivate the plugin, as well as activate and deactivate plugin extensions. **Recommendations** For versions up to, and including, 2.8.1, update to a version later than 2.8.1 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functions to prevent unauthorized modification until a patch is available.

**Name of the Vulnerable Software and Affected Versions** InfiniteWP Client plugin for WordPress versions up to, and including, 1.13.0 **Description** The issue allows unauthenticated attackers to read .txt files outside of the intended directory via the `historyID` parameter of the ~/debug-chart/index.php file. This makes it possible for attackers to access sensitive information. **Recommendations** For versions up to, and including, 1.13.0, consider disabling access to the ~/debug-chart/index.php file or restricting the use of the `historyID` parameter until a patch is available. Avoid using the `historyID` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** WPForms versions 1.8.4 through 1.9.2.1 **Description** The issue is related to a missing capability check in the `wpforms is admin page` function, which allows authenticated attackers with Subscriber-level access and above to refund payments and cancel subscriptions. This affects WPForms plugin for WordPress, potentially impacting over 6 million websites. The vulnerability can be exploited by authenticated users to perform unauthorized Stripe refunds and subscription cancellations. **Recommendations** For WPForms versions 1.8.4 through 1.9.2.1, update to version 1.9.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `wpforms is admin page` function to prevent unauthorized modifications. Additionally, restrict access to the Stripe payment system to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: All-in-One WP Migration and Backup plugin for WordPress versions up to, and including, 7.86 Description: The issue allows unauthenticated attackers to view potentially sensitive information, such as full paths, contained in publicly exposed log files. This is possible due to Sensitive Information Exposure in the plugin. Recommendations: For versions up to, and including, 7.86, update to a version that fixes the Sensitive Information Exposure issue to prevent unauthenticated attackers from viewing sensitive information. As a temporary workaround, consider restricting access to the publicly exposed log files until a patch is available.

Name of the Vulnerable Software and Affected Versions: GiveWP – Donation Plugin and Fundraising Platform versions up to, and including, 3.14.1 Description: The issue is related to unauthorized access and deletion of data due to a missing capability check on the `handle request` function. This allows authenticated attackers with Subscriber-level access and above to read attachment paths and delete attachment files. Recommendations: For versions up to, and including, 3.14.1, update to a version higher than 3.14.1 to resolve the issue. As a temporary workaround, consider restricting access to the `handle request` function until a patch is available. Additionally, restrict access to attachment files to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: GiveWP – Donation Plugin and Fundraising Platform versions up to, and including, 3.13.0 Description: The issue is related to unauthorized access of data due to a missing capability check on the `setup wizard` function. This allows unauthenticated attackers to read the setup wizard administrative pages. Recommendations: For versions up to, and including, 3.13.0, update to a version higher than 3.13.0 to resolve the issue. As a temporary workaround, consider disabling the `setup wizard` function until a patch is available.

Name of the Vulnerable Software and Affected Versions: GiveWP – Donation Plugin and Fundraising Platform versions prior to 3.13.1 Description: The issue allows unauthorized modification of data due to a missing capability check on the `handle request` function. This makes it possible for unauthenticated attackers to edit event ticket settings if the Events beta feature is enabled. Recommendations: For versions prior to 3.13.1, update to version 3.13.1 or later to resolve the issue. As a temporary workaround, consider disabling the `handle request` function or the Events beta feature until a patch is available. Restrict access to event ticket settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GiveWP versions 3.14.1 and earlier **Description** The GiveWP plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input from the `give title` parameter. This vulnerability allows unauthenticated attackers to inject a PHP Object, and the presence of a POP chain enables them to execute code remotely and delete arbitrary files. The issue affects over 100,000 WordPress sites, and the estimated number of potentially affected devices worldwide is not explicitly stated, but it is mentioned that 173K+ services are found on a specific website nearly every year. There are reports of real-world incidents where this issue was exploited, but specific details are not provided. **Recommendations** To resolve the issue for GiveWP versions 3.14.1 and earlier, update to version 3.14.2 or later. As a temporary workaround, consider disabling the `give title` parameter in the affected API endpoint until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the `give title` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Redux Framework plugin for WordPress versions 4.4.12 through 4.4.17 **Description** The issue arises from missing authorization and capability checks on the `Redux Color Scheme Import` function, allowing unauthenticated attackers to upload JSON files. This can lead to stored cross-site scripting attacks. In rare cases, when the `wp filesystem` fails to initialize, it can also result in Remote Code Execution. **Recommendations** For versions 4.4.12 through 4.4.17, update to a version that includes the necessary authorization and capability checks for the `Redux Color Scheme Import` function to prevent unauthenticated JSON file uploads. As a temporary workaround, consider disabling the `Redux Color Scheme Import` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Dokan Pro plugin for WordPress versions up to, and including, 3.10.3 **Description** The issue allows unauthenticated attackers to perform SQL Injection via the `code` parameter due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This enables attackers to append additional SQL queries into already existing queries, which can be used to extract sensitive information from the database. **Recommendations** For versions up to, and including, 3.10.3, update to a version later than 3.10.3 to resolve the issue. As a temporary workaround, consider restricting access to the `code` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin versions up to, and including, 6.3.2 **Description** The issue is related to a missing capability check on several functions in the wdt ajax actions.php file, which allows unauthenticated attackers to manipulate data tables. This affects the premium version of the plugin. **Recommendations** For versions up to, and including, 6.3.2, update to a version higher than 6.3.2 to resolve the issue. As a temporary workaround, consider restricting access to the wdt ajax actions.php file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** wpDataTables (Premium) versions up to and including 6.3.1 **Description** The issue is related to insufficient protection of SQL query structure, allowing remote attackers to execute arbitrary SQL queries via the `id key` parameter of the `wdt delete table row` AJAX action. This vulnerability can be exploited to extract sensitive information from the database. It is estimated that around 70,000 WordPress sites are potentially affected. **Recommendations** For versions up to and including 6.3.1, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the `wdt delete table row` AJAX action to minimize the risk of exploitation. Avoid using the `id key` parameter in the affected AJAX endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Tutor LMS Pro plugin for WordPress (affected versions not specified) **Description** The issue concerns unauthorized access, modification, and loss of data due to a missing capability check on the `get calendar materials` function. Additionally, the plugin is vulnerable to SQL Injection via the `year` parameter of this function, resulting from insufficient escaping of user-supplied parameters and inadequate preparation of existing SQL queries. This allows authenticated attackers with subscriber-level permissions and above to append additional SQL queries, potentially extracting sensitive information from the database. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tutor LMS plugin for WordPress versions prior to 2.8.0 is not specified, however, the versions up to and including 2.7.0 are affected. **Description** The issue allows unauthorized access, modification, and loss of data due to a missing capability check on multiple functions. This enables unauthenticated attackers to add, modify, or delete data. **Recommendations** For versions up to and including 2.7.0, update to a version later than 2.7.0 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tutor LMS Pro plugin for WordPress versions prior to 2.7.1 **Description** The issue allows unauthorized access, modification, and loss of data due to a missing capability check on multiple functions. This enables unauthenticated attackers to add, modify, or delete user meta and plugin options. **Recommendations** For versions prior to 2.7.1, update to version 2.7.1 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive functions and data to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Tutor LMS Pro plugin for WordPress versions up to, and including, 2.7.0 **Description** The issue allows for unauthorized access, modification, and loss of data due to a missing capability check on the `authenticate` function. This enables authenticated attackers with subscriber-level permissions and above to gain control of an existing administrator account. **Recommendations** For versions up to, and including, 2.7.0, update to a version that includes a fix for the missing capability check in the `authenticate` function to prevent unauthorized access and modification of data. As a temporary workaround, consider restricting access to the `authenticate` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** The Backuply – Backup, Restore, Migrate and Clone plugin for WordPress versions 1.2.5 and earlier **Description** The issue is related to a Denial of Service vulnerability. This vulnerability is due to direct access of the `backuply/restore ins.php` file, which allows unauthenticated attackers to make excessive requests, resulting in the server running out of resources. **Recommendations** For versions 1.2.5 and earlier, consider disabling direct access to the `backuply/restore ins.php` file as a temporary workaround until a patch is available. Restrict access to this file to minimize the risk of exploitation.