Vinay Bhuria

**Name of the Vulnerable Software and Affected Versions** Language Bar Flags WordPress plugin versions 1.0.8 and earlier **Description** The issue is related to the lack of CSRF protection when saving settings and the failure to sanitize or escape settings when generating the flag bar in the frontend. This could allow attackers to make a logged-in admin change the settings and set a Cross-Site Scripting payload, which will be executed in the frontend for all users. **Recommendations** For Language Bar Flags WordPress plugin versions 1.0.8 and earlier, consider disabling the plugin until a patch is available to prevent potential exploitation. Restrict access to the plugin's settings to minimize the risk of unauthorized changes. Avoid using the plugin's frontend functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Light Messages WordPress plugin version 1.0 **Description** The issue is related to the lack of a CSRF check when updating settings and the failure to sanitize Message Content, even when unfiltered html is disallowed. This allows an attacker to make a logged-in admin update settings to arbitrary values and set a Cross-Site Scripting payload in the Message Content. The XSS payload can be triggered in the backend only or in both the frontend and backend, depending on the options set. **Recommendations** For version 1.0, consider disabling the plugin's settings update functionality until a patch is available to prevent arbitrary updates and Cross-Site Scripting attacks. Restrict access to the plugin's settings to minimize the risk of exploitation. Avoid using the Message Content field in the plugin's settings until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Custom Login Redirect WordPress plugin version 1.0.0 **Description** The issue is related to the lack of a CSRF check when saving settings and the failure to sanitise or escape user input before outputting it back in the page. This leads to a Stored Cross-Site Scripting issue, which can be exploited by attackers. **Recommendations** For Custom Login Redirect WordPress plugin version 1.0.0, consider disabling the plugin until a patch is available to prevent potential exploitation. Restrict access to the settings page to minimize the risk of Stored Cross-Site Scripting attacks. Avoid using the plugin until the issue is resolved.