Vincent Michel

**Name of the Vulnerable Software and Affected Versions** Target First WordPress Plugin version 2.0 **Description** The issue is related to a critical unauthenticated stored XSS vulnerability. An attacker can modify the licence key value by sending a POST request to any URL with the `weeWzKey` parameter, which is then saved as the `weeID` option without proper sanitization. **Recommendations** For version 2.0, consider disabling the licence key modification functionality until a patch is available to prevent exploitation of the stored XSS vulnerability. Restrict access to any URL that accepts the `weeWzKey` parameter to minimize the risk of exploitation. Avoid using the `weeWzKey` parameter in POST requests until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** The All in One SEO – Best WordPress SEO Plugin – Easily Improve Your SEO Rankings versions prior to 4.1.0.2 **Description** The issue allows authenticated users with `aioseo tools settings` privilege, typically admins, to execute arbitrary code on the host. This is possible because the plugin attempts to unserialize values from uploaded .ini files in the "Tool > Import/Export" section. The embedded Monolog library can be exploited to create a gadget chain, leading to system command execution. **Recommendations** For versions prior to 4.1.0.2, update to version 4.1.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "Tool > Import/Export" section and the `aioseo tools settings` privilege to minimize the risk of exploitation. Avoid uploading .ini files from untrusted sources until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Tatsu WordPress plugin versions prior to 3.3.12 **Description** The issue is related to the `add custom font` action in the Tatsu WordPress plugin, which can be used without prior authentication to upload a rogue zip file. This file is uncompressed under the WordPress upload directory. By adding a PHP shell with a filename starting with a dot ".", this can bypass extension control implemented in the plugin. Moreover, there is a race condition in the zip extraction process, making the shell file live long enough on the filesystem to be callable by an attacker. The vulnerability has been exploited in real-world attacks, with over 5.9 million attempts blocked between May 10 and 14. It is estimated that almost 100,000 sites are using the vulnerable plugin, and despite the availability of a fix since April, around 50,000 sites still use the vulnerable version. **Recommendations** For Tatsu WordPress plugin versions prior to 3.3.12, update to version 3.3.13 or later to resolve the issue. As a temporary workaround, consider disabling the `add custom font` action until a patch is available. Restrict access to the upload directory to minimize the risk of exploitation. Avoid using the `add custom font` action in the affected plugin until the issue is resolved.