Vishal Mohan

Name of the Vulnerable Software and Affected Versions: Inspirational Quote Rotator WordPress plugin version 1.0.0 Description: The issue arises from the plugin's failure to sanitize and escape certain quote fields when adding or editing a quote as an administrator. This leads to Stored Cross-Site scripting issues when the quote is displayed in the "Quotes list", even in cases where the unfiltered html capability is disallowed. Recommendations: For Inspirational Quote Rotator WordPress plugin version 1.0.0, consider disabling the editing functionality of quote fields until a patch is available to prevent potential Stored Cross-Site scripting issues. Restrict access to the "Quotes list" output to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Flex Local Fonts WordPress plugin versions 1.0.0 and earlier Description: The issue allows high privilege users to perform Cross-Site Scripting attacks due to the lack of escaping in the Class Name field when adding a font. This can occur even when the unfiltered html capability is disallowed. Recommendations: For Flex Local Fonts WordPress plugin versions 1.0.0 and earlier, update to a version that properly escapes the Class Name field to prevent Cross-Site Scripting attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Shiny Buttons WordPress plugin versions 1.1.0 and earlier Description: The issue concerns the lack of authorization and CSRF protection when saving a template, specifically through the `wpbtn save template` function hooked to the `init` action. Additionally, the plugin fails to sanitize and escape template data before outputting it in the admin dashboard. This allows unauthenticated users to add malicious templates, leading to Stored Cross-Site Scripting issues. Recommendations: For Shiny Buttons WordPress plugin versions 1.1.0 and earlier, consider disabling the `wpbtn save template` function until a patch is available to prevent exploitation. Restrict access to the template saving functionality to minimize the risk of Stored Cross-Site Scripting issues. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Filter Portfolio Gallery WordPress plugin versions 1.5 and earlier Description: The issue is related to a lack of Cross-Site Request Forgery (CSRF) check when deleting a Gallery. This could allow attackers to make a logged-in admin delete arbitrary Galleries. Recommendations: For Filter Portfolio Gallery WordPress plugin versions 1.5 and earlier, update to a version that includes a CSRF check for gallery deletion to prevent unauthorized modifications. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: WP Survey Plus WordPress plugin versions 1.0 and earlier Description: The issue is related to the lack of authorization and CSRF checks in the AJAX actions of the plugin, allowing any user to call them and perform actions such as adding, editing, or deleting surveys. Additionally, the lack of sanitization in the surveys' title can lead to Stored Cross-Site Scripting issues. Recommendations: For WP Survey Plus WordPress plugin versions 1.0 and earlier, consider disabling the AJAX actions until a patch is available. Restrict access to the surveys' title field to minimize the risk of Stored Cross-Site Scripting issues. As a temporary workaround, avoid using the plugin's survey management features until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: The Great Quotes WordPress plugin version 1.0.0 Description: The issue concerns the lack of sanitization and escaping of the `Quote` and `Author` fields in the plugin's Quotes, potentially allowing high-privilege users to perform Cross-Site Scripting attacks, even when the `unfiltered html` capability is disallowed. Recommendations: For The Great Quotes WordPress plugin version 1.0.0, update to a version that properly sanitizes and escapes the `Quote` and `Author` fields to prevent Cross-Site Scripting attacks.