Waris Damkham

Name of the Vulnerable Software and Affected Versions The Quick Playground plugin for WordPress versions up to and including 1.3.1 Description The Quick Playground plugin for WordPress is susceptible to Remote Code Execution due to inadequate authorization checks on REST API endpoints. These endpoints expose a sync code and permit arbitrary file uploads. This allows unauthenticated attackers to retrieve the sync code, upload PHP files using path traversal techniques, and ultimately achieve remote code execution on the server. Recommendations Update the Quick Playground plugin to a version later than 1.3.1.

**Name of the Vulnerable Software and Affected Versions** Easy Image Gallery versions prior to 1.5.4 **Description** The Easy Image Gallery plugin for WordPress is susceptible to Stored Cross-Site Scripting through the Gallery shortcode post meta field. Insufficient input sanitization and output escaping of user-supplied gallery shortcode values allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the affected page. **Recommendations** Update Easy Image Gallery to version 1.5.4 or later.

**Name of the Vulnerable Software and Affected Versions** Hr Press Lite versions up to and including 1.0.2 **Description** The Hr Press Lite plugin for WordPress has a flaw that allows unauthorized access to sensitive employee data. This is due to a missing capability check on the `hrp-fetch-employees` AJAX action. Attackers with Subscriber-level access or higher can retrieve sensitive employee information, including names, email addresses, phone numbers, salary/pay rates, employment dates, and employment status. The vulnerable component is the `hrp-fetch-employees` AJAX action. **Recommendations** Update Hr Press Lite to a version beyond 1.0.2.

**Name of the Vulnerable Software and Affected Versions** NextGEN Gallery versions prior to 4.0.4 **Description** The NextGEN Gallery plugin for WordPress is susceptible to a Local File Inclusion issue. This affects versions up to and including 4.0.3. The issue is triggered through the `template` parameter within gallery shortcodes. Successful exploitation allows authenticated attackers with Author-level access or higher to include and execute arbitrary .php files on the server. This can lead to bypassing access controls, obtaining sensitive data, or achieving code execution if .php files can be uploaded and included. The vulnerable parameter is `template`. **Recommendations** Update NextGEN Gallery to version 4.0.4 or later.

**Name of the Vulnerable Software and Affected Versions** WowStore – Store Builder & Product Blocks for WooCommerce plugin for WordPress versions up to and including 4.4.3 **Description** The WowStore – Store Builder & Product Blocks for WooCommerce plugin for WordPress is susceptible to SQL Injection via the `search` parameter. Insufficient escaping of user-supplied input and inadequate preparation of existing SQL queries allow unauthenticated attackers to inject additional SQL queries, potentially extracting sensitive information from the database. **Recommendations** Versions prior to 4.4.4 should be updated.

**Name of the Vulnerable Software and Affected Versions** WordPress JS Archive List plugin versions up to and including 6.1.7 **Description** The JS Archive List plugin for WordPress is susceptible to PHP Object Injection through the 'included' shortcode attribute. This occurs because of the deserialization of untrusted input provided through the 'included' parameter of the plugin’s shortcode. Authenticated attackers with Contributor-level access or higher can inject a PHP Object. Currently, no known practical exploitation chain (POP chain) exists within the vulnerable software itself. However, if a POP chain is present through an additional plugin or theme installed on the target system, an attacker could potentially delete arbitrary files, retrieve sensitive data, or execute code. **Recommendations** Update the JS Archive List plugin to a version newer than 6.1.7.

**Name of the Vulnerable Software and Affected Versions** WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation plugin for WordPress versions up to and including 1.4.24 **Description** The WowOptin plugin for WordPress is susceptible to unauthorized arbitrary plugin installation. This is due to a missing capability check within the `install and active plugin` function. Authenticated attackers possessing Subscriber-level access or higher can exploit this to install and activate plugins without authorization. **Recommendations** Versions prior to and including 1.4.24 should be updated.

**Name of the Vulnerable Software and Affected Versions** Envira Gallery for WordPress plugin versions up to and including 1.12.3 **Description** The Envira Gallery for WordPress plugin is susceptible to Stored Cross-Site Scripting through the `justified gallery theme` parameter. Insufficient input sanitization and output escaping allow authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. **Recommendations** Update Envira Gallery for WordPress plugin to a version later than 1.12.3

**Name of the Vulnerable Software and Affected Versions** Library Management System versions prior to 3.2.2 **Description** The Library Management System plugin for WordPress is susceptible to SQL Injection due to inadequate input validation and query preparation. Specifically, the `bid` parameter is not properly sanitized, allowing attackers to inject malicious SQL code. This can enable unauthenticated attackers to extract sensitive information from the database by appending additional SQL queries to existing ones. **Recommendations** Update the Library Management System plugin to version 3.2.2 or later.

**Name of the Vulnerable Software and Affected Versions** Prodigy Commerce versions prior to 3.2.9 **Description** The Prodigy Commerce plugin for WordPress is susceptible to a Local File Inclusion issue. This allows unauthenticated attackers to include and read arbitrary files or execute arbitrary files on the server. Exploitation of this issue can lead to bypassing access controls, obtaining sensitive data, or achieving code execution. The vulnerability is due to insufficient input validation of the `parameters[template name]` parameter. This allows attackers to include and execute PHP code within uploaded files. **Recommendations** Versions prior to 3.2.9 should be updated. As a temporary workaround, consider disabling the Prodigy Commerce plugin until a fix is available. Monitor file uploads for potentially malicious content.

**Name of the Vulnerable Software and Affected Versions** WP Customer Reviews versions prior to 3.7.6 **Description** The WP Customer Reviews plugin for WordPress is susceptible to Reflected Cross-Site Scripting. This is due to inadequate input sanitization and output escaping of the `wpcr3 fname` parameter. An unauthenticated attacker can inject arbitrary web scripts into pages, which will execute if a user is tricked into performing an action, such as clicking a malicious link. **Recommendations** Update WP Customer Reviews to version 3.7.6 or later.

**Name of the Vulnerable Software and Affected Versions** WP Event Aggregator plugin for WordPress versions up to and including 1.8.7 **Description** The WP Event Aggregator plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'wp events' shortcode. Insufficient input sanitization and output escaping on user-supplied attributes allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the affected page. **Recommendations** Update the WP Event Aggregator plugin to a version later than 1.8.7.

**Name of the Vulnerable Software and Affected Versions** midi-Synth plugin for WordPress versions up to and including 1.1.0 **Description** The midi-Synth plugin for WordPress is susceptible to arbitrary file uploads because of a lack of validation for file types and extensions within the 'export' AJAX action. This allows unauthenticated attackers to upload files to the affected server. Successful exploitation, which requires obtaining a valid nonce, could potentially lead to remote code execution. The nonce is exposed in frontend JavaScript, making it easily accessible to attackers. **API Endpoint:** '/export' **Vulnerable Parameter:** No specific parameters are mentioned, but the issue relates to file uploads handled by the 'export' AJAX action. **Vulnerable Function:** The 'export' AJAX action is vulnerable. **Recommendations** Update the midi-Synth plugin to a version newer than 1.1.0. Disable the midi-Synth plugin if an update is not available.

**Name of the Vulnerable Software and Affected Versions** FastDup – Fastest WordPress Migration & Duplicator plugin versions up to 2.7.1 **Description** The FastDup plugin for WordPress is affected by a flaw that allows unauthorized backup creation and download. This is due to a missing capability check on REST API endpoints. Authenticated attackers with Contributor-level access or higher can create and download full-site backup archives, including database exports and configuration files. The affected API endpoints are not explicitly specified, but the issue relates to REST API functionality. The vulnerability allows access to the entire WordPress installation data. **Recommendations** Versions prior to 2.7.1 should be updated to address this issue.

**Name of the Vulnerable Software and Affected Versions** Beaver Builder Page Builder plugin for WordPress versions prior to 2.10.0.6 **Description** The Beaver Builder Page Builder plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is due to missing capability checks within the `save global settings()` function and insufficient input sanitization and output escaping. Authenticated attackers with Custom-level access or higher, who have been granted Beaver Builder access, can inject arbitrary web scripts into pages. These scripts will execute whenever a user accesses an injected page via the `js` Global Settings parameter. **Recommendations** Update to Beaver Builder Page Builder plugin version 2.10.0.6 or later.

**Name of the Vulnerable Software and Affected Versions** TableMaster for Elementor versions up to and including 1.3.6 **Description** The TableMaster for Elementor plugin for WordPress is susceptible to Server-Side Request Forgery. This occurs because the plugin does not limit the URLs that can be accessed when importing CSV data from a URL using the Data Table widget. Authenticated attackers with Author-level access or higher can make web requests to arbitrary locations, including localhost and internal network services. Sensitive files, such as `wp-config.php`, can be read through the `csv url` parameter. **Recommendations** Update TableMaster for Elementor to a version later than 1.3.6.

**Name of the Vulnerable Software and Affected Versions** LA-Studio Element Kit for Elementor versions through 1.5.6.3 **Description** The LA-Studio Element Kit for Elementor plugin for WordPress is susceptible to unauthorized administrative user creation. This occurs because the `ajax register handle` function does not properly restrict user role assignments during registration. Unauthenticated attackers can exploit this by providing a malicious value for the `lakit bkrole` parameter during the registration process, allowing them to gain administrator access to the site. Reports indicate that approximately 20,000+ WordPress sites globally may be affected. The issue was reportedly introduced by a former employee and allows for full site takeover. The `lakit bkrole` parameter is used in the plugin’s registration handler to manipulate user roles. **Recommendations** Versions through 1.5.6.3 should be updated to version 1.6.0. Audit for rogue administrator users after applying the update.

**Name of the Vulnerable Software and Affected Versions** SearchWiz versions prior to 1.0.1 **Description** The SearchWiz plugin for WordPress is susceptible to Stored Cross-Site Scripting through post titles displayed in search results. The issue arises because the plugin utilizes `esc attr()` instead of `esc html()` when displaying post titles, allowing authenticated attackers with contributor-level access or higher to inject malicious web scripts into post titles. These scripts execute when a user performs a search and views the resulting page. The vulnerable component is the handling of post titles in search results. **Recommendations** Update SearchWiz to version 1.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** ConvertForce Popup Builder plugin for WordPress versions up to and including 0.0.7 **Description** The ConvertForce Popup Builder plugin for WordPress is susceptible to Stored Cross-Site Scripting. The issue stems from inadequate input sanitization and output escaping within the Gutenberg block's `entrance animation` attribute. This allows authenticated attackers with Author-level access or higher to inject malicious web scripts into pages. These scripts will then execute when a user accesses the compromised page. The vulnerable parameter is `entrance animation`. **Recommendations** Update the ConvertForce Popup Builder plugin to a version newer than 0.0.7.

**Name of the Vulnerable Software and Affected Versions** My Album Gallery plugin for WordPress versions prior to 1.0.5 **Description** The My Album Gallery plugin for WordPress is susceptible to Stored Cross-Site Scripting through the `style css` shortcode attribute. Insufficient input sanitization and output escaping allow authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. **Recommendations** Update the My Album Gallery plugin to version 1.0.5 or later.