Xbz0N

**Name of the Vulnerable Software and Affected Versions** WooCommerce Customers Manager WordPress plugin versions prior to 29.7 **Description** The issue is related to an SQL injection that occurs because a parameter is not properly sanitised and escaped before being used in a SQL statement. This can be exploited by users with a Subscriber+ role. **Recommendations** For versions prior to 29.7, update the WooCommerce Customers Manager WordPress plugin to version 29.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality for users with the Subscriber+ role until the update is applied.

**Name of the Vulnerable Software and Affected Versions** The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin version 1.5.3 **Description** The issue arises due to insufficient escaping of user-supplied parameters and the lack of adequate preparation in SQL queries, allowing authenticated attackers with editor access or higher to append additional SQL queries into existing ones. This can potentially lead to unauthorized access to sensitive information from the database. The vulnerability is exploited via multiple JSON parameters in the "/wp-json/burst/v1/data/compare" endpoint, including `browser`, `device`, `page id`, `page url`, `platform`, and `referrer`. **Recommendations** For version 1.5.3, as a temporary workaround, consider disabling access to the "/wp-json/burst/v1/data/compare" endpoint until a patch is available. Restrict access to the affected parameters, including `browser`, `device`, `page id`, `page url`, `platform`, and `referrer`, to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** EasyNAS version 1.1.0 **Description** A critical vulnerability has been found in the function system of the file /backup.pl, leading to os command injection. The manipulation can be launched remotely, and the exploit has been disclosed to the public. This issue arises due to the lack of measures to neutralize special elements used in the operating system command. As a result, an attacker acting remotely can execute arbitrary commands. **Recommendations** For EasyNAS version 1.1.0, it is recommended to upgrade the affected component to resolve the issue. As a temporary workaround, consider disabling the /backup.pl file until a patch is available. Restrict access to the function system of the file /backup.pl to minimize the risk of exploitation.