Xiahao@Webray.Com.Cn Inc

**Name of the Vulnerable Software and Affected Versions** youForms for WordPress plugin versions 1.0.0 through 1.0.5 **Description** The issue allows high privilege users, such as editors and admins, to perform Cross-Site Scripting attacks. This is possible because the Button Text field of the plugin's Templates does not properly sanitise or escape input, even when the unfiltered html capability is disallowed. **Recommendations** For youForms for WordPress plugin versions 1.0.0 through 1.0.5, update to a version later than 1.0.5 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Availability Calendar WordPress plugin versions prior to 1.2.2 **Description** The issue allows high privilege users to perform Cross-Site Scripting attacks due to the lack of sanitization or escaping of Category Names before outputting them in pages or posts where the associated shortcode is embedded. This is possible even when the unfiltered html is disallowed. **Recommendations** For versions prior to 1.2.2, update to version 1.2.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `Category Names` feature in the Availability Calendar WordPress plugin until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Availability Calendar WordPress plugin versions prior to 1.2.1 **Description** The issue arises from the failure to escape the `category` attribute from its shortcode before using it in a SQL statement, leading to a SQL Injection problem. This can be exploited by any user able to add shortcode to posts or pages, such as those with contributor or higher privileges. **Recommendations** For versions prior to 1.2.1, update to version 1.2.1 or later to resolve the issue. As a temporary workaround, consider restricting the ability to add shortcodes to posts or pages to only trusted users until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** WP Mapa Politico Espana WordPress plugin versions prior to 3.7.0 **Description** The issue allows high privilege users to perform Cross-Site Scripting attacks due to the plugin not sanitizing or escaping some of its settings before outputting them in attributes. This is possible even when the unfiltered html is disallowed. **Recommendations** For versions prior to 3.7.0, update to version 3.7.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the plugin's settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Highlight WordPress plugin versions prior to 0.9.3 **Description** The issue allows high privilege users to perform Cross-Site Scripting attacks due to the lack of sanitization in the CustomCSS setting, even when the unfiltered html capability is disallowed. **Recommendations** For versions prior to 0.9.3, update to version 0.9.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the CustomCSS setting to minimize the risk of exploitation.