Xu-Liang Liao

Name of the Vulnerable Software and Affected Versions: The Countdown and CountUp, WooCommerce Sales Timers WordPress plugin versions up to and including 1.5.7 Description: The issue is related to Cross-Site Request Forgery, which occurs due to a missing nonce check in the `save theme` function found in the `~/includes/admin/coundown theme page.php` file. This allows attackers to inject arbitrary web scripts. Recommendations: For versions up to and including 1.5.7, update to a version that includes a fix for this issue. As a temporary workaround, consider disabling the `save theme` function until a patch is available. Restrict access to the `~/includes/admin/coundown theme page.php` file to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: The Shopping Cart & eCommerce Store WordPress plugin versions up to and including 5.1.0 Description: The issue is related to Cross-Site Request Forgery, allowing attackers to inject arbitrary web scripts via the `save currency settings` function found in the ~/admin/inc/wp easycart admin initial setup.php file. Recommendations: For versions up to and including 5.1.0, update to a version later than 5.1.0 to resolve the issue. As a temporary workaround, consider disabling the `save currency settings` function until a patch is available.

Name of the Vulnerable Software and Affected Versions: WP Fusion Lite versions up to and including 3.37.18 Description: The issue allows attackers to inject arbitrary web scripts via the `startdate` parameter in the ~/includes/admin/logging/class-log-table-list.php file, enabling Reflected Cross-Site Scripting attacks. Recommendations: For versions up to and including 3.37.18, update to a version later than 3.37.18 to resolve the issue. As a temporary workaround, consider restricting access to the ~/includes/admin/logging/class-log-table-list.php file or avoiding the use of the `startdate` parameter until a patch is available.

Name of the Vulnerable Software and Affected Versions: WP Fusion Lite versions up to and including 3.37.18 Description: The issue allows attackers to perform Cross-Site Request Forgery via the `show logs section` function found in the ~/includes/admin/logging/class-log-handler.php file, which enables them to drop all logs for the plugin. Recommendations: For versions up to and including 3.37.18, as a temporary workaround, consider disabling the `show logs section` function until a patch is available.

Name of the Vulnerable Software and Affected Versions: Poll Maker WordPress plugin versions up to and including 3.2.8 Description: The issue allows attackers to inject arbitrary web scripts via the `mcount` parameter found in the ~/admin/partials/settings/poll-maker-settings.php file, enabling Reflected Cross-Site Scripting attacks. Recommendations: For versions up to and including 3.2.8, update to a version later than 3.2.8 to resolve the issue. As a temporary workaround, consider restricting access to the ~/admin/partials/settings/poll-maker-settings.php file to minimize the risk of exploitation. Avoid using the `mcount` parameter in the affected file until the issue is resolved.