WordPress · Donate With Qrcode · CVE-2021-24618
**Name of the Vulnerable Software and Affected Versions**
Donate With QRCode WordPress plugin versions prior to 1.4.5
**Description**
The issue is a Stored Cross-Site Scripting (XSS) vulnerability. The plugin does not sanitise or escape its QRCode Image setting, so any authenticated user, or an unauthenticated user via a CSRF vector, can update the setting and perform a Stored XSS attack. Because no CSRF or capability checks are performed when the setting is saved, any authenticated user, including low-privileged roles such as subscribers, can update it.
**Recommendations**
For versions prior to 1.4.5, update to version 1.4.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the QRCode Image setting to minimize the risk of exploitation. Additionally, restrict the ability of low-privileged users, such as subscribers, to update settings that could be used for XSS attacks.
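To make the two defects in the description concrete, and the fix the recommendation points at, here is an added illustrative example of a WordPress settings-save handler in the shape the advisory describes, placed beside a hardened version. This is not the plugin's code: the option name `dwq_example_qr_image`, the `admin_post_` action name, the nonce action and field name, and all function names are hypothetical, and only the hardened handler is hooked in.

```php
<?php
// Added illustrative example, not the plugin's code. Option name, hook names,
// nonce action/field and function names are hypothetical.

/*
 * Vulnerable shape (kept unhooked, for contrast only): no nonce (CSRF) check,
 * no capability check, raw value stored, value later echoed without escaping.
 */
function dwq_example_save_qr_image_vulnerable() {
    // No check_admin_referer() and no current_user_can(): any logged-in user,
    // or a logged-in user lured to a CSRF page, reaches this line.
    update_option( 'dwq_example_qr_image', $_POST['qr_image'] );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

function dwq_example_render_qr_image_vulnerable() {
    // Unescaped output: whatever was stored lands verbatim in the HTML.
    echo '<img src="' . get_option( 'dwq_example_qr_image' ) . '">';
}

/*
 * Hardened version: CSRF check, capability check, sanitise on save,
 * escape on output.
 */
function dwq_example_save_qr_image_hardened() {
    // 1. CSRF: require a nonce bound to this specific action.
    check_admin_referer( 'dwq_example_save_qr_image', 'dwq_example_nonce' );

    // 2. Authorisation: only users allowed to manage site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 3. Sanitise on save: keep only a well-formed http(s) URL.
    $raw = isset( $_POST['qr_image'] ) ? wp_unslash( $_POST['qr_image'] ) : '';
    $url = esc_url_raw( $raw, array( 'http', 'https' ) );
    if ( '' === $url ) {
        wp_die( 'Invalid image URL.', '', array( 'response' => 400 ) );
    }

    update_option( 'dwq_example_qr_image', $url );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

function dwq_example_render_qr_image_hardened() {
    // 4. Escape on output: esc_url() for a URL placed in a src attribute,
    //    esc_attr__() for the translatable alt text.
    $url = get_option( 'dwq_example_qr_image', '' );
    if ( '' !== $url ) {
        echo '<img src="' . esc_url( $url ) . '" alt="'
            . esc_attr__( 'Donation QR code', 'dwq-example' ) . '">';
    }
}

// Settings form for the hardened handler; wp_nonce_field() emits the token
// that check_admin_referer() verifies.
function dwq_example_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="dwq_example_save_qr_image">';
    wp_nonce_field( 'dwq_example_save_qr_image', 'dwq_example_nonce' );
    echo '<input type="url" name="qr_image" value="'
        . esc_attr( get_option( 'dwq_example_qr_image', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// Only the hardened handler is registered. admin_post_{action} fires for every
// logged-in user regardless of role, which is why the nonce and capability
// checks inside the handler are mandatory. No admin_post_nopriv_ hook is
// added, so unauthenticated requests never reach the handler at all.
add_action( 'admin_post_dwq_example_save_qr_image', 'dwq_example_save_qr_image_hardened' );
```

The two fixes are independent and both are needed: the nonce plus capability check closes the "any authenticated user or CSRF vector can save" path, while `esc_url_raw()` on input and `esc_url()` on output close the stored XSS path even if an administrator saves a malformed value. When auditing a plugin for this class of issue, look for `update_option()` calls reachable from `admin_post_`, `admin_init` or AJAX hooks that are not preceded by both `check_admin_referer()`/`wp_verify_nonce()` and `current_user_can()`, and for option values echoed without an `esc_*()` wrapper.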