Yassir Sbai Fahim

**Name of the Vulnerable Software and Affected Versions** E2Pdf WordPress plugin versions prior to 1.20.20 **Description** The issue allows high privilege users to perform Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 1.20.20, update to version 1.20.20 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings for high privilege users until the update is applied.

**Name of the Vulnerable Software and Affected Versions** The LMS by Masteriyo WordPress plugin versions prior to 1.6.8 **Description** The issue concerns improper authorization in some of the plugin's REST API endpoints. This allows any students to retrieve email addresses of other students, effectively leaking sensitive user information. **Recommendations** For versions prior to 1.6.8, update to version 1.6.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable REST API endpoints until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** TinyMCE Custom Styles WordPress plugin versions prior to 1.1.4 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in a multisite setup. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 1.1.4, update to version 1.1.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the plugin's settings to minimize the risk of exploitation.