Yogesh Verma

**Name of the Vulnerable Software and Affected Versions** ZYREX POPUP WordPress plugin versions 1.0 and earlier **Description** The issue allows a high privileged user, such as an Administrator, to upload arbitrary files when creating a popup, even when modifying the file system is disallowed, such as in a multisite install. This is due to the lack of validation of the type of files uploaded. **Recommendations** For ZYREX POPUP WordPress plugin versions 1.0 and earlier, consider disabling the file upload functionality for creating popups until a patch is available. Restrict access to the plugin's upload feature to minimize the risk of exploitation. Avoid using the plugin in multisite installs where file system modification is disallowed until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Simple Customer Relationship Management System version 1.0 **Description** A SQL injection issue was found in the Profile Update function, specifically via the `name` parameter. **Recommendations** For Simple Customer Relationship Management System version 1.0, consider restricting the use of the `name` parameter in the Profile Update function until a fix is available. Avoid using the `name` parameter in the affected function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Art Gallery Management System Project version 1.0 **Description** A stored cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `fullname` parameter on the enquiry page. This enables attackers to potentially steal user data or take control of user sessions. **Recommendations** For Art Gallery Management System Project version 1.0, consider disabling the enquiry page or restricting access to it until a patch is available. Avoid using the `fullname` parameter in the enquiry page until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Art Gallery Management System Project version 1.0 **Description** A stored cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `message` parameter on the "enquiry page" API endpoint. This enables attackers to potentially steal user data or take control of user sessions. **Recommendations** For Art Gallery Management System Project version 1.0, consider validating and sanitizing user input for the `message` parameter to prevent malicious payloads from being injected. As a temporary workaround, restrict access to the enquiry page until a proper fix is implemented.