Youcef Hamdani

**Name of the Vulnerable Software and Affected Versions** FV Flowplayer Video Player versions prior to 7.5.49.7213 **Description** The FV Flowplayer Video Player plugin for WordPress contains a Stored Cross-Site Scripting issue caused by insufficient input sanitization and output escaping of comment text. This allows unauthenticated attackers to inject arbitrary web scripts into pages, which execute when a user visits the affected page. Successful exploitation depends on the administrator enabling the non-default `parse comments` setting (Parse Vimeo and YouTube links) and requires a submitted comment to be approved by an administrator before the payload is delivered. **Recommendations** Update the plugin to a version later than 7.5.49.7212. As a temporary mitigation, disable the `parse comments` (Parse Vimeo and YouTube links) plugin setting.

The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.6 This is due to a regex bug in the filter videos() method that breaks HTML attribute quoting when processing crafted <video> elements, combined with unescaped output in the admin/views/form-data.php template. An authenticated attacker with Contributor-level access can insert a crafted <video> tag whose src attribute contains an embedded class=" substring that tricks the plugin's class-replacement regex into consuming an attribute-value closing quote. This shifts the HTML5 parser's quote boundary, promoting attacker-controlled text from inside a quoted attribute value into standalone event-handler attributes (autofocus, onfocus). The injected script executes in the browser of any user (including administrators) who views the post.

**Name of the Vulnerable Software and Affected Versions** WP Blockade versions prior to 0.9.15 **Description** The plugin is subject to Reflected Cross-Site Scripting, a flaw where an application includes untrusted data in a web page without proper validation, allowing attackers to execute scripts in the victim's browser. The issue exists in the `render shortcode preview()` function, which processes the `shortcode` parameter from the `$ GET` request. The function uses `stripslashes()` but fails to perform sufficient input sanitization or output escaping before passing the data to `do shortcode()`. If the input is not a valid WordPress shortcode, it is reflected directly into the page. This requires the attacker to be authenticated with at least a Subscriber-level account, as the endpoint is registered via `admin post ` and lacks nonce verification or capability checks. **Recommendations** Update to a version later than 0.9.14. As a temporary workaround, restrict access to the `render shortcode preview()` function or avoid using the `shortcode` parameter until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Taqnix versions prior to 1.0.4 **Description** The Taqnix plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF), a flaw where an attacker tricks a user into performing actions they did not intend to. This occurs because of missing nonce verification in the `taqnix delete my account()` function, specifically where the `check ajax referer()` call is commented out. Unauthenticated attackers can exploit this to force logged-in non-administrator users to delete their own accounts by inducing them to click a malicious link or visit a compromised page. **Recommendations** Update to a version later than 1.0.3. As a temporary workaround, restrict access to the `taqnix delete my account()` function until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Create DB Tables versions prior to 1.2.2 **Description** The Create DB Tables plugin for WordPress contains an authorization bypass. The plugin registers admin post action hooks for creating tables ('admin post add table') and deleting tables ('admin post delete db table') without implementing capability checks or nonce verification. Consequently, any authenticated user, including those with Subscriber-level access, can access these endpoints. The `cdbt delete db table()` function processes a user-supplied table name from the `db table` variable and executes a DROP TABLE SQL query, which allows the deletion of any database table, including critical WordPress core tables. Similarly, the `cdbt create new table()` function allows the creation of arbitrary database tables. **Recommendations** Update to a version newer than 1.2.1. As a temporary workaround, restrict access to the 'admin post add table' and 'admin post delete db table' endpoints to authorized administrators only.

The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.8. This is due to missing nonce validation in the ajax revoke token() function which handles the 'petjeaf disconnect' AJAX action. The function performs destructive operations including revoking OAuth2 tokens, deleting user meta, and deleting WordPress user accounts (for users with the 'petjeaf member' role) without verifying the request originated from a legitimate source. This makes it possible for unauthenticated attackers to force authenticated users to delete their Petje.af member user accounts via a forged request granted the victim clicks on a link or visits a malicious site.

Name of the Vulnerable Software and Affected Versions PZ Frontend Manager plugin for WordPress versions up to and including 1.0.6 Description The PZ Frontend Manager plugin for WordPress is susceptible to a missing authorization issue. The `pzfm user request action callback()` function, accessible through the `wp ajax pzfm user request action` AJAX endpoint, does not perform adequate capability checks or nonce verification. This function manages user activation, deactivation, and deletion. Specifically, when the `dataType` parameter is set to 'delete', the function calls `wp delete user()` on provided user IDs without verifying sufficient permissions. This allows authenticated attackers with Subscriber-level access or higher to delete arbitrary WordPress users, including administrators, by sending a crafted request to the ''wp ajax pzfm user request action'' endpoint. Recommendations For versions up to and including 1.0.6, update to a newer version that addresses this authorization issue.

Name of the Vulnerable Software and Affected Versions WP Blockade plugin for WordPress versions up to and including 0.9.14 Description The WP Blockade plugin for WordPress is susceptible to a missing authorization issue. The plugin registers an admin post action hook 'wp-blockade-shortcode-render' which maps to the `render shortcode preview()` function. This function does not perform capability checks or nonce verification, allowing authenticated users to execute arbitrary WordPress shortcodes. The function retrieves a user-supplied `shortcode` parameter from the $ GET request, processes it with stripslashes(), and directly executes it using do shortcode(). This allows authenticated attackers with Subscriber-level access or higher to execute arbitrary shortcodes, potentially leading to information disclosure, privilege escalation, or other impacts depending on the registered shortcodes on the site. Recommendations Versions up to and including 0.9.14: Update to a version beyond 0.9.14.

**Name of the Vulnerable Software and Affected Versions** Sherk Custom Post Type Displays plugin for WordPress versions up to and including 1.2.1 **Description** The Sherk Custom Post Type Displays plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'title' shortcode attribute. This is a result of inadequate input sanitization and output escaping on the 'title' attribute of the 'sherkcptdisplays' shortcode. The `sherkcptdisplays func()` function in includes/SherkCPTDisplaysShortcode.php extracts the 'title' attribute value from shortcode atts() on line 19 and directly incorporates it into an HTML <h2> tag on line 31 without proper escaping. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages, which will execute when a user accesses the affected page. **Recommendations** Versions prior to and including 1.2.1 should be updated to a newer, fixed version if available.

**Name of the Vulnerable Software and Affected Versions** Task Manager plugin for WordPress versions through 3.0.2 **Description** The Task Manager plugin for WordPress is susceptible to an issue allowing unauthorized access to files. Attackers with Subscriber-level access or higher can potentially read the contents of arbitrary files on the server through the `callback get text from url()` function. This could expose sensitive information. **Recommendations** Update the Task Manager plugin to a version later than 3.0.2.

**Name of the Vulnerable Software and Affected Versions** WPFAQBlock– FAQ & Accordion Plugin For Gutenberg versions up to and including 1.1 **Description** The WPFAQBlock– FAQ & Accordion Plugin For Gutenberg plugin for WordPress has a stored cross-site scripting issue. The issue is due to insufficient input sanitization and output escaping on user-supplied attributes in the `class` parameter of the `wpfaqblock` shortcode. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. **Recommendations** Update WPFAQBlock– FAQ & Accordion Plugin For Gutenberg to a version later than 1.1.

**Name of the Vulnerable Software and Affected Versions** WordPress Task Manager plugin versions up to and including 3.0.2 **Description** The Task Manager plugin for WordPress is susceptible to arbitrary shortcode execution through the 'search' AJAX action. This occurs because of missing capability checks within the `callback search()` function and inadequate input validation. Specifically, shortcode syntax can bypass `sanitize text field()` and is then incorporated into a `do shortcode()` call. This allows authenticated attackers with Subscriber-level access or higher to execute arbitrary shortcodes on the site by injecting shortcode syntax into parameters such as `task id`, `point id`, `categories id`, or `term`. The vulnerable API endpoint is '/wp-admin/admin-ajax.php'. **Recommendations** Update WordPress Task Manager plugin to a version later than 3.0.2.

**Name of the Vulnerable Software and Affected Versions** Outgrow plugin for WordPress versions prior to 2.1 **Description** The Outgrow plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'id' attribute of the 'outgrow' shortcode. This is a result of inadequate input sanitization and output escaping of user-supplied attributes. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages. These scripts will execute when a user accesses the affected page. **Recommendations** Update the Outgrow plugin to a version later than 2.1.

**Name of the Vulnerable Software and Affected Versions** WordPress Content Syndication Toolkit plugin versions prior to 1.4 **Description** The WordPress Content Syndication Toolkit plugin is susceptible to a Server-Side Request Forgery issue. The plugin registers an unauthenticated proxy endpoint, ''wp ajax nopriv redux p'', which accepts a URL from the `url` GET parameter without validation. This parameter is passed to `wp remote request()`, lacking built-in SSRF protection. The absence of authentication checks, nonce verification, and URL restrictions allows attackers to make web requests to arbitrary locations from the web application, potentially enabling access to internal services, network scanning, and interaction with cloud metadata endpoints. **Recommendations** Update to version 1.4 or later.

**Name of the Vulnerable Software and Affected Versions** WordPress Instant Popup Builder versions up to and including 1.1.7 **Description** The Instant Popup Builder plugin for WordPress is susceptible to Unauthenticated Arbitrary Shortcode Execution. This occurs because the `handle email verification page()` function creates a shortcode string from user-provided `token` and `email` GET parameters and passes it to `do shortcode()` without sufficient sanitization of square bracket characters, and lacks authorization checks. The `sanitize text field()` and `esc attr()` functions do not remove or escape square bracket characters. A malicious `token` value containing a ']' character can prematurely close a shortcode tag, allowing unauthenticated attackers to inject and execute arbitrary registered shortcodes. **Recommendations** Update WordPress Instant Popup Builder to a version later than 1.1.7.

**Name of the Vulnerable Software and Affected Versions** ZoomifyWP Free plugin versions prior to 1.2 **Description** The ZoomifyWP Free plugin for WordPress has a Stored Cross-Site Scripting issue. This is due to insufficient input sanitization and output escaping on user-supplied attributes. Specifically, the 'filename' parameter of the 'zoomify' shortcode is affected. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. **Recommendations** Update the ZoomifyWP Free plugin to version 1.2 or later.

**Name of the Vulnerable Software and Affected Versions** The Best-wp-google-map plugin for WordPress versions through 2.1 **Description** The Best-wp-google-map plugin for WordPress is susceptible to Stored Cross-Site Scripting. The issue stems from inadequate input sanitization and output escaping within the `google map view` shortcode. Specifically, the `latitude` and `longitudinal` parameters are vulnerable. Authenticated attackers with Contributor-level access or higher can inject malicious web scripts into pages. These scripts will then execute whenever a user accesses the compromised page. **Recommendations** Update The Best-wp-google-map plugin for WordPress to a version later than 2.1.

**Name of the Vulnerable Software and Affected Versions** Bold Page Builder versions up to and including 5.5.7 **Description** The Bold Page Builder plugin for WordPress is susceptible to Stored Cross-Site Scripting through the `bt bb accordion item` shortcode. This is due to inadequate input sanitization and output escaping of user-supplied attributes. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages. These scripts will execute when a user accesses the affected page. **Recommendations** Update Bold Page Builder to a version later than 5.5.7.

**Name of the Vulnerable Software and Affected Versions** Buy Now Plus – Buy Now buttons for Stripe plugin for WordPress versions prior to 1.0.3 **Description** The Buy Now Plus – Buy Now buttons for Stripe plugin for WordPress is susceptible to Stored Cross-Site Scripting through the `buynowplus` shortcode. Insufficient input sanitization and output escaping on shortcode attributes allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. **Recommendations** Update Buy Now Plus – Buy Now buttons for Stripe plugin for WordPress to version 1.0.3 or later.

**Name of the Vulnerable Software and Affected Versions** CM CSS Columns plugin for WordPress versions prior to 1.2.2 **Description** The CM CSS Columns plugin for WordPress is susceptible to Stored Cross-Site Scripting through the `tag` shortcode attribute. Insufficient input sanitization and output escaping on user-supplied attributes allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. **Recommendations** Update the CM CSS Columns plugin to version 1.2.2 or later.