Yuki Haruma

**Name of the Vulnerable Software and Affected Versions** Acato Branded Social Images versions 1.1.0 and earlier **Description** The issue is related to a Missing Authorization vulnerability, which allows exploiting incorrectly configured access control security levels. **Recommendations** For Acato Branded Social Images versions 1.1.0 and earlier, update to a version that fixes the Missing Authorization issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Display custom fields in the frontend – Post and User Profile Fields versions 1.2.0 and earlier **Description** The issue is related to a Missing Authorization vulnerability, which allows exploiting incorrectly configured access control security levels. This can lead to unauthorized access due to missing security checks. **Recommendations** For Display custom fields in the frontend – Post and User Profile Fields versions 1.2.0 and earlier, consider restricting access to custom fields in the frontend until a proper authorization mechanism is implemented. As a temporary workaround, review and manually configure access control security levels to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NervyThemes SKU Label Changer For WooCommerce versions 3.0 and earlier **Description** The issue is related to a Missing Authorization vulnerability. This vulnerability affects NervyThemes SKU Label Changer For WooCommerce, allowing unauthorized access. **Recommendations** For versions 3.0 and earlier, update to a version that includes a fix for this issue, as no specific workaround is provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Imran Sayed Headless CMS versions n/a through 2.0.3 **Description** The issue is related to a Missing Authorization vulnerability. **Recommendations** For versions n/a through 2.0.3, update to a version later than 2.0.3 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** File Manager plugin for WordPress versions up to, and including, 7.2.1 **Description** The issue is related to Sensitive Information Exposure due to insufficient randomness in backup filenames, which are generated using a timestamp plus 4 random digits. This allows unauthenticated attackers to extract sensitive data, including site backups, in configurations where the .htaccess file does not block access to the directory. **Recommendations** For versions up to, and including, 7.2.1, update to a version later than 7.2.1 to resolve the issue. As a temporary workaround, consider restricting access to the backup directory by configuring the .htaccess file to block unauthorized access.

**Name of the Vulnerable Software and Affected Versions** Foxskav Easy Bet versions 1.0.2 and earlier **Description** The issue is related to an Improper Neutralization of Special Elements used in an SQL Command, also known as 'SQL Injection'. This allows attackers to inject malicious SQL code, potentially leading to unauthorized access or modification of data. **Recommendations** For versions 1.0.2 and earlier, update to a version that fixes the SQL Injection vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cleverwise Daily Quotes versions 3.2 and earlier **Description** The issue is a Cross-Site Request Forgery (CSRF) vulnerability that allows Stored XSS. This means an attacker can trick a user into performing unintended actions on a web application, potentially leading to the execution of malicious scripts stored on the server. **Recommendations** For versions 3.2 and earlier, update to a version that includes a fix for this issue, as no specific mitigation measures are provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Marios Alexandrou Enhanced Plugin Admin plugin versions <= 1.16 **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For Marios Alexandrou Enhanced Plugin Admin plugin versions <= 1.16, update to a version higher than 1.16 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Robin Phillips Mobile Banner plugin versions 1.5 and earlier **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For Robin Phillips Mobile Banner plugin versions 1.5 and earlier, update to a version later than 1.5 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** LOKALYZE CALL ME NOW plugin versions <= 3.0 **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. No information is provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. **Recommendations** For versions <= 3.0, update to a version higher than 3.0 to resolve the issue. At the moment, there is no information about other mitigation measures.

**Name of the Vulnerable Software and Affected Versions** JoomSky JS Job Manager plugin versions <= 2.0.0 **Description** The issue is a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For JoomSky JS Job Manager plugin versions <= 2.0.0, update to a version greater than 2.0.0 to resolve the issue. As a temporary workaround, consider implementing additional CSRF protection measures, such as token-based validation, to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Faraz Quazi Floating Action Button plugin versions 1.2.1 and earlier **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. No information is provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For versions 1.2.1 and earlier, update to a version later than 1.2.1 to resolve the issue. As a temporary workaround, consider implementing CSRF token validation to prevent unauthorized requests. Restrict access to sensitive functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Brett Shumaker Simple Staff List plugin versions 2.2.3 and earlier **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability can be exploited by authenticated users with editor or higher privileges. **Recommendations** For versions 2.2.3 and earlier, update to a version later than 2.2.3 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** XootiX Side Cart Woocommerce (Ajax) plugin versions prior to 2.3 **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that requires authentication with admin+ privileges. **Recommendations** For versions prior to 2.3, update to version 2.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** David Artiss Plugins List plugin versions <= 2.5 **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that requires authentication with admin or higher privileges. **Recommendations** For David Artiss Plugins List plugin versions <= 2.5, update to a version higher than 2.5 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** All My Web Needs Logo Scheduler plugin versions 1.2.0 and earlier **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that affects authenticated administrators. This vulnerability allows for malicious scripts to be stored on the server and executed when accessed by other users, potentially leading to unauthorized actions or data theft. No information is provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. **Recommendations** For versions 1.2.0 and earlier, update to a version later than 1.2.0 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's administrative interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Dave's WordPress Live Search plugin versions prior to 4.8.1 **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that requires authentication with admin+ privileges. **Recommendations** For versions prior to 4.8.1, update to a version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** M Williams Cab Grid plugin versions prior to 1.5.16 **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that requires authentication with admin+ privileges. **Recommendations** For versions prior to 1.5.16, update to version 1.5.16 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Easy Slider Revolution plugin versions prior to 1.0.0 **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability. This type of vulnerability allows an attacker to inject malicious scripts into a website, which can then be executed by other users. The estimated number of potentially affected devices and details about real-world incidents are not provided. **Recommendations** For versions prior to 1.0.0, update to a version that contains a fix for this issue. If no specific fix is provided for the version, consider disabling the plugin until a patch is available. Restrict access to the plugin's functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PHPRADAR Woocommerce Tip/Donation plugin versions <= 1.2 **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that affects authenticated users with shop manager or higher privileges. This vulnerability allows an attacker to inject malicious scripts into the application, potentially leading to unauthorized access or data theft. No information is provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. **Recommendations** For PHPRADAR Woocommerce Tip/Donation plugin versions <= 1.2, update to a version higher than 1.2 to resolve the issue. At the moment, there is no information about additional mitigation measures for this vulnerability.