Zhangyunpei

**Name of the Vulnerable Software and Affected Versions** Font Awesome 4 Menus WordPress plugin versions prior to 4.7.1 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in a multisite setup. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 4.7.1, update to version 4.7.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the plugin's settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Seed Social WordPress plugin versions prior to 2.0.4 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in a multisite setup. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 2.0.4, update to version 2.0.4 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high privilege users to access and modify the plugin's settings until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Video List Manager WordPress plugin versions 1.7 and earlier **Description** The issue is related to a SQL injection that occurs due to improper sanitization and escaping of a parameter before it is used in a SQL statement. This can be exploited by high-privilege users, such as administrators. **Recommendations** For Video List Manager WordPress plugin versions 1.7 and earlier, update to a version that properly sanitizes and escapes parameters used in SQL statements to prevent SQL injection.

**Name of the Vulnerable Software and Affected Versions** The EU Cookie Law for GDPR/CCPA WordPress plugin versions 3.1.6 and earlier **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example in multisite setups. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions 3.1.6 and earlier, update to a version later than 3.1.6 to resolve the issue. As a temporary workaround, consider restricting the `unfiltered html` capability to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Multi Step Form WordPress plugin versions prior to 1.7.8 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in a multisite setup. This is due to the plugin not sanitizing and escaping some of its form fields. **Recommendations** For versions prior to 1.7.8, update to version 1.7.8 or later to resolve the issue. As a temporary workaround, consider restricting the use of the plugin's form fields to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** 404 to Start WordPress plugin versions 1.6.1 and earlier **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example in multisite setups. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions 1.6.1 and earlier, consider disabling the plugin until a patch is available to prevent potential Stored Cross-Site Scripting attacks. Restrict access to the plugin's settings to minimize the risk of exploitation. Avoid using the plugin in multisite setups where the unfiltered html capability is disallowed until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** WP Social Sharing WordPress plugin versions through 2.2 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This is possible because some settings are not properly sanitised and escaped, and the attack can occur even when the unfiltered html capability is disallowed, for example in a multisite setup. **Recommendations** For WP Social Sharing WordPress plugin versions through 2.2, update to a version that properly sanitises and escapes its settings to prevent Stored Cross-Site Scripting attacks.

**Name of the Vulnerable Software and Affected Versions** Login for Google Apps WordPress plugin versions prior to 3.4.5 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example in multisite setups. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 3.4.5, update to version 3.4.5 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high privilege users to access and modify the plugin's settings until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Kwayy HTML Sitemap WordPress plugin versions prior to 4.0 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in a multisite setup. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 4.0, update to version 4.0 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high-privilege users to modify plugin settings until the update is applied.

**Name of the Vulnerable Software and Affected Versions** The Sliderby10Web WordPress plugin versions prior to 1.2.53 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example in multisite setups. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 1.2.53, update to version 1.2.53 or later to resolve the issue. As a temporary workaround, consider restricting the use of the plugin's settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Simple Basic Contact Form WordPress plugin versions prior to 20221201 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in a multisite setup. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 20221201, update to version 20221201 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high privilege users to modify plugin settings until the update is applied.

**Name of the Vulnerable Software and Affected Versions** External Media WordPress plugin versions prior to 1.0.36 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example in multisite setups. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 1.0.36, update to version 1.0.36 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high privilege users to modify plugin settings until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Jetpack CRM WordPress plugin versions prior to 5.4.3 **Description** The issue allows high privilege users, such as admins, to perform cross-Site Scripting attacks due to the lack of sanitization and escaping of its settings. This can occur even when the unfiltered html capability is disallowed. **Recommendations** For versions prior to 5.4.3, update to version 5.4.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings for high privilege users until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Livemesh Addons for Elementor WordPress plugin versions prior to 7.2.4 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example in multisite setups. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 7.2.4, update to version 7.2.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the plugin's settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WPUpper Share Buttons WordPress plugin versions 3.42 and earlier **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example in multisite setups. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions 3.42 and earlier, update to a version that addresses the sanitization and escaping of settings to prevent Stored Cross-Site Scripting attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Uji Countdown WordPress plugin versions prior to 2.3.1 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in a multisite setup. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 2.3.1, update to version 2.3.1 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high privilege users to access and modify the plugin's settings until the update is applied.

**Name of the Vulnerable Software and Affected Versions** The Fancier Author Box by ThematoSoup WordPress plugin versions prior to 1.5 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This can occur even when the unfiltered html capability is disallowed, for example in a multisite setup. The problem arises because some settings are not properly sanitised and escaped. **Recommendations** For versions prior to 1.5, update to version 1.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** reCAPTCHA WordPress plugin versions prior to 1.6 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This is possible because the plugin does not properly sanitise and escape some of its settings, even when the unfiltered html capability is disallowed, for example in a multisite setup. **Recommendations** For versions prior to 1.6, update to version 1.6 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high privilege users to access and modify the plugin's settings until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Video Thumbnails WordPress plugin versions 2.12.3 and earlier **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example in a multisite setup. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For Video Thumbnails WordPress plugin versions 2.12.3 and earlier, update to a version that addresses this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Google Forms WordPress plugin versions 0.95 and earlier **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This can occur even when the unfiltered html capability is disallowed, for example, in a multisite setup. **Recommendations** For Google Forms WordPress plugin versions 0.95 and earlier, update to a version that addresses the sanitization and escaping of its settings to prevent Stored Cross-Site Scripting attacks.