Zhuxuan Wu

**Name of the Vulnerable Software and Affected Versions** The Booking for Appointments and Events Calendar – Amelia plugin for WordPress versions up to, and including, 1.2.19 **Description** The issue allows unauthenticated attackers to retrieve the full path of the web application, which can aid other attacks. The information displayed is not useful on its own and requires another vulnerability to be present for damage to an affected website. The `wpAmeliaApiCall` function is involved in this issue. **Recommendations** For versions up to, and including, 1.2.19, update to a version that fixes this issue. As a temporary workaround, consider restricting access to the `wpAmeliaApiCall` function until a patch is available.

Name of the Vulnerable Software and Affected Versions: Download Manager plugin for WordPress versions up to and including 3.3.08 Description: The issue allows authenticated attackers with Author-level access or higher to overwrite certain file types outside the original directory via the `wpdm newfile` action, potentially causing a denial of service. This is a result of a Directory Traversal vulnerability. Recommendations: For Download Manager plugin for WordPress versions up to and including 3.3.08, update to a version later than 3.3.08 to resolve the issue. As a temporary workaround, consider restricting access to the `wpdm newfile` action to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Any23 versions prior to 2.5 **Description** An XML external entity (XXE) injection issue was discovered in the Any23 StreamUtils.java file. This is a web security issue that allows an attacker to interfere with an application's processing of XML data, potentially enabling them to view files on the application server filesystem and interact with back-end or external systems accessible by the application. **Recommendations** For versions prior to 2.5, update to version 2.5 or later to resolve the issue. As a temporary workaround, consider restricting the processing of XML data to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Any23 versions prior to 2.5 **Description** A Remote Code Execution (RCE) vulnerability was discovered in the Any23 YAMLExtractor.java file. This issue allows a malicious actor to execute any code of their choice on a remote machine over LAN, WAN, or internet. RCE belongs to the broader class of arbitrary code execution (ACE) vulnerabilities. **Recommendations** For versions prior to 2.5, update to version 2.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the YAMLExtractor.java file until a patch is available.