Zulu Capwn

**Name of the Vulnerable Software and Affected Versions** Admission AppManager plugin for WordPress version 1.0.0 and earlier **Description** The issue is related to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages by tricking a user into performing an action, such as clicking on a link, via the `q` parameter. **Recommendations** For Admission AppManager plugin for WordPress version 1.0.0 and earlier, update to a version that addresses the insufficient input sanitization and output escaping issue. As a temporary workaround, consider restricting access to the `q` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Slideshow, Image Slider by 2J plugin for WordPress versions up to, and including, 1.3.54 **Description** The issue is related to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts in pages. This can be achieved by tricking a user into performing an action, such as clicking on a link, via the `post` parameter. **Recommendations** For versions up to, and including, 1.3.54, update to a version that addresses the insufficient input sanitization and output escaping issue to prevent Reflected Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the `post` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Contact Form 7 plugin for WordPress versions up to, and including, 1.1.1 **Description** The Admin side data storage for the Contact Form 7 plugin is vulnerable to SQL Injection via the `form-id` parameter due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. **Recommendations** For Contact Form 7 plugin for WordPress versions up to, and including, 1.1.1, consider updating to a version that addresses this issue, as no specific workaround is provided for these versions. As a temporary workaround, consider restricting access to the `form-id` parameter in the affected API endpoint until a patch is available. Avoid using the `form-id` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Contact Form 7 plugin for WordPress versions up to, and including, 1.1.1 **Description** The Admin side data storage for the Contact Form 7 plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the settings update function. This allows unauthenticated attackers to update the plugin's settings via a forged request if they can trick a site administrator into performing an action such as clicking on a link. **Recommendations** For versions up to, and including, 1.1.1, update to a version that includes the fix for the missing or incorrect nonce validation on the settings update function. As a temporary workaround, consider restricting access to the settings update function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Contact Form 7 plugin for WordPress versions up to, and including, 1.1.1 **Description** The Admin side data storage is vulnerable to unauthorized modification of data due to a missing capability check on the `zt dcfcf change bookmark()` function. This makes it possible for unauthenticated attackers to alter bookmark statuses. **Recommendations** For versions up to, and including, 1.1.1, consider disabling the `zt dcfcf change bookmark()` function until a patch is available to prevent unauthorized modification of data.

**Name of the Vulnerable Software and Affected Versions** Contact Form 7 plugin for WordPress versions up to, and including, 1.1.1 **Description** The Admin side data storage for the Contact Form 7 plugin is vulnerable to unauthorized modification of data due to a missing capability check on the `zt dcfcf change status()` function. This allows unauthenticated attackers to alter the message read status of messages. **Recommendations** For versions up to, and including, 1.1.1, update to a version that includes a fix for the missing capability check in the `zt dcfcf change status()` function. As a temporary workaround, consider disabling the `zt dcfcf change status()` function until a patch is available.