v3xx

Name of the Vulnerable Software and Affected Versions: Blocksy versions 2.0.22 and earlier Description: A Cross-Site Request Forgery (CSRF) issue allows unauthorized actions to be performed on behalf of a user. This can be exploited by an attacker to perform actions without the user's knowledge or consent. The issue affects the Blocksy software, allowing for Cross-Site Request Forgery. Recommendations: For versions 2.0.22 and earlier, update to a version later than 2.0.22 to resolve the issue. At the moment, there is no information about additional mitigation measures for this issue.

**Name of the Vulnerable Software and Affected Versions** wpDiscuz versions n/a through 7.6.3 **Description** The issue is related to a Missing Authorization vulnerability in wpDiscuz, which allows exploiting incorrectly configured access control security levels. **Recommendations** For versions n/a through 7.6.3, update to a version later than 7.6.3 to resolve the issue. At the moment, there is no information about additional mitigation measures for this specific vulnerability.

**Name of the Vulnerable Software and Affected Versions** JS Help Desk – Best Help Desk & Support Plugin versions n/a through 2.7.1 **Description** The issue affects the JS Help Desk plugin, allowing exploitation of incorrectly configured access control security levels due to a missing authorization vulnerability. This vulnerability exploits broken access control, potentially risking unauthorized access. **Recommendations** Update to the latest version to secure your site and mitigate risks associated with broken access control.

**Name of the Vulnerable Software and Affected Versions** JS Help Desk – Best Help Desk & Support Plugin versions prior to 2.7.1 **Description** The issue affects the JS Help Desk – Best Help Desk & Support Plugin, allowing exploitation of incorrectly configured access control security levels due to a missing authorization vulnerability. This vulnerability enables unauthenticated settings changes. **Recommendations** For versions prior to 2.7.1, update to version 2.7.1 or later to secure your site. As a temporary workaround, consider restricting access to settings changes until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Code4Life Database for CF7 versions 1.2.4 and earlier **Description** The issue is related to a Missing Authorization vulnerability, which allows exploiting incorrectly configured access control security levels. **Recommendations** For Code4Life Database for CF7 versions 1.2.4 and earlier, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** YMC Filter & Grids versions 2.8.33 and earlier **Description** The issue is related to a Missing Authorization vulnerability, which allows accessing functionality not properly constrained by ACLs. **Recommendations** For YMC Filter & Grids versions 2.8.33 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cooked Pro versions prior to 1.8.0 **Description** The issue is a Cross-Site Request Forgery (CSRF) vulnerability that allows Cross Site Request Forgery. This problem involves CSRF attacks. **Recommendations** For versions prior to 1.8.0, update to version 1.8.0 or later to resolve the issue. As a temporary workaround, consider implementing CSRF token validation to prevent unauthorized requests. Restrict access to sensitive functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Cooked Pro versions prior to 1.8.0 **Description** The issue is related to an Unrestricted Upload of File with Dangerous Type, which affects the Cooked Pro software. This allows for the upload of files with potentially dangerous types without proper restrictions. **Recommendations** For versions prior to 1.8.0, update to version 1.8.0 or later to resolve the issue. As a temporary workaround, consider restricting file uploads to only necessary and safe file types until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** Cooked Pro versions prior to 1.8.0 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). This allows for Stored XSS, where an attacker can inject malicious scripts into a website, potentially affecting users who access the compromised page. **Recommendations** For versions prior to 1.8.0, update to version 1.8.0 or later to resolve the issue. As a temporary workaround, consider restricting user input to minimize the risk of exploitation. Avoid using potentially vulnerable features in Cooked Pro until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Cooked plugin for WordPress versions up to, and including, 1.8.0 **Description** The issue is related to Persistent Cross-Site Scripting (XSS) via the `[cooked-timer]` shortcode due to insufficient input sanitization and output escaping. This allows authenticated attackers with subscriber-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. **Recommendations** For Cooked plugin for WordPress versions up to, and including, 1.8.0, upgrade to release version 1.8.1 to address the issue.

**Name of the Vulnerable Software and Affected Versions** YMC Filter & Grids versions through 2.9.2 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). This allows for Stored XSS attacks. **Recommendations** For versions through 2.9.2, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cooked plugin for WordPress versions up to, and including, 1.7.15.4 **Description** The issue is related to Cross-Site Request Forgery (CSRF) due to missing or incorrect nonce validation on the AJAX action handler. This could allow an attacker to trick users into performing unintended actions under their current authentication. The problem has been addressed in release version 1.8.0. **Recommendations** For versions up to, and including, 1.7.15.4, upgrade to release version 1.8.0 to resolve the issue. As a temporary workaround, consider restricting access to the AJAX action handler until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** Cooked plugin for WordPress versions up to, and including, 1.7.15.4 **Description** The issue is related to Cross-Site Request Forgery (CSRF) due to missing or incorrect nonce validation on the AJAX action handler. This could allow an attacker to trick users into performing unintended actions under their current authentication. The problem has been addressed in release version 1.8.0. **Recommendations** For versions up to, and including, 1.7.15.4, upgrade to release version 1.8.0 to resolve the issue. As a temporary workaround, consider restricting access to the AJAX action handler until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** Cooked plugin for WordPress versions up to, and including, 1.7.15.4 **Description** The issue is related to Cross-Site Request Forgery (CSRF) due to missing or incorrect nonce validation on the AJAX action handler. This could allow an attacker to trick users into performing unintended actions under their current authentication. **Recommendations** For versions up to, and including, 1.7.15.4, upgrade to release version 1.8.0 to address the issue. As a temporary workaround, consider restricting access to the AJAX action handler until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** Cooked plugin for WordPress versions up to, and including, 1.7.15.4 **Description** The Cooked plugin for WordPress is vulnerable to HTML Injection due to insufficient input sanitization and output escaping. This issue allows authenticated attackers with contributor-level access and above to inject arbitrary HTML in pages that will be shown whenever a user accesses a compromised page. **Recommendations** For versions up to, and including, 1.7.15.4, upgrade to release version 1.8.0 to address the issue.

**Name of the Vulnerable Software and Affected Versions** Cooked versions up to, and including, 1.7.15.4 **Description** The Cooked plugin for WordPress is affected by a Cross-Site Request Forgery (CSRF) issue due to missing or incorrect nonce validation on the AJAX action handler. This could allow an attacker to trick users into performing unintended actions under their current authentication. **Recommendations** For versions up to, and including, 1.7.15.4, upgrade to release version 1.8.0 to address the issue. As a temporary workaround, consider restricting access to the AJAX action handler until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** Goya theme for WordPress versions up to, and including, 1.0.8.7 **Description** The issue is related to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages via the `attra-color`, `attra-size`, and `product-cata` parameters. Attackers can exploit this by tricking a user into performing an action such as clicking on a link. **Recommendations** For versions up to, and including, 1.0.8.7, consider updating to a version that addresses the insufficient input sanitization and output escaping issue. As a temporary workaround, consider restricting the use of the `attra-color`, `attra-size`, and `product-cata` parameters until a patch is available. Avoid using these parameters in sensitive operations until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** The Cooked Pro recipe plugin for WordPress versions up to, and including, 1.7.15.4 **Description** The issue is related to Persistent Cross-Site Scripting (XSS) via the ` recipe settings[post title]` parameter due to insufficient input sanitization and output escaping. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. **Recommendations** For versions up to, and including, 1.7.15.4, update to version 1.8.0, which includes the patch for this issue. As a temporary workaround, consider restricting access to the ` recipe settings[post title]` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Adifier System versions prior to 3.1.4 **Description** The issue is related to an Improper Limitation of a Pathname to a Restricted Directory, also known as 'Path Traversal', which allows PHP Local File Inclusion in the Adifier System. This can potentially lead to unauthorized access to sensitive files. **Recommendations** For versions prior to 3.1.4, update to version 3.1.4 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive files and directories to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** xtemos WoodMart versions n/a through 7.0.4 **Description** The issue affects the xtemos WoodMart, allowing for Cross-Site Scripting (XSS) due to improper authentication and neutralization of input during web page generation. **Recommendations** For versions n/a through 7.0.4, update to a version later than 7.0.4 to resolve the issue.