CVE-2023-4836 – User Private Files – IDOR to Sensitive data and private files exposure / leak of info – POC

While conducting a comprehensive evaluation of the User Private Files plugin, a significant security vulnerability was identified: Insecure Direct Object References (IDOR). This vulnerability allows malicious actors to access someone else’s folders, download files without consent, and potentially expose sensitive data. Even users who have never shared their files are at risk. The flaw can be exploited by users with minimal privileges: by “Subscribers,” provided that a page with the plugin’s shortcode exists on the website, or by “Contributors” when creating a page with the plugin.

CVE-2023-5237 – Memberlite Shortcodes – Stored XSS via shortcode

During a comprehensive assessment of the Memberlite Shortcodes plugin, a critical vulnerability was uncovered. This vulnerability enables threat actors to execute Stored Cross-Site Scripting (XSS) attacks by leveraging a shortcode within a new post. This security flaw has the potential to result in an account takeover, particularly when exploited by a contributor.

CVE-2023-5307 – Photos and Files Contest Gallery – Contact Form < 21.2.8.1 – Unauthenticated Stored XSS via HTTP Headers

During the rigorous testing of the Photos and Files Contest Gallery – Contact Form plugin, a critical vulnerability was identified. It allows unauthorized users to trigger Stored Cross-Site Scripting (XSS) and subsequently elevate their privileges to the administrator role. The root cause of this vulnerability lies in X-Forwarded-For header injection.