CVE-2020-9392: WordPress plugin vulnerability

An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. Because there is no permission check on the ImportJSONTable, createFromTpl, and getJSONExportTable endpoints, unauthenticated users can retrieve pricing table information, create new tables, or import/modify a table.

References:
www.wordfence.com/blog/2020/02/multiple-vulnerabilities-patched-in-pricing-table-by-supsystic-plugin/

CVE-2020-9371: WordPress plugin vulnerability

Stored XSS exists in the Appointment Booking Calendar plugin before 1.3.35 for WordPress. In the cpabc_appointments.php file, the Calendar Name input could allow attackers to inject arbitrary JavaScript or HTML.

References:
packetstormsecurity.com/files/156694/WordPress-Appointment-Booking-Calendar-1.3.34-CSV-Injection.html
drive.google.com/open?id=1NNcYPaJir9SleyVr4cSPqpI2LNM7rtx9
wordpress.org/plugins/appointment-booking-calendar/#developers
wpvulndb.com/vulnerabilities/10110
www.hotdreamweaver.com/support/view.php?id=815925