The FACSChorus software contains sensitive information stored in plaintext. A threat actor could gain hardcoded secrets used by the application, which include tokens and passwords for administrative accounts.

The FACSChorus workstation does not prevent physical access to its PCI express (PCIe) slots, which could allow a threat actor to insert a PCI card designed for memory capture. A threat actor can then isolate sensitive information such as a BitLocker encryption key from a dump of the workstation RAM during startup.

The Operating System hosting the FACSChorus application is configured to allow transmission of hashed user credentials upon user action without adequately validating the identity of the requested resource. This is possible through the use of LLMNR, MBT-NS, or MDNS and will result in NTLMv2 hashes being sent to a malicious entity position on the local network. These hashes can subsequently be attacked through brute force and cracked if a weak password is used. This attack would only apply to domain joined systems.

There is no BIOS password on the FACSChorus workstation. A threat actor with physical access to the workstation can potentially exploit this vulnerability to access the BIOS configuration and modify the drive boot order and BIOS pre-boot authentication.

The FACSChorus workstation operating system does not restrict what devices can interact with its USB ports. If exploited, a threat actor with physical access to the workstation could gain access to system information and potentially exfiltrate data.

The WooHoo Newspaper Magazine theme does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Cross-Site Request Forgery (CSRF) vulnerability in Labib Ahmed Image Hover Effects – WordPress Plugin.This issue affects Image Hover Effects – WordPress Plugin: from n/a through 5.5.

Cross-Site Request Forgery (CSRF) vulnerability in Lukman Nakib Preloader Matrix.This issue affects Preloader Matrix: from n/a through 2.0.1.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Rolf van Gelder Order Your Posts Manually allows SQL Injection.This issue affects Order Your Posts Manually: from n/a through 2.2.5.

Cross-Site Request Forgery (CSRF) vulnerability in Jules Colle, BDWM Responsive Gallery Grid plugin <= 2.3.10 versions.