The All In One WP Security & Firewall WordPress plugin before 4.4.11 does not validate, sanitise and escape the redirect_to parameter before using it to…

The Ad Invalid Click Protector (AICP) WordPress plugin before 1.2.7 does not have CSRF check deleting banned users, which could allow attackers to make a…

The Event List WordPress plugin before 0.8.8 does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform…

The Content Egg WordPress plugin before 5.3.0 does not sanitise and escape the page parameter before outputting back in an attribute in the Autoblogging admin…

The AdRotate WordPress plugin before 5.8.23 does not escape Group Names, which could allow high privilege users to perform Cross-Site Scripting attacks even when the…

The AdRotate WordPress plugin before 5.8.23 does not sanitise and escape Advert Names which could allow high privilege users to perform Cross-Site Scripting attacks even…

The SiteSuperCharger WordPress plugin before 5.2.0 does not validate, sanitise and escape various user inputs before using them in SQL statements via AJAX actions (available…

The Documentor WordPress plugin through 1.5.3 fails to sanitize and escape user input before it is being interpolated in an SQL statement and then executed,…

The Multiple Shipping Address Woocommerce WordPress plugin before 2.0 does not properly sanitise and escape numerous parameters before using them in SQL statements via some…

The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not…