The Post Snippets WordPress plugin before 3.1.4 does not have CSRF check when importing files, allowing attacker to make a logged In admin import arbitrary…

The Maps Plugin using Google Maps for WordPress plugin before 1.8.1 does not have proper authorisation and CSRF in most of its AJAX actions, which…

The WP User WordPress plugin before 7.0 does not sanitise and escape some parameters in pages where the [wp_user] shortcode is used, leading to Reflected…

The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 5.5 does not have authorisation and CSRF checks in the updateIpAddress AJAX action, allowing any…

The Maps Plugin using Google Maps for WordPress plugin before 1.8.4 does not have CSRF checks in most of its AJAX actions, which could allow…

The WHMCS Bridge WordPress plugin before 6.4b does not sanitise and escape the error parameter before outputting it back in admin dashboard, leading to a…

The Yoast SEO WordPress plugin before 17.3 discloses the full internal path of featured images in posts via the wp/v2/posts REST endpoints which could help…

The WP-Paginate WordPress plugin before 2.1.4 does not sanitise and escape its preset settings, allowing high privilege users such as admin to perform Cross-Site Scripting…

The WP Accessibility Helper (WAH) WordPress plugin before 0.6.0.7 does not sanitise and escape the wahi parameter before outputting back its base64 decode value in…

The WP RSS Aggregator WordPress plugin before 4.20 does not sanitise and escape the id parameter in the wprss_fetch_items_row_action AJAX action before outputting it back…