The JobCareer theme before 2.5.1 for WordPress has stored XSS.

The breadcrumbs-by-menu plugin before 1.0.3 for WordPress has XSS.

admin/includes/class.import.snippet.php in the "Woody ad snippets" plugin before 2.2.5 for WordPress allows unauthenticated options import, as demonstrated by storing an XSS payload for remote code execution.

The easy-pdf-restaurant-menu-upload plugin before 1.1.2 for WordPress has XSS.

The custom-404-pro plugin before 3.2.8 for WordPress has reflected XSS, a different vulnerability than CVE-2019-14789.

The webp-express plugin before 0.14.8 for WordPress has stored XSS.

The wp-ultimate-recipe plugin before 3.12.7 for WordPress has stored XSS.

The simple-mail-address-encoder plugin before 1.7 for WordPress has reflected XSS.

The icegram plugin before 1.10.29 for WordPress has ig_cat_list XSS.

The photoblocks-grid-gallery plugin before 1.1.33 for WordPress has wp-admin/admin.php?page=photoblocks-edit&id= XSS.

The onesignal-free-web-push-notifications plugin before 1.17.8 for WordPress has XSS via the subdomain parameter.

The easy-property-listings plugin before 3.4 for WordPress has XSS.

The woo-variation-gallery plugin before 1.1.29 for WordPress has XSS.

The shapepress-dsgvo plugin before 2.2.19 for WordPress has wp-admin/admin-ajax.php?action=admin-common-settings&admin_email= XSS.

The Jetpack plugin before 3.4.3 for WordPress has XSS via add_query_arg() and remove_query_arg().

iThemes Builder Style Manager before 0.7.7 for WordPress has XSS via add_query_arg() and remove_query_arg().

iThemes Builder Theme Market before 5.1.27 for WordPress has XSS via add_query_arg() and remove_query_arg().

iThemes Builder Theme Depot before 5.0.30 for WordPress has XSS via add_query_arg() and remove_query_arg().

iThemes Mobile before 1.2.8 for WordPress has XSS via add_query_arg() and remove_query_arg().

Table Rate Shipping Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg().