Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag.

Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server.

Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS.

WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach.

exports/download.php in the 99 Robots WP Background Takeover Advertisements plugin before 4.1.5 for WordPress has Directory Traversal via a .. in the filename parameter.

Cross-site scripting (XSS) vulnerability in the new_Twitter_sign_button function in nextend-Twitter-connect.php in the Nextend Twitter Connect plugin before 1.5.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the redirect_to parameter. NOTE: this may overlap CVE-2015-4413.

The EZPZ One Click Backup (ezpz-one-click-backup) plugin 12.03.10 and earlier for WordPress allows remote attackers to execute arbitrary commands via the cmd parameter to functions/ezpz-archive-cmd.php.

The Group creation process in the Buddypress plugin before 1.9.2 for WordPress allows remote authenticated users to gain control of arbitrary groups by leveraging a missing permissions check.

The WP Live Chat Support plugin before 8.0.06 for WordPress has stored XSS via the Name field.

The Iptanus WordPress File Upload plugin before 4.3.4 for WordPress mishandles Settings attributes, leading to XSS.

Cross-site request forgery (CSRF) vulnerability in WP Security Audit Log plugin before 1.2.5 for WordPress allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

Cross-site request forgery (CSRF) vulnerability in the Brute Force Login Protection module 1.3 for WordPress allows remote attackers to hijack the authentication of unspecified users for requests that have unknown impact via a crafted request to the brute-force-login-protection page to wp-admin/options-general.php.

CSV Injection vulnerability in ExportToCsvUtf8.php of the Contact Form 7 to Database Extension plugin 2.10.32 for WordPress allows remote attackers to inject spreadsheet formulas into CSV files via the contact form.

Cross-site scripting (XSS) vulnerability in lib/interface.php of the Relevanssi plugin 4.0.4 for WordPress allows remote attackers to inject arbitrary JavaScript or HTML via the tab GET parameter.

An issue was discovered in the WP Security Audit Log plugin 3.1.1 for WordPress. Access to wp-content/uploads/wp-security-audit-log/* files is not restricted. For example, these files are indexed by Google and allows for attackers to possibly find sensitive information.

The Iptanus WordPress File Upload plugin before 4.3.3 for WordPress mishandles shortcode attributes.

Cross-site scripting (XSS) vulnerability in class-s2-list-table.php in the Subscribe2 plugin before 10.16 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ip parameter.

Cross-site scripting (XSS) vulnerability in installer/build/view.step4.php of the SnapCreek Duplicator plugin 1.2.32 for WordPress allows remote attackers to inject arbitrary JavaScript or HTML via the json parameter.

The Events Manager plugin before 5.8.1.2 for WordPress allows XSS via the events-manager.js mapTitle parameter in the Google Maps miniature.

Cross-site request forgery (CSRF) vulnerability in inc/AdminPage.php in the WP HTML Sitemap plugin 1.2 for WordPress allows remote attackers to hijack the authentication of administrators for requests that delete the sitemap via a request to the wp-html-sitemap page in wp-admin/options-general.php.