The mndpsingh287 File Manager plugin V2.9 for WordPress has XSS via the lang parameter in a wp-admin/admin.php?page=wp_file_manager request because set_transient is used in file_folder_manager.php and there is an echo of lang in lib\wpfilemanager.php.

The UserPro plugin through 4.9.23 for WordPress allows XSS via the shortcode parameter in a userpro_shortcode_template action to wp-admin/admin-ajax.php.

The Mondula Multi Step Form plugin through 1.2.5 for WordPress allows XSS via the fw_data [id][1], fw_data [id][2], fw_data [id][3], fw_data [id][4], or email field of the contact form, exploitable with an fw_send_email action to wp-admin/admin-ajax.php.

The Ultimate Member (aka ultimatemember) plugin before 2.0.18 for WordPress has XSS via the wp-admin settings screen.

WordPress version 4.8 + contains a Cross Site Scripting (XSS) vulnerability in plugins.php or core wordpress on delete function that can result in An attacker can perform client side attacks which could be from stealing a cookie to code injection. This attack appear to be exploitable via an attacker must craft an URL with payload and send to the user. Victim need to open the link to be affected by reflected XSS. .

The MULTIDOTS WooCommerce Quick Reports plugin 1.0.6 and earlier for WordPress is vulnerable to Stored XSS. It allows an attacker to inject malicious JavaScript code on the WooCommerce -> Orders admin page. The attack is possible by modifying the "referral_site" cookie to have an XSS payload, and placing an order.

Reflected XSS is possible in the GamePlan theme through 1.5.13.2 for WordPress because of insufficient input sanitization, as demonstrated by the s parameter. In some (but not all) cases, the '<' and '>' characters have &lt; and &gt; representations.

The Tagregator plugin 0.6 for WordPress has stored XSS via the title field in an Add New action.

The Responsive Cookie Consent plugin before 1.8 for WordPress mishandles number fields, leading to XSS.

Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag.

The WP Live Chat Support plugin before 8.0.06 for WordPress has stored XSS via the Name field.

The Iptanus WordPress File Upload plugin before 4.3.4 for WordPress mishandles Settings attributes, leading to XSS.

The Events Manager plugin before 5.8.1.2 for WordPress allows XSS via the events-manager.js mapTitle parameter in the Google Maps miniature.

The Ninja Forms plugin before 3.2.14 for WordPress has XSS.

Bookly #1 WordPress Booking Plugin Lite before 14.5 has XSS via a jQuery.ajax request to ng-payment_details_dialog.js.

The PropertyHive plugin before 1.4.15 for WordPress has XSS via the body parameter to includes/admin/views/html-preview-applicant-matches-email.php.

The acx_asmw_saveorder_callback function in function.php in the acurax-social-media-widget plugin before 3.2.6 for WordPress has CSRF via the recordsArray parameter to wp-admin/admin-ajax.php, with resultant social_widget_icon_array_order XSS.

WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement).

The download-manager plugin before 2.9.52 for WordPress has XSS via the id parameter in a wpdm_generate_password action to wp-admin/admin-ajax.php.

An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php form_field5[label] parameter.