The neuvoo-jobroll plugin 2.0 for WordPress has neuvoo_keywords XSS.

The neuvoo-jobroll plugin 2.0 for WordPress has neuvoo_location XSS.

The users-ultra plugin before 1.5.59 for WordPress has uultra-form-cvs-form-conf arbitrary file upload.

The websimon-tables plugin through 1.3.4 for WordPress has wp-admin/tools.php edit_style id XSS.

The wordpress-meta-robots plugin through 2.1 for WordPress has wp-admin/post-new.php text SQL injection.

The wp-stats-dashboard plugin through 2.9.4 for WordPress has admin/graph_trend.php type SQL injection.

The gocodes plugin through 1.3.5 for WordPress has wp-admin/tools.php gcid SQL injection.

The gocodes plugin through 1.3.5 for WordPress has wp-admin/tools.php deletegc XSS.

The auto-thickbox-plus plugin through 1.9 for WordPress has wp-content/plugins/auto-thickbox-plus/download.min.php?file= XSS.

The users-ultra plugin before 1.5.64 for WordPress has SQL Injection via an ajax action.

The users-ultra plugin before 1.5.63 for WordPress has CSRF via action=package_add_new to wp-admin/admin-ajax.php.

The users-ultra plugin before 1.5.63 for WordPress has XSS via the p_desc parameter.

The users-ultra plugin before 1.5.63 for WordPress has XSS via the p_name parameter.

The wp-listings plugin before 2.0.2 for WordPress has includes/views/single-listing.php XSS.

The sola-support-tickets plugin before 3.13 for WordPress has incorrect access control for /wp-admin with resultant XSS.

The wp-invoice plugin before 4.1.1 for WordPress has wpi_update_user_option privilege escalation.

The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpi_twocheckout payer metadata updates.

The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpi_interkassa payer metadata updates.

The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpi_paypal payer metadata updates.

The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpi_user_id for invoice retrieval.