The wp-polls plugin before 2.72 for WordPress has SQL injection.

The feed-them-social plugin before 1.7.0 for WordPress has possible shortcode execution in the Facebook Feeds load more button.

The feed-them-social plugin before 1.7.0 for WordPress has reflected XSS in the Facebook Feeds load more button.

The sell-downloads plugin before 1.0.8 for WordPress has insufficient restrictions on brute-force guessing of purchase IDs.

The pie-register plugin before 3.1.2 for WordPress has SQL injection, a different issue than CVE-2018-10969.

The insert-or-embed-articulate-content-into-wordpress plugin before 4.2999 for WordPress has insufficient restrictions on file upload.

The insert-or-embed-articulate-content-into-wordpress plugin before 4.29991 for WordPress has insufficient restrictions on deleting or renaming by a Subscriber.

The groundhogg plugin before 1.3.5 for WordPress has wp-admin/admin-ajax.php?action=bulk_action_listener remote code execution.

The rsvpmaker plugin before 6.2 for WordPress has SQL injection.

The zoho-salesiq plugin before 1.0.9 for WordPress has CSRF.

The zoho-salesiq plugin before 1.0.9 for WordPress has stored XSS.

The ultimate-faqs plugin before 1.8.22 for WordPress has XSS.

The bbp-move-topics plugin before 1.1.6 for WordPress has CSRF.

The bbp-move-topics plugin before 1.1.6 for WordPress has code injection.

The rsvpmaker plugin before 5.6.4 for WordPress has SQL injection.

The buddyforms plugin before 2.2.8 for WordPress has SQL injection.

The js-support-ticket plugin before 2.0.6 for WordPress has CSRF.

The anycomment plugin before 0.0.33 for WordPress has XSS.

The timesheet plugin before 0.1.5 for WordPress has multiple XSS issues.

The woocommerce-exporter plugin before 1.8.4 for WordPress has privilege escalation.