The xpinner-lite plugin through 2.2 for WordPress has xpinner-lite.php XSS.

The wp-piwik plugin before 1.0.5 for WordPress has XSS.

The neuvoo-jobroll plugin 2.0 for WordPress has neuvoo_keywords XSS.

The neuvoo-jobroll plugin 2.0 for WordPress has neuvoo_location XSS.

The websimon-tables plugin through 1.3.4 for WordPress has wp-admin/tools.php edit_style id XSS.

The gocodes plugin through 1.3.5 for WordPress has wp-admin/tools.php deletegc XSS.

The auto-thickbox-plus plugin through 1.9 for WordPress has wp-content/plugins/auto-thickbox-plus/download.min.php?file= XSS.

The users-ultra plugin before 1.5.63 for WordPress has XSS via the p_desc parameter.

The users-ultra plugin before 1.5.63 for WordPress has XSS via the p_name parameter.

The wp-listings plugin before 2.0.2 for WordPress has includes/views/single-listing.php XSS.

The sola-support-tickets plugin before 3.13 for WordPress has incorrect access control for /wp-admin with resultant XSS.

The instalinker plugin before 1.1.2 for WordPress has includes/instalinker-admin-preview.php?client_id= XSS.

The user-submitted-posts plugin before 20160215 for WordPress has XSS via the user-submitted-content field.

The Goodnews theme through 2016-02-28 for WordPress has XSS via the s parameter.

The ocim-mp3 plugin through 2016-03-07 for WordPress has wp-content/plugins/ocim-mp3/source/pages.php?id= XSS.

The yawpp plugin through 1.2.2 for WordPress has XSS via the field1 parameter.

The mtouch-quiz plugin before 3.1.3 for WordPress has XSS via a quiz name.

The mtouch-quiz plugin before 3.1.3 for WordPress has wp-admin/edit.php CSRF with resultant XSS.

The mtouch-quiz plugin before 3.1.3 for WordPress has XSS via the quiz parameter during a Quiz Manage operation.

The quotes-and-tips plugin before 1.20 for WordPress has XSS.