The gd-rating-system plugin before 2.1 for WordPress has XSS in log.php.

The wp-polls plugin before 2.73.1 for WordPress has XSS via the Poll bar option.

The feed-them-social plugin before 1.7.0 for WordPress has reflected XSS in the Facebook Feeds load more button.

The zoho-salesiq plugin before 1.0.9 for WordPress has stored XSS.

The ultimate-faqs plugin before 1.8.22 for WordPress has XSS.

In system/workplace/ in Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple Reflected and Stored XSS issues in the management interface.

In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the Login form.

In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the search engine.

The anycomment plugin before 0.0.33 for WordPress has XSS.

The timesheet plugin before 0.1.5 for WordPress has multiple XSS issues.

The check-email plugin before 0.5.2 for WordPress has XSS.

The ckeditor-for-wordpress plugin before 4.5.3.1 for WordPress has reflected XSS in the "built-in (old)" file browser.

The wp-plotly plugin before 1.0.3 for WordPress has XSS by authors.

The cp-polls plugin before 1.0.5 for WordPress has XSS.

The wp-rollback plugin before 1.2.3 for WordPress has XSS.

The cp-polls plugin before 1.0.1 for WordPress has XSS in the votes list.

GNUBOARD5 before 5.3.2.0 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "homepage title" parameter, aka the adm/config_form_update.php cf_title parameter.

Status Board 1.1.81 has reflected XSS via dashboard.ts.

CyberChef before 8.31.2 allows XSS in core/operations/TextEncodingBruteForce.mjs.

laracom (aka Laravel FREE E-Commerce Software) 1.4.11 has search?q= XSS.