The crafty-social-buttons plugin before 1.5.8 for WordPress has XSS.

The cforms2 plugin before 10.5 for WordPress has XSS.

An issue was discovered in Ampache through 3.9.1. A stored XSS exists in the localplay.php LocalPlay "add instance" functionality. The injected code is reflected in the instances menu. This vulnerability can be abused to force an admin to create a new privileged user whose credentials are known by the attacker.

The cforms2 plugin before 10.2 for WordPress has XSS.

In Nexus Repository Manager before 3.18.0, users with elevated privileges can create stored XSS.

The wp-retina-2x plugin before 5.2.3 for WordPress has XSS.

The time-sheets plugin before 1.5.2 for WordPress has multiple XSS issues.

The time-sheets plugin before 1.5.0 for WordPress has XSS via the old timesheet list.

The mailchimp-for-wp plugin before 4.1.8 for WordPress has XSS via the return value of add_query_arg.

The event-notifier plugin before 1.2.1 for WordPress has XSS via the loading animation.

The peters-login-redirect plugin before 2.9.1 for WordPress has XSS during the editing of redirect URLs.

The memphis-documents-library plugin before 3.0 for WordPress has XSS via $_REQUEST.

The reflex-gallery plugin before 1.4.3 for WordPress has XSS.

The tubepress plugin before 1.6.5 for WordPress has XSS.

The give plugin before 2.4.7 for WordPress has XSS via a donor name.

The media-library-assistant plugin before 2.74 for WordPress has XSS via the Media/Assistant or Settings/Media Library assistant admin submenu screens.

The newstatpress plugin before 1.2.5 for WordPress has multiple stored XSS issues.

The gnucommerce plugin before 1.4.2 for WordPress has XSS.

The gnucommerce plugin before 0.5.7-BETA for WordPress has XSS.

The wassup plugin before 1.9.1 for WordPress has XSS via the Top stats widget or the wassupURI::add_siteurl method, a different vulnerability than CVE-2012-2633.