The avada theme before 5.1.5 for WordPress has CSRF.

The avada theme before 5.1.5 for WordPress has stored XSS.

The gravitate-qa-tracker plugin through 1.2.1 for WordPress has PHP Object Injection.

The sitebuilder-dynamic-components plugin through 1.0 for WordPress has PHP object injection via an AJAX request.

The postman-smtp plugin through 2017-10-04 for WordPress has XSS via the wp-admin/tools.php?page=postman_email_log page parameter.

The examapp plugin 1.0 for WordPress has SQL injection via the wp-admin/admin.php?page=examapp_UserResult id parameter.

The examapp plugin 1.0 for WordPress has XSS via exam input text fields.

The formcraft3 plugin before 3.4 for WordPress has stored XSS via the "New Form > Heading > Heading Text" field.

The Pinfinity theme before 2.0 for WordPress has XSS via the s parameter.

The Qards plugin through 2017-10-11 for WordPress has XSS via a remote document specified in the url parameter to html2canvasproxy.php.

The jtrt-responsive-tables plugin before 4.1.2 for WordPress has SQL Injection via the admin/class-jtrt-responsive-tables-admin.php tableId parameter.

The elementor plugin before 1.8.0 for WordPress has incorrect access control for internal functions.

An issue was discovered in GitLab Community and Enterprise Edition 8.x (starting in 8.9), 9.x, 10.x, and 11.x before 11.5.9, 11.6.x before 11.6.7, and 11.7.x before 11.7.2. It has Incorrect Access Control. Guest users are able to add reaction emojis on comments to which they have no visibility.

An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control (issue 3 of 3). When a project with visibility more permissive than the target group is imported, it will retain its prior visibility.

upload_model() in /admini/controllers/system/managemodel.php in DocCms 2016.5.17 allow remote attackers to execute arbitrary PHP code through module management files, as demonstrated by a .php file in a ZIP archive.

Limesurvey before 3.17.14 uses an anti-CSRF cookie without the HttpOnly flag, which allows attackers to access a cookie value via a client-side script.

In Limesurvey before 3.17.14, admin users can access the plugin manager without proper permissions.

In Limesurvey before 3.17.14, admin users can view, update, or delete reserved menu entries without proper permissions.

A CSV injection vulnerability was found in Limesurvey before 3.17.14 that allows survey participants to inject commands via their survey responses that will be included in the export CSV file.

In Limesurvey before 3.17.14, admin users can run an integrity check without proper permissions.