The easy-pdf-restaurant-menu-upload plugin before 1.1.2 for WordPress has XSS.

The facebook-for-woocommerce plugin before 1.9.15 for WordPress has CSRF via ajax_woo_infobanner_post_click, ajax_woo_infobanner_post_xout, or ajax_fb_toggle_visibility.

The facebook-for-woocommerce plugin before 1.9.14 for WordPress has CSRF.

The sina-extension-for-elementor plugin before 2.2.1 for WordPress has local file inclusion.

The custom-404-pro plugin before 3.2.8 for WordPress has reflected XSS, a different vulnerability than CVE-2019-14789.

The webp-express plugin before 0.14.8 for WordPress has stored XSS.

The wp-ultimate-recipe plugin before 3.12.7 for WordPress has stored XSS.

The wp-better-permalinks plugin before 3.0.5 for WordPress has CSRF.

The webp-converter-for-media plugin before 1.0.3 for WordPress has CSRF.

Directory Traversal in APIkit, HTTP connector, and OAuth2 Provider components in MuleSoft Mule Runtime 3.2.0 and higher released before August 1 2019, MuleSoft Mule Runtime 4.1.0 and higher released before August 1 2019, and all versions of MuleSoft API Gateway released before August 1 2019 allow remote attackers to read files accessible to the Mule process.

A memory corruption vulnerability exists in the .PSD parsing functionality of ALSee v5.3 ~ v8.39. A specially crafted .PSD file can cause an out of bounds write vulnerability resulting in code execution. By persuading a victim to open a specially-crafted .PSD file, an attacker could execute arbitrary code.

An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined code as the user running the utility. This issue MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14 and MongoDB Server v3.4 prior to 3.4.22.

Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. This issue affects MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14; MongoDB Server v3.4 versions prior to 3.4.22.

memcached 1.5.16, when UNIX sockets are used, has a stack-based buffer over-read in conn_to_str in memcached.c.

The simple-mail-address-encoder plugin before 1.7 for WordPress has reflected XSS.

The visitors-traffic-real-time-statistics plugin before 1.13 for WordPress has CSRF.

The visitors-traffic-real-time-statistics plugin before 1.12 for WordPress has CSRF in the settings page.

The icegram plugin before 1.10.29 for WordPress has ig_cat_list XSS.

The photoblocks-grid-gallery plugin before 1.1.33 for WordPress has wp-admin/admin.php?page=photoblocks-edit&id= XSS.

The one-click-ssl plugin before 1.4.7 for WordPress has CSRF.