The groundhogg plugin before 1.3.5 for WordPress has wp-admin/admin-ajax.php?action=bulk_action_listener remote code execution.

The rsvpmaker plugin before 6.2 for WordPress has SQL injection.

The zoho-salesiq plugin before 1.0.9 for WordPress has CSRF.

The zoho-salesiq plugin before 1.0.9 for WordPress has stored XSS.

The ultimate-faqs plugin before 1.8.22 for WordPress has XSS.

In Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple resources vulnerable to Local File Inclusion that allow an attacker to access server resources: clearhistory.jsp, convertxml.jsp, group_new.jsp, loginmessage.jsp, xmlcontentrepair.jsp, and /system/workplace/admin/history/settings/index.jsp.

In system/workplace/ in Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple Reflected and Stored XSS issues in the management interface.

In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the Login form.

In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the search engine.

The bbp-move-topics plugin before 1.1.6 for WordPress has CSRF.

The bbp-move-topics plugin before 1.1.6 for WordPress has code injection.

The rsvpmaker plugin before 5.6.4 for WordPress has SQL injection.

The buddyforms plugin before 2.2.8 for WordPress has SQL injection.

The js-support-ticket plugin before 2.0.6 for WordPress has CSRF.

The anycomment plugin before 0.0.33 for WordPress has XSS.

The timesheet plugin before 0.1.5 for WordPress has multiple XSS issues.

The woocommerce-exporter plugin before 1.8.4 for WordPress has privilege escalation.

The check-email plugin before 0.5.2 for WordPress has XSS.

The ckeditor-for-wordpress plugin before 4.5.3.1 for WordPress has reflected XSS in the "built-in (old)" file browser.

The wp-plotly plugin before 1.0.3 for WordPress has XSS by authors.