The import-users-from-csv-with-meta plugin before 1.14.2.1 for WordPress has directory traversal.

In GalliumOS 3.0, CONFIG_SECURITY_YAMA is disabled but /etc/sysctl.d/10-ptrace.conf tries to set /proc/sys/kernel/yama/ptrace_scope to 1, which might increase risk because of the appearance that a protection mechanism is present when actually it is not.

In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the "docker build" command would be able to gain command execution. An issue exists in the way "docker build" processes remote git URLs, and results in command injection into the underlying "git clone" command, leading to code execution in the context of the user executing the "docker build" command. This occurs because git ref can be misinterpreted as a flag.

The newsletters-lite plugin before 4.6.8.6 for WordPress has PHP object injection.

The advanced-custom-fields (aka Elliot Condon Advanced Custom Fields) plugin before 5.7.8 for WordPress has XSS by authors.

The posts-in-page plugin before 1.3.0 for WordPress has ic_add_posts template='../ directory traversal.

The corner-ad plugin before 1.0.8 for WordPress has XSS.

The crafty-social-buttons plugin before 1.5.8 for WordPress has XSS.

The advanced-ajax-page-loader plugin before 2.7.7 for WordPress has no protection against the reading of uploaded files when not logged in.

The onelogin-saml-sso plugin before 2.2.0 for WordPress has a hardcoded @@@nopass@@@ password for just-in-time provisioned users.

The wp-file-upload plugin before 3.0.0 for WordPress has insufficient restrictions on upload of php, js, pht, php3, php4, php5, phtml, htm, html, and htaccess files.

The wp-file-upload plugin before 2.7.1 for WordPress has insufficient restrictions on upload of .js files.

The wp-file-upload plugin before 2.5.0 for WordPress has insufficient restrictions on upload of .php files.

The email-newsletter plugin through 20.15 for WordPress has SQL injection.

The cforms2 plugin before 10.5 for WordPress has XSS.

The wp-live-chat-support plugin before 4.1.0 for WordPress has JavaScript injections.

The feature-comments plugin before 1.2.5 for WordPress has CSRF for featuring or burying a comment.

The slidedeck2 plugin before 2.3.5 for WordPress has file inclusion.

The wp-support-plus-responsive-ticket-system plugin before 9.1.2 for WordPress has HTML injection.

The webp-express plugin before 0.14.11 for WordPress has insufficient protection against arbitrary file reading.