An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. A server side template injection (SSTI) issue exists.

Lansweeper before 7.1.117.4 allows unauthenticated SQL injection.

HashiCorp Nomad 0.9.0 through 0.9.1 has Incorrect Access Control via the exec driver.

The Telenav Scout GPS Link app 1.x for iOS, as used with Toyota and Lexus vehicles, has an incorrect protection mechanism against brute-force attacks on the authentication process, which makes it easier for attackers to obtain multimedia-screen access via port 7050 on the cellular network, as demonstrated by a DrivingRestriction method call to uma/jsonrpc/mobile.

The ultimate-member plugin before 2.0.52 for WordPress has XSS during an account upgrade.

The ultimate-member plugin before 2.0.52 for WordPress has XSS related to UM Roles create and edit operations.

The ultimate-member plugin before 2.0.54 for WordPress has XSS.

The woocommerce-jetpack plugin before 3.8.0 for WordPress has XSS in the Products Per Page feature.

The ultimate-member plugin before 2.0.4 for WordPress has XSS.

The twitter-plugin plugin before 2.55 for WordPress has XSS.

The twitter-cards-meta plugin before 2.5.0 for WordPress has CSRF.

The twitter-cards-meta plugin before 2.5.0 for WordPress has XSS.

The subscriber plugin before 1.3.5 for WordPress has multiple XSS issues.

The social-login-bws plugin before 0.2 for WordPress has multiple XSS issues.

The social-buttons-pack plugin before 1.1.1 for WordPress has multiple XSS issues.

The simple-membership plugin before 3.5.7 for WordPress has XSS.

The ultimate-member plugin before 1.3.40 for WordPress has XSS on the login form.

The ultimate-member plugin before 1.3.18 for WordPress has XSS via text input.

The simple-share-buttons-adder plugin before 6.0.0 for WordPress has XSS.

The wp-live-chat-support plugin before 8.0.27 for WordPress has XSS via the GDPR page.