The Master Addons for Elementor WordPress plugin before 1.8.5 does not sanitise and escape the error_message parameter before outputting it back in the response of…

The Advanced Product Labels for WooCommerce WordPress plugin before 1.2.3.7 does not sanitise and escape the tax_color_set_type parameter before outputting it back in the berocket_apl_color_listener…

The Flexi WordPress plugin before 4.20 does not sanitise and escape various parameters before outputting them back in some pages such as the user dashboard,…

The Event Manager and Tickets Selling for WooCommerce WordPress plugin before 3.5.8 does not validate and escape the post_author_gutenberg parameter before using it in a…

The Simple Download Monitor WordPress plugin before 3.9.5 allows users with a role as low as Contributor to download any file on the web server…

The Cybersoldier WordPress plugin before 1.7.0 does not sanitise and escape the URL settings before outputting it in an attribute, which could allow high privilege…

The Add Subtitle WordPress plugin through 1.1.0 does not sanitise or escape the sub-title field (available only with classic editor) when output in the page,…

The Persian Woocommerce WordPress plugin through 5.8.0 does not escape the s parameter before outputting it back in an attribute in the admin dashboard, which…

The Insight Core WordPress plugin through 1.0 does not have any authorisation and CSRF checks in the insight_customizer_options_import (available to any authenticated user), does not…

The Meks Easy Photo Feed Widget WordPress plugin before 1.2.4 does not have capability and CSRF checks in the meks_save_business_selected_account AJAX action, available to any…