The Loading Page with Loading Screen WordPress plugin before 1.0.83 does not escape its settings, allowing high privilege users such as admin to perform cross-Site…

The Advanced Database Cleaner WordPress plugin before 3.1.1 does not escape numerous generated URLs before outputting them back in href attributes of admin dashboard pages,…

The Simple Post Notes WordPress plugin before 1.7.6 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site…

The Contact Form 7 Captcha WordPress plugin before 0.1.2 does not escape the $_SERVER[‘REQUEST_URI’] parameter before outputting it back in an attribute, which could lead…

The Accept Stripe Payments WordPress plugin before 2.0.64 does not sanitize and escape some of its settings, allowing high privilege users such as admin to…

The Download Monitor WordPress plugin before 4.5.91 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high…

The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset…

The Insights from Google PageSpeed WordPress plugin before 4.0.7 does not verify for CSRF before doing various actions such as deleting Custom URLs, which could…

The CDI WordPress plugin before 5.1.9 does not sanitise and escape a parameter before outputting it back in the response of an AJAX action (available…

The Discount Rules for WooCommerce WordPress plugin before 2.4.2 does not escape a parameter before outputting it back in an attribute of the plugin’s discount…