Category: Vulnerabilities

CVE-2023-1406

The JetEngine WordPress plugin before 3.1.3.1 includes uploaded files without adequately ensuring that they are not executable, leading to a remote code execution vulnerability. Vulnerability…

CVE-2023-1425

The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg WordPress plugin before 2.7.9.4 does not properly sanitise and escape a…

CVE-2023-1426

The WP Tiles WordPress plugin through 1.1.2 does not ensure that posts to be displayed are not draft/private, allowing any authenticated users, such as subscriber…

CVE-2023-1478

The Hummingbird WordPress plugin before 3.4.2 does not validate the generated file path for page cache files before writing them, leading to a path traversal…

CVE-2022-4827

The WP Tiles WordPress plugin through 1.1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where…

CVE-2023-0156

The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not limit what log files to display in its settings pages, allowing an authorized user (admin+)…

CVE-2023-0157

The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not escape the content of log files before outputting it to the plugin admin page, allowing…

CVE-2023-0363

The Scheduled Announcements Widget WordPress plugin before 1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post…

CVE-2023-0422

The Article Directory WordPress plugin through 1.3 does not properly sanitize the `publish_terms_text` setting before displaying it in the administration panel, which may enable administrators…
