The "CP Contact Form with PayPal" plugin before 1.2.99 for WordPress has XSS in the publishing wizard via the wp-admin/admin.php?
Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via com/libs/because Subscribers Table ordering is mishandled.
An XSS vulnerability in the "Email Subscribers & Newsletters" plugin 4.1.6 for WordPress allows an attacker to inject malicious JavaScript code through a publicly available subscription form using the esfpx_name wp-admin/POST parameter.
("parallax" has a spelling change within the PHP filename.)
Multiple stored cross-site scripting (XSS) vulnerabilities in the MyThemeShop Launcher plugin 1.0.8 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via fields as follows: (1) Title, (2) Favicon, (3) Meta Description, (4) Subscribe Form (Name field label, Last name field label, Email field label), (5) Contact Form (Name field label and Email field label), and (6) Social Links (Facebook Page URL, Twitter Page URL, Instagram Page URL, YouTube Page URL, Linkedin Page URL, Google Page URL, RSS URL).
A stored cross-site scripting (XSS) vulnerability in the submit_module in the WP Support Plus Responsive Ticket System plugin 9.1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the subject parameter in wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/ajax/submit_
This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS.
The XSS results in administrative access, which allows arbitrary changes to files.
An Arbitrary File Deletion vulnerability in the Nevma Adaptive Images plugin before 0.6.67 for WordPress allows remote attackers to delete arbitrary files via the $_REQUEST['adaptive-images-settings'] parameter in
A Local File Inclusion vulnerability in the Nevma Adaptive Images plugin before 0.6.67 for WordPress allows remote attackers to retrieve arbitrary files via the $_REQUEST['adaptive-images-settings']['source_file'] parameter in
This allows an unauthenticated/unprivileged user to perform a SQL injection attack capable of remote code execution and information disclosure.
An issue was discovered in the Viral Quiz Maker - OnionBuzz plugin before 1.2.7 for WordPress.
This affects Social Warfare and Social Warfare Pro.