Latest WordPress security vulnerabilities affecting plugins, themes, and core.
Published Date: 1/15/2026
The AffiliateX - Amazon Affiliate Plugin for WordPress contains a vulnerability in its AJAX action that allows unauthorized data modification. This issue affects versions 1.0.0 through 1.3.9.3 and allows authenticated users with minimal privileges to inject and execute arbitrary JavaScript.
Published Date: 1/15/2026
The Supreme Modules Lite plugin version 2.5.62 and below is affected by an arbitrary file upload vulnerability due to inadequate validation of file types, particularly JSON files with double extensions. This allows authenticated users with author-level access to upload potentially malicious files, risking remote code execution.
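The double-extension problem above comes from checking only the text after the last dot. The following is an added example (not the plugin's own code) of a name check that looks at every extension in the file name, paired with a content check that a claimed JSON file actually parses. The function names, the executable-extension list and the sample file names are constructed for illustration.

```php
<?php
// Added example, not the plugin's own code. Validates an upload name by
// examining every dot-separated part of the name, not only the last one.

// Extensions a web server may execute as code, in any position of the name.
const EXAMPLE_DANGEROUS_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'shtml'];

/**
 * True only if the name has exactly one extension, that extension is in
 * $allowed, and no dot-separated part is an executable extension.
 * "shell.php.json" fails because "php" appears, even though it ends in .json.
 */
function example_is_safe_upload_name(string $name, array $allowed = ['json']): bool {
    $name  = basename($name);                       // drop any directory component
    $parts = explode('.', strtolower($name));
    if (count($parts) !== 2 || $parts[0] === '') {  // "a.b.c", ".json", "noext" all fail
        return false;
    }
    foreach ($parts as $part) {
        if (in_array($part, EXAMPLE_DANGEROUS_EXTENSIONS, true)) {
            return false;
        }
    }
    return in_array($parts[1], $allowed, true);
}

/** Content check to pair with the name check: a claimed JSON file must parse. */
function example_is_json_body(string $body): bool {
    json_decode($body);
    return json_last_error() === JSON_ERROR_NONE;
}

// Constructed file names, not taken from any real upload.
$probes = [
    'settings.json'    => true,
    'shell.php.json'   => false,   // double extension: AddHandler-style configs run it as PHP
    'shell.json.php'   => false,
    'shell.phtml.json' => false,
    '.json'            => false,
    'noext'            => false,
];
foreach ($probes as $file => $expected) {
    $verdict = example_is_safe_upload_name($file);
    printf("%-18s %s %s\n", $file, $verdict ? 'accept' : 'reject', $verdict === $expected ? '' : '(MISMATCH)');
}
printf("json body: %s\n", example_is_json_body('{"a":1}') ? 'valid' : 'invalid');
printf("php body:  %s\n", example_is_json_body('<?php system($_GET["c"]);') ? 'valid' : 'invalid');
```

Inside WordPress, run the name through `wp_check_filetype_and_ext()` as well, since it also sniffs the file's MIME type; the check above is the part that catches the double-extension case the advisory describes.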
Published Date: 1/15/2026
The Kalium 3 theme for WordPress is susceptible to unauthorized email sending due to insufficient access control in its contact form. This flaw allows unauthenticated users to exploit the theme as an open mail relay.
Published Date: 1/15/2026
The Drag and Drop Multiple File Upload for Contact Form 7 plugin up to version 1.3.9.2 is vulnerable to an unauthorized data modification issue. This vulnerability allows unauthenticated attackers to delete uploaded files due to a missing ownership check when the 'Send attachments as links' option is enabled.
Published Date: 1/15/2026
The WP-Members Membership Plugin for WordPress is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability via the Multiple Checkbox and Multiple Select user profile fields. This issue affects all plugin versions up to and including 3.5.4.3, allowing authenticated attackers to inject malicious scripts.
Published Date: 1/14/2026
The Appointment Booking Calendar plugin for WordPress is vulnerable to blind SQL Injection through the `order` and `append_where_sql` parameters. This vulnerability affects versions up to 1.6.9.9 and lets attackers inject additional SQL into existing queries because of inadequate input sanitization; query results are not returned directly, so exploitation is blind (inferred from response differences or timing).
Published Date: 1/14/2026
The PayHere Payment Gateway Plugin for WooCommerce, in versions up to 2.3.9, is susceptible to a vulnerability allowing unauthorized data modification. Unauthenticated attackers can exploit improper validation logic to alter the status of WooCommerce orders.
Published Date: 1/14/2026
The Stopwords for Comments plugin up to version 1.1 is vulnerable to Cross-Site Request Forgery (CSRF). This flaw allows attackers to alter stopwords settings by tricking administrators into clicking a malicious link.
Published Date: 1/14/2026
The Perfit WooCommerce plugin for WordPress, up to version 1.0.1, suffers from a Missing Authorization vulnerability. This flaw allows unauthenticated attackers to delete arbitrary plugin settings through the `action` parameter, due to a lack of authorization checks on the `logout` function.
Published Date: 1/14/2026
The SocialChamp WordPress plugin is affected by a Cross-Site Request Forgery (CSRF) vulnerability in versions up to 1.3.3. This flaw allows unauthenticated users to alter plugin settings through forged requests if they trick an administrator into clicking on a malicious link.
Published Date: 1/14/2026
The Float Payment Gateway plugin for WordPress, up to version 1.1.9, has a vulnerability allowing unauthorized modifications of WooCommerce orders. An unauthorized attacker can exploit improper error handling in the verifyFloatResponse function to mark any order as failed.
Published Date: 1/14/2026
The Electric Studio Download Counter plugin for WordPress is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 2.4. This vulnerability arises due to improper sanitization and escaping of user inputs in the plugin settings, allowing authenticated Administrator-level users to inject malicious scripts.
Published Date: 1/14/2026
The Aplazo Payment Gateway plugin for WordPress allows unauthenticated users to change WooCommerce order statuses to 'pending payment'. This is due to a missing capability check on the plugin's check_success_response() function.
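The PayHere, Float and Aplazo entries above share one shape: a gateway callback endpoint that is necessarily reachable without login, and that changes an order's status on the strength of request parameters alone. The following is an added example (not any of these plugins' code) of how such a callback should be gated. The signature scheme (HMAC-SHA256 over `order_id|status|amount` with a merchant secret) is an assumption standing in for whatever a real gateway specifies; the control flow, in which an unverifiable request changes nothing in either direction, is the point. The hardened handler assumes it runs inside WordPress with WooCommerce loaded; the verification functions run from the CLI.

```php
<?php
// Added example, not any plugin's code. The HMAC scheme is an assumption;
// substitute the gateway's documented verification method.

/** Computes the expected signature for a callback body. */
function example_gateway_signature(array $data, string $secret): string {
    $payload = implode('|', [$data['order_id'] ?? '', $data['status'] ?? '', $data['amount'] ?? '']);
    return hash_hmac('sha256', $payload, $secret);
}

/**
 * Returns the verified status ("paid" or "failed"), or null if the request
 * cannot be trusted. Never throws and never maps an error to "failed":
 * an unverifiable request must not move the order in either direction.
 */
function example_verify_gateway_callback(array $data, string $secret): ?string {
    foreach (['order_id', 'status', 'amount', 'signature'] as $key) {
        if (!isset($data[$key]) || $data[$key] === '') {
            return null;                               // missing field: do nothing
        }
    }
    $expected = example_gateway_signature($data, $secret);
    // hash_equals is constant-time; a plain === leaks timing information.
    if (!hash_equals($expected, (string) $data['signature'])) {
        return null;
    }
    return in_array($data['status'], ['paid', 'failed'], true) ? $data['status'] : null;
}

// VULNERABLE pattern, as the advisories describe it: trust the POST body.
// function example_handle_callback_vulnerable(): void {
//     $order = wc_get_order((int) $_POST['order_id']);
//     $order->update_status($_POST['status'] === 'paid' ? 'processing' : 'failed');
// }

// HARDENED handler; assumes WordPress + WooCommerce.
function example_handle_callback_hardened(array $post, string $secret): void {
    $status = example_verify_gateway_callback($post, $secret);
    if ($status === null) {
        status_header(400);                            // reject, leave the order untouched
        exit;
    }
    $order = wc_get_order((int) $post['order_id']);
    if (!$order || abs((float) $order->get_total() - (float) $post['amount']) > 0.005) {
        status_header(400);                            // amount mismatch: also leave it alone
        exit;
    }
    if ($status === 'paid') {
        $order->payment_complete();
    } else {
        $order->update_status('failed', 'Gateway reported failure (signature verified)');
    }
}

// Constructed requests for a stand-alone check of the verification step.
$secret  = 'merchant-secret-example';
$genuine = ['order_id' => '1042', 'status' => 'paid', 'amount' => '49.90'];
$genuine['signature'] = example_gateway_signature($genuine, $secret);
$forged  = ['order_id' => '1042', 'status' => 'failed', 'amount' => '49.90', 'signature' => 'deadbeef'];
$partial = ['order_id' => '1042', 'status' => 'failed'];
var_dump(example_verify_gateway_callback($genuine, $secret));
var_dump(example_verify_gateway_callback($forged, $secret));
var_dump(example_verify_gateway_callback($partial, $secret));
```

Note what the Float entry describes: treating a verification error as "mark the order failed" turns the check itself into the attack. A failed check must end the request without touching the order.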
Published Date: 1/14/2026
The Short Link plugin for WordPress is susceptible to Stored Cross-Site Scripting (XSS) due to improper input sanitization and output escaping on specific parameters. Authenticated users with administrator-level access can inject malicious scripts, which execute when the injected page is viewed.
Published Date: 1/14/2026
The WP Allowed Hosts plugin for WordPress contains a vulnerability that allows stored Cross-Site Scripting (XSS) via the 'allowed-hosts' parameter. This flaw affects versions up to 1.0.8 and can be exploited by authenticated users with administrative privileges in certain installations.
Published Date: 1/14/2026
The LinkedIn SC plugin for WordPress, up to and including version 1.1.9, is susceptible to Stored Cross-Site Scripting through parameters such as 'linkedin_sc_date_format', 'linkedin_sc_api_key', and 'linkedin_sc_secret_key'. This vulnerability allows authenticated users with administrator access or higher to inject malicious scripts that execute on user interaction with affected pages.
Published Date: 1/14/2026
The Shipping Rate By Cities plugin for WordPress is vulnerable to SQL Injection through the 'city' parameter in versions up to 2.0.0. This vulnerability allows attackers to inject malicious SQL code, potentially leading to unauthorized data retrieval.
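The Appointment Booking Calendar entry (the `order` and `append_where_sql` parameters) and the Shipping Rate By Cities entry (the `city` parameter) are two different SQL injection shapes, and `$wpdb->prepare()` fixes only one of them. The following is an added example, not either plugin's code, that assumes it runs inside WordPress so `$wpdb` is available; the table name, column names and sort keys are hypothetical. Values go through placeholders; an ORDER BY clause takes identifiers, which placeholders cannot protect, so it is built from an allow-list; and a raw WHERE fragment from the request is replaced by a fixed fragment selected by a boolean.

```php
<?php
// Added example, not the plugins' code; assumes WordPress so $wpdb exists.

/** Maps user-supplied sort keys to real column names; anything else falls back to the default. */
function example_safe_order_by(?string $order, ?string $dir): string {
    $columns = ['date' => 'booking_date', 'name' => 'customer_name', 'id' => 'id'];
    $column  = $columns[$order ?? ''] ?? 'id';                 // unknown key -> default column
    $dir     = strtoupper($dir ?? 'ASC') === 'DESC' ? 'DESC' : 'ASC';
    return "ORDER BY `$column` $dir";                           // only allow-listed tokens reach SQL
}

// VULNERABLE: every input is concatenated. 'city' is a value injection;
// 'order' and 'append_where_sql' are raw SQL, so a probe such as
// "order=id, (SELECT SLEEP(5))" produces a measurable delay: blind injection.
function example_get_bookings_vulnerable(string $city, string $order, string $append_where_sql): array {
    global $wpdb;
    $sql = "SELECT * FROM {$wpdb->prefix}bookings WHERE city = '$city' $append_where_sql ORDER BY $order";
    return $wpdb->get_results($sql, ARRAY_A);
}

// HARDENED: values via prepare(), identifiers via allow-list, no raw SQL from input.
function example_get_bookings_hardened(string $city, ?string $order, ?string $dir, bool $only_confirmed): array {
    global $wpdb;
    $where = "WHERE city = %s";
    if ($only_confirmed) {
        $where .= " AND status = 'confirmed'";                  // fixed fragment chosen by a flag
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}bookings $where " . example_safe_order_by($order, $dir),
        $city
    );
    return $wpdb->get_results($sql, ARRAY_A);
}

// Constructed probes; the allow-list function runs without WordPress.
echo example_safe_order_by('id, (SELECT SLEEP(5))', 'ASC'), PHP_EOL;   // unknown key -> default column
echo example_safe_order_by('date', 'desc; DROP TABLE x'), PHP_EOL;     // bad direction -> ASC
echo example_safe_order_by('name', 'DESC'), PHP_EOL;
```

The allow-list also silently normalises unknown sort keys to the default rather than erroring; if you prefer to reject, return null and have the caller send a 400, but never pass the raw token to the query.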
Published Date: 1/14/2026
The WMF Mobile Redirector plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability due to insufficient input sanitization and output escaping in its settings. This vulnerability affects all versions up to and including 1.2 and can be exploited by authenticated users with Administrator privileges to inject malicious scripts into pages.
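The Electric Studio Download Counter, Short Link, WP Allowed Hosts, LinkedIn SC and WMF Mobile Redirector entries are the same bug in five settings pages: an option saved without sanitization and printed without escaping. The following is an added example, not any of these plugins' code, showing the vulnerable pattern beside the hardened one. It assumes it is loaded by WordPress; the option names, settings group and host-list sanitizer are hypothetical. Sanitizing on input and escaping on output are separate controls and both are needed, because the same stored value may later be printed in an attribute, in a text node, or in JavaScript.

```php
<?php
// Added example, not any plugin's code; option names are hypothetical.

// VULNERABLE: raw $_POST saved, raw option echoed into an attribute. An admin
// (or a forged request, on an install without nonces) can store an
// onmouseover= payload that fires for every later viewer of the page.
function example_save_settings_vulnerable(): void {
    update_option('example_date_format', $_POST['example_date_format']);
    update_option('example_allowed_hosts', $_POST['example_allowed_hosts']);
}
function example_render_settings_vulnerable(): void {
    echo '<input name="example_date_format" value="' . get_option('example_date_format') . '">';
}

// HARDENED: sanitize on the way in (sanitize_callback) AND escape on the way
// out (esc_attr / esc_html), each chosen for the context it lands in.
function example_register_settings(): void {
    register_setting('example_group', 'example_date_format', [
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',   // strips tags, newlines, NUL bytes
        'default'           => 'Y-m-d',
    ]);
    register_setting('example_group', 'example_allowed_hosts', [
        'type'              => 'string',
        'sanitize_callback' => 'example_sanitize_host_list',
        'default'           => '',
    ]);
}
if (function_exists('add_action')) {                     // only when loaded by WordPress
    add_action('admin_init', 'example_register_settings');
}

/** Keeps only syntactically valid host names; anything else, tags included, is dropped. */
function example_sanitize_host_list(string $raw): string {
    $hosts = [];
    foreach (preg_split('/[\s,]+/', $raw) as $host) {
        $host = strtolower(trim($host));
        if ($host !== '' && strlen($host) <= 253 && preg_match('/^[a-z0-9.-]+$/', $host)) {
            $hosts[] = $host;
        }
    }
    return implode(',', array_unique($hosts));
}

function example_render_settings_hardened(): void {
    // esc_attr() for attribute context, esc_html() for text nodes.
    echo '<input name="example_date_format" value="' . esc_attr(get_option('example_date_format', 'Y-m-d')) . '">';
    echo '<p>Allowed hosts: ' . esc_html(get_option('example_allowed_hosts', '')) . '</p>';
}

// Stand-alone check of the sanitizer against a constructed, hostile input.
echo example_sanitize_host_list("good.example, <script>alert(1)</script>\nsub.good.example, GOOD.example"), PHP_EOL;
```

A settings page reached through `options.php` already gets a nonce from `settings_fields()`; a custom save handler must call `check_admin_referer()` itself, which is the CSRF half of the problem described in the Stopwords for Comments and SocialChamp entries.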
Published Date: 1/14/2026
The Kunze Law plugin for WordPress is susceptible to Stored Cross-Site Scripting (XSS) due to improper handling of HTML content fetched from remote servers. It also contains a path traversal vulnerability within its shortcode functionality, which could allow an attacker to place malicious HTML files in arbitrary locations.
Published Date: 1/14/2026
The News and Blog Designer Bundle plugin for WordPress is affected by a Local File Inclusion (LFI) vulnerability in all versions up to and including 1.1. Unauthenticated attackers can exploit this vulnerability to include and execute arbitrary .php files on the server.
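A Local File Inclusion of the kind described above usually starts as a template or layout loader that builds an `include` path from a request parameter. The following is an added example, not the plugin's code, of the vulnerable loader beside a resolver that applies a strict name pattern, an explicit allow-list, `realpath()` containment and a fail-closed default; the layout names, directory and probes are constructed. The script creates a temporary layout directory so it runs from the CLI without WordPress.

```php
<?php
// Added example, not the plugin's code. Models a shortcode layout loader.

// VULNERABLE: a request parameter names the file to include. "../../wp-config"
// or a previously uploaded file whose name ends in .php gets executed.
function example_load_layout_vulnerable(string $layout): void {
    include __DIR__ . '/layouts/' . $layout . '.php';
}

/**
 * Resolves $layout to a file strictly inside $base, or returns null.
 * Layered on purpose: name pattern, allow-list, realpath() containment.
 */
function example_resolve_layout(string $layout, string $base, array $allowed): ?string {
    if (!preg_match('/^[a-z0-9_-]{1,40}$/', $layout)) {
        return null;                                   // dots, slashes, NUL bytes rejected outright
    }
    if (!in_array($layout, $allowed, true)) {
        return null;                                   // only layouts we ship, ever
    }
    $real_base = realpath($base);
    if ($real_base === false) {
        return null;
    }
    $path = realpath($real_base . DIRECTORY_SEPARATOR . basename($layout) . '.php');
    if ($path === false) {
        return null;                                   // no such file
    }
    // Containment: the resolved path must begin with "$real_base/".
    if (strncmp($path, $real_base . DIRECTORY_SEPARATOR, strlen($real_base) + 1) !== 0) {
        return null;                                   // symlink or traversal escaped the directory
    }
    return $path;
}

function example_load_layout_hardened(string $layout): void {
    $path = example_resolve_layout($layout, __DIR__ . '/layouts', ['grid', 'list', 'carousel']);
    if ($path === null) {
        return;                                        // fail closed: render nothing
    }
    include $path;
}

// Constructed probes against a temporary directory, so the script runs anywhere.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'layouts_' . getmypid();
mkdir($tmp);
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'grid.php', "<?php echo 'grid layout';");
foreach (['grid', '../../etc/passwd', '..%2F..%2Fwp-config', 'list', 'grid.php'] as $probe) {
    $r = example_resolve_layout($probe, $tmp, ['grid', 'list']);
    printf("%-22s -> %s\n", $probe, $r === null ? 'rejected' : 'resolved');
}
unlink($tmp . DIRECTORY_SEPARATOR . 'grid.php');
rmdir($tmp);
```

`list` is on the allow-list but no `list.php` exists, so it is rejected rather than producing an include warning; `grid.php` is rejected by the name pattern before the file system is consulted.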
Published Date: 1/14/2026
The WP-CRM System plugin for WordPress allows unauthorized access due to inadequate capability checks on specific AJAX functions. This vulnerability affects all plugin versions up to 3.4.5, enabling low privilege users to access email addresses and alter tasks within the CRM.
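The WP-CRM System, Perfit WooCommerce and Drag and Drop Multiple File Upload entries above are three flavours of missing authorization on an AJAX handler (no capability check, no check at all on a `logout` action, and no ownership check on a delete), and the Stopwords for Comments and SocialChamp entries are the CSRF variant. The following is an added example, not any of these plugins' code, of one handler written both ways. It assumes it is loaded by WordPress; the action names, the upload directory and `example_get_upload_record()` are hypothetical. The hardened version asks three separate questions in order: is this request from my own UI (nonce), may this user do this kind of thing (capability), and may this user act on this particular object (ownership).

```php
<?php
// Added example, not any plugin's code; assumes WordPress. Hook names, the
// upload directory and example_get_upload_record() are hypothetical.

// VULNERABLE: also registered for logged-out users (wp_ajax_nopriv_), no nonce,
// no capability check, no ownership check, and the path comes from the request.
add_action('wp_ajax_example_delete_upload',        'example_delete_upload_vulnerable');
add_action('wp_ajax_nopriv_example_delete_upload', 'example_delete_upload_vulnerable');
function example_delete_upload_vulnerable(): void {
    unlink(wp_upload_dir()['basedir'] . '/cf7-uploads/' . $_POST['file']);
    wp_send_json_success();
}

// HARDENED: logged-in hook only, then nonce, capability, ownership, and a
// path taken from our own record rather than from the request.
add_action('wp_ajax_example_delete_upload', 'example_delete_upload_hardened');
function example_delete_upload_hardened(): void {
    check_ajax_referer('example_delete_upload', 'nonce');          // CSRF: dies with 403 on failure

    if (!current_user_can('upload_files')) {
        wp_send_json_error('forbidden', 403);                      // capability: may this role do this?
    }

    $upload_id = absint($_POST['upload_id'] ?? 0);
    $record    = example_get_upload_record($upload_id);            // hypothetical: ['owner' => int, 'path' => string]
    $is_owner  = $record && (int) $record['owner'] === get_current_user_id();
    if (!$record || (!$is_owner && !current_user_can('manage_options'))) {
        wp_send_json_error('not yours', 403);                      // ownership: may this user touch THIS object?
    }

    $base      = wp_upload_dir()['basedir'] . '/cf7-uploads';
    $real_base = realpath($base);
    $path      = realpath($base . '/' . basename($record['path']));
    if ($real_base === false || $path === false
        || strncmp($path, $real_base . '/', strlen($real_base) + 1) !== 0) {
        wp_send_json_error('bad path', 400);                       // never delete outside the upload dir
    }
    unlink($path);
    wp_send_json_success(['deleted' => $upload_id]);
}

// The UI that triggers the handler must carry the nonce the handler checks.
function example_render_delete_button(int $upload_id): void {
    printf(
        '<button class="example-delete" data-id="%d" data-nonce="%s">Delete</button>',
        $upload_id,
        esc_attr(wp_create_nonce('example_delete_upload'))
    );
}
```

A nonce alone is not authorization: it proves the request came from a page WordPress rendered for this user, nothing about what the user may do. Likewise a capability check alone does not stop one author deleting another author's files, which is the gap the Drag and Drop Multiple File Upload entry describes.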