Updated automatically every hour
Latest WordPress security vulnerabilities affecting plugins, themes, and core.
Published Date: 4/8/2026
The Advanced Contact Form 7 DB plugin is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 2.0.9. An unauthenticated attacker who tricks a logged-in administrator into performing an action, such as clicking a crafted link, can use the administrator's session to manipulate stored form entries.
Published Date: 4/8/2026
The Advanced Contact Form 7 DB plugin up to version 2.0.9 allows unauthorized data export because the export functionality does not sufficiently check the caller's capabilities. Any authenticated user with Subscriber-level access or higher can exploit this to export stored form submissions.
Published Date: 4/7/2026
The Ninja Forms - File Uploads plugin for WordPress, in versions up to 3.3.26, allows arbitrary file uploads because the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function does not validate the type of the uploaded file. An attacker who can upload a web-server-executable file, such as a PHP script, can turn this into remote code execution.
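What "file type validation" should look like in an admin-ajax upload handler, as an added example that is not Ninja Forms code: an extension allowlist, a check that the file's bytes match the claimed extension, rejection of PHP-family extensions anywhere in the name, and a random stored filename. The action name "acme_upload", the nonce name and the allowlist are hypothetical; the WordPress functions are real and the code assumes a WordPress runtime.

```php
<?php
// Added example (not Ninja Forms code). Action name, nonce name and the
// allowlist are hypothetical; the wp_* functions are WordPress core.

require_once ABSPATH . 'wp-admin/includes/file.php';

add_action( 'wp_ajax_acme_upload', 'acme_handle_upload' );
add_action( 'wp_ajax_nopriv_acme_upload', 'acme_handle_upload' ); // public form

function acme_handle_upload() {
    // Bind the request to a nonce issued with the form so it cannot be forged.
    check_ajax_referer( 'acme_upload', 'nonce' );

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['file'];

    // 1. Allowlist only what the form needs; never a denylist of "bad" types.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
    );

    // 2. Compare the claimed extension with what the bytes actually are.
    //    Empty ext/type means "not in the allowlist"; proper_filename is set
    //    when the extension lies about the content (e.g. a PNG named .jpg).
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) || ! empty( $check['proper_filename'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // 3. Reject a PHP-family extension anywhere in the name (shell.php.png):
    //    some server configurations execute on the first matching extension.
    if ( preg_match( '/\.(php\d*|phtml|phar)(\.|$)/i', $file['name'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // 4. Store under a random name so the attacker cannot choose the path,
    //    and pass the same allowlist to the mover as a second gate.
    $overrides = array(
        'test_form'                => false,
        'mimes'                    => $allowed,
        'unique_filename_callback' => function ( $dir, $name, $ext ) {
            return wp_generate_password( 24, false ) . $ext; // $ext includes the dot
        },
    );
    $result = wp_handle_upload( $file, $overrides );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

Validation in PHP is only one layer: disable PHP execution in the uploads directory at the web server as well (for example a `php_flag engine off` or an nginx `location` rule that never hands uploads to PHP-FPM), so that a bypass of the check above yields a stored file rather than code execution.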
Published Date: 4/4/2026
The Text to Speech for WP (AI Voices by Mementor) plugin up to version 1.9.8 ships hardcoded MySQL credentials in its source. Anyone who reads the plugin code obtains them, so unauthenticated attackers can gain unauthorized write access to the vendor's telemetry database.
Published Date: 4/4/2026
The WPFunnels plugin is vulnerable to Stored Cross-Site Scripting through the 'wpf_optin_form' shortcode, allowing attackers with contributor-level access to inject scripts into pages. This flaw affects versions up to 3.7.9 and is due to insufficient sanitization of the 'button_icon' parameter.
Published Date: 4/4/2026
The Simple Shopping Cart plugin for WordPress suffers from a Stored Cross-Site Scripting (XSS) vulnerability due to inadequate input sanitization and output escaping in its `wpsc_display_product` shortcode. This allows contributor-level and higher authenticated users to inject harmful scripts into pages.
Published Date: 4/4/2026
The Shortcodes Ultimate plugin for WordPress up to version 7.4.7 is vulnerable to Stored Cross-Site Scripting (XSS) due to improper sanitization and escaping of the 'src' attribute in the 'su_lightbox' shortcode. Authenticated users with contributor level access or higher can exploit this to inject malicious scripts that execute when users visit the affected pages.
Published Date: 4/4/2026
The Shortcodes Ultimate plugin for WordPress is vulnerable to stored cross-site scripting through the su_carousel shortcode. This vulnerability affects all versions up to 7.4.8 and allows an authenticated user with author-level access or higher to execute arbitrary scripts on pages.
Published Date: 4/4/2026
The Royal Addons for Elementor plugin up to version 1.7.1049 is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability. Authenticated users with contributor-level access or higher can exploit this issue by injecting arbitrary scripts via the 'button_text' parameter.
Published Date: 4/2/2026
The Webmention plugin for WordPress is susceptible to a Server-Side Request Forgery (SSRF) vulnerability in versions up to and including 5.6.2. This flaw allows attackers to send unauthorized requests from the web application, potentially exposing internal service data or altering configuration.
Published Date: 4/2/2026
The Webmention plugin for WordPress is affected by a Server-Side Request Forgery (SSRF) vulnerability. This flaw allows authenticated users with Subscriber-level access and above to make requests to arbitrary servers from the web application, enabling potential discovery and modification of internal resources.
Published Date: 4/2/2026
The Spam Protect for Contact Form 7 plugin, in versions prior to 1.2.10, writes its log to a file with a PHP extension, and attacker-supplied HTTP header values reach that log. An attacker with editor-level access can therefore get PHP code written into the file by sending crafted headers and potentially execute it, giving remote code execution.
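The advisory does not describe the plugin's exact code path, so the following is an added example, not Spam Protect for Contact Form 7 code: it assumes the common shape of this bug (a request header appended verbatim to a `.php` file under the web root) and shows a logger that cannot become executable. The directory and file names are hypothetical; the code assumes a WordPress runtime.

```php
<?php
// Added example, not the plugin's code. Assumed vulnerable pattern: a request
// header is appended verbatim to a log file that has a .php extension.
function vulnerable_log_request() {
    $line = date( 'c' ) . ' ' . $_SERVER['HTTP_USER_AGENT'] . "\n"; // attacker-controlled bytes
    file_put_contents( WP_CONTENT_DIR . '/uploads/spam-log.php', $line, FILE_APPEND );
    // A User-Agent containing "<?php ... ?>" now lives in a file the web
    // server will execute on request, which is the whole vulnerability.
}

// Hardened logger: non-executable extension, direct access denied at the web
// server, no raw header bytes, bounded length, one JSON object per line.
function hardened_log_request() {
    $upload  = wp_upload_dir();
    $log_dir = trailingslashit( $upload['basedir'] ) . 'spam-protect-logs';
    if ( ! is_dir( $log_dir ) ) {
        wp_mkdir_p( $log_dir );
        // Apache 2.4 syntax; nginx needs an equivalent "location ... { deny all; }".
        file_put_contents( $log_dir . '/.htaccess', "Require all denied\n" );
        file_put_contents( $log_dir . '/index.html', '' ); // no directory listing
    }

    $ua = isset( $_SERVER['HTTP_USER_AGENT'] ) ? wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) : '';
    $entry = array(
        'time' => gmdate( 'c' ),
        'ip'   => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : '',
        // sanitize_text_field() strips tags (PHP open tags included) and control
        // characters; the substr() bounds what one request can add to the log.
        'ua'   => substr( sanitize_text_field( $ua ), 0, 512 ),
    );
    // JSON_HEX_TAG encodes < and > as \u003C and \u003E, so even if this file
    // were ever served as PHP no "<?php" sequence can exist in it.
    $line = wp_json_encode( $entry, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) . "\n";
    file_put_contents( $log_dir . '/spam.log', $line, FILE_APPEND | LOCK_EX );
}
```

The order of defenses matters: the extension and the deny rule are what stop execution; the sanitization and encoding only make the log safe to read back and keep a single request from bloating it.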
Published Date: 3/31/2026
The Auto Post Scheduler WordPress plugin up to version 1.84 is vulnerable to Cross-Site Request Forgery (CSRF) due to missing nonce validation in the 'aps_options_page' function. This vulnerability could allow attackers to change the plugin settings and inject malicious scripts if they can convince an administrator to click a manipulated link.
Published Date: 3/31/2026
The Ibtana – WordPress Website Builder plugin is affected by a Stored Cross-Site Scripting (XSS) vulnerability, allowing contributors and above to inject malicious scripts through the 'ive' shortcode. This vulnerability affects versions up to 1.2.5.7 and results from inadequate sanitization of input and insufficient output escaping.
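The shortcode entries above (WPFunnels, Simple Shopping Cart, Shortcodes Ultimate, Royal Addons for Elementor, Ibtana) share one mechanism: WordPress's KSES filter strips disallowed HTML from a contributor's post content at save time, but a shortcode such as `[su_lightbox src="..."]` is plain text to KSES, and the plugin turns the attribute into HTML at render time, after filtering has happened. The following is an added example, not code from any of those plugins: a hypothetical `[acme_button]` shortcode in its vulnerable form beside a hardened one that validates each attribute for the context it lands in. Shortcode and attribute names are invented; the escaping functions are WordPress core.

```php
<?php
// Added example; shortcode and attribute names are hypothetical.

// Vulnerable: attribute values are concatenated straight into HTML. A
// contributor can save
//   [acme_button url="javascript:alert(1)" icon='" onmouseover="alert(1)' text="x"]
// and KSES never sees a tag, because the brackets are not HTML.
function acme_button_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'url' => '#', 'text' => 'Go', 'icon' => '' ), $atts, 'acme_button' );
    return '<a href="' . $atts['url'] . '" class="btn ' . $atts['icon'] . '">' . $atts['text'] . '</a>';
}

// Hardened: validate on input, escape for the exact output context.
function acme_button_hardened( $atts ) {
    $atts = shortcode_atts( array( 'url' => '#', 'text' => 'Go', 'icon' => '' ), $atts, 'acme_button' );

    // href context: esc_url() rejects javascript:, data: and other schemes
    // outside wp_allowed_protocols(), returning '' for them.
    $url = esc_url( $atts['url'] );
    if ( '' === $url ) {
        $url = '#';
    }

    // class context: a closed set of known icon names, nothing user-shaped.
    $icons = array( 'arrow', 'cart', 'download' );
    $icon  = in_array( $atts['icon'], $icons, true ) ? 'icon-' . $atts['icon'] : '';

    // text node context: strip tags on input, escape entities on output.
    $text = esc_html( sanitize_text_field( $atts['text'] ) );

    return sprintf( '<a href="%s" class="btn %s">%s</a>', $url, esc_attr( $icon ), $text );
}

// Enclosing shortcodes whose body is meant to carry markup go through the
// same post-level allowlist KSES would have applied, after nested shortcodes
// have been expanded.
function acme_box_hardened( $atts, $content = '' ) {
    return '<div class="acme-box">' . wp_kses_post( do_shortcode( $content ) ) . '</div>';
}

add_shortcode( 'acme_button', 'acme_button_hardened' );
add_shortcode( 'acme_box', 'acme_box_hardened' );
```

When reviewing a shortcode handler, walk every attribute from `shortcode_atts()` to the place it is emitted and check that the escaping function matches that place (`esc_url` for `href`/`src`, `esc_attr` for other attributes, `esc_html` for text, `wp_kses_post` for rich fragments); an attribute that is sanitized but then used in a different context than the one it was sanitized for is the usual bug.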
Published Date: 3/31/2026
The WooPayments: Integrated WooCommerce Payments plugin for WordPress is susceptible to unauthorized data modification. This vulnerability exists due to a missing capability check in the 'save_upe_appearance_ajax' function, allowing unauthenticated attackers to alter plugin settings in versions up to 10.5.1.
Published Date: 3/31/2026
The Truebooker plugin for WordPress, in versions up to 1.1.4, exposes sensitive information through its view PHP files, which an attacker can request directly by URL instead of through the plugin. Direct access to these files can reveal critical data to unauthorized users.
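Plugin files that are meant to be included by WordPress conventionally start with `if ( ! defined( 'ABSPATH' ) ) { exit; }`, so that a direct request by URL does nothing. The following is an added example, not Truebooker code: a stand-alone PHP command-line script (no WordPress needed) that lists the `.php` files under a directory which lack that guard, with a self-test on constructed files so it runs without a real plugin. The regular expressions are a heuristic, not a PHP parser.

```php
<?php
// Added example, not Truebooker code. Run as: php guard-scan.php /path/to/plugin
// With no argument it runs a self-test on files it creates in the temp dir.

function files_missing_abspath_guard( string $dir ): array {
    $missing  = array();
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iterator as $file ) {
        if ( strtolower( $file->getExtension() ) !== 'php' ) {
            continue;
        }
        // Only the head of the file matters: the guard has to run before anything else.
        $head = file_get_contents( $file->getPathname(), false, null, 0, 4096 );
        if ( false === $head ) {
            continue;
        }
        // Accept the common spellings: defined('ABSPATH'), defined('WPINC'),
        // or the older function_exists('add_action') check.
        $guarded = preg_match( '/defined\s*\(\s*[\'"](?:ABSPATH|WPINC)[\'"]\s*\)/', $head )
            || preg_match( '/function_exists\s*\(\s*[\'"]add_action[\'"]\s*\)/', $head );
        if ( ! $guarded ) {
            $missing[] = $file->getPathname();
        }
    }
    sort( $missing );
    return $missing;
}

// Self-check on constructed files: one guarded plugin file, one unguarded view.
function self_test(): bool {
    $tmp = sys_get_temp_dir() . '/guard-scan-' . getmypid();
    mkdir( $tmp . '/views', 0700, true );
    file_put_contents( $tmp . '/plugin.php', "<?php\nif ( ! defined( 'ABSPATH' ) ) { exit; }\n" );
    file_put_contents( $tmp . '/views/booking.php', "<?php\necho \$booking->email;\n" );
    $result = files_missing_abspath_guard( $tmp );
    unlink( $tmp . '/plugin.php' );
    unlink( $tmp . '/views/booking.php' );
    rmdir( $tmp . '/views' );
    rmdir( $tmp );
    return array( $tmp . '/views/booking.php' ) === $result;
}

if ( PHP_SAPI === 'cli' ) {
    if ( isset( $argv[1] ) ) {
        foreach ( files_missing_abspath_guard( $argv[1] ) as $path ) {
            echo $path, PHP_EOL;
        }
    } else {
        echo self_test() ? "self-test passed\n" : "self-test FAILED\n";
    }
}
```

Treat the output as a review list rather than a finding list: a file that only declares functions is harmless when hit directly, whereas a view file that echoes variables it expects the caller to have set is the case the advisory describes. A web-server rule that refuses to serve PHP from the plugin's view directory removes the whole class regardless of what the files contain.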
Published Date: 3/28/2026
The Ninja Forms plugin for WordPress, versions up to 3.14.1, has a vulnerability that allows authenticated users with at least Contributor-level access to expose sensitive information. The issue resides in the processing of authorization tokens via a callback function in the admin_enqueue_scripts action.
Published Date: 3/28/2026
The Restaurant Cafeteria WordPress theme, up to version 0.4.6, has a security vulnerability where admin-ajax actions lack nonce and capability checks. This allows any logged-in user, including those with minimal permissions, to execute privileged operations, potentially leading to arbitrary PHP code execution via a user-supplied URL.
Published Date: 3/28/2026
The Oxygen Theme for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability in versions up to and including 6.0.8. Exploitation of this flaw is possible via the 'laborator_calc_route' AJAX action, allowing unauthenticated attackers to initiate web requests to arbitrary locations from the WordPress server.
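The two Webmention entries and the Oxygen theme entry above describe the same failure: a handler that fetches whatever URL the request names. The following is an added example, not code from either project: a hypothetical `acme_calc_route` AJAX action in its vulnerable form beside a hardened one that combines a host allowlist with WordPress's own unsafe-URL rejection. The action name, nonce name and the allowlisted host are invented; `wp_http_validate_url()`, `wp_safe_remote_get()` and their behaviour are WordPress core.

```php
<?php
// Added example, not Webmention or Oxygen code. Names are hypothetical.

// Vulnerable: the server fetches whatever the caller names, so the request
// can be aimed at 169.254.169.254 (cloud metadata), 127.0.0.1:port, or any
// host the WordPress server can reach but the attacker cannot.
function acme_calc_route_vulnerable() {
    $response = wp_remote_get( $_POST['url'] );
    wp_send_json_success( wp_remote_retrieve_body( $response ) );
}

// Hardened: access control on the endpoint, scheme and host allowlist,
// core's private-range check, no redirects, bounded response, and only
// the fields the feature needs are echoed back.
add_action( 'wp_ajax_acme_calc_route', 'acme_calc_route_hardened' );
function acme_calc_route_hardened() {
    check_ajax_referer( 'acme_calc_route', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $url   = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    $parts = (array) wp_parse_url( $url );

    // 1. Only https, only the one upstream host this feature talks to, and
    //    no userinfo or explicit port that could smuggle a different target.
    $allowed_hosts = array( 'api.example-routing.test' ); // hypothetical upstream
    if ( empty( $parts['scheme'] ) || 'https' !== $parts['scheme']
        || empty( $parts['host'] ) || ! in_array( strtolower( $parts['host'] ), $allowed_hosts, true )
        || isset( $parts['user'] ) || isset( $parts['pass'] ) || isset( $parts['port'] ) ) {
        wp_send_json_error( 'url not allowed', 400 );
    }

    // 2. wp_http_validate_url() resolves the host and rejects loopback,
    //    link-local and RFC 1918 addresses; wp_safe_remote_get() sets
    //    reject_unsafe_urls so the same check runs on every redirect hop.
    if ( ! wp_http_validate_url( $url ) ) {
        wp_send_json_error( 'url not allowed', 400 );
    }
    $response = wp_safe_remote_get( $url, array(
        'timeout'             => 5,
        'redirection'         => 0,           // an allowlisted host must not bounce us elsewhere
        'limit_response_size' => 1024 * 1024,
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( 'upstream error', 502 );
    }

    // 3. Never relay the raw upstream body: parse it and return a fixed shape.
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    wp_send_json_success( array(
        'distance_km' => isset( $data['distance_km'] ) ? (float) $data['distance_km'] : null,
    ) );
}
```

The allowlist is the real control. `wp_http_validate_url()` resolves the hostname once for its check and the HTTP client resolves it again for the connection, so a host under attacker control can answer differently the second time (DNS rebinding); restricting the host to one you trust closes that gap, and returning a parsed subset rather than the body removes the attacker's read channel even if a request does slip through.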
Published Date: 3/26/2026
The Conditional Menus plugin for WordPress is affected by a Cross-Site Request Forgery (CSRF) vulnerability. This flaw allows attackers to alter conditional menu configurations when an administrator is tricked into executing a forged request.
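The CSRF and missing-authorization entries above (Advanced Contact Form 7 DB, Auto Post Scheduler, WooPayments, the Restaurant Cafeteria theme, Conditional Menus) come down to one pattern: an admin-ajax handler that trusts the request without a nonce, a capability check, or both. The Ninja Forms token entry is the related mistake on the enqueue side. The following is an added example, not code from any of those projects: a hypothetical settings handler in its vulnerable form beside a hardened one, plus the enqueue callback that issues the nonce. Option, action and page names are invented; the nonce and capability functions are WordPress core.

```php
<?php
// Added example, not code from any plugin listed above. Names are hypothetical.

// Vulnerable. If it were hooked like this:
//   add_action( 'wp_ajax_acme_save_settings', 'acme_save_settings_vulnerable' );
//   add_action( 'wp_ajax_nopriv_acme_save_settings', 'acme_save_settings_vulnerable' );
// then any visitor (nopriv) or any subscriber (wp_ajax) can overwrite the
// option, and a page an administrator visits can auto-submit the same POST
// with the administrator's cookies: that is the CSRF case.
function acme_save_settings_vulnerable() {
    update_option( 'acme_remote_url', $_POST['remote_url'] );
    wp_send_json_success();
}

// Hardened: nonce against CSRF, capability against low-privilege users,
// no nopriv hook, and the value validated before it is stored.
add_action( 'wp_ajax_acme_save_settings', 'acme_save_settings_hardened' );
function acme_save_settings_hardened() {
    // 1. Intent: the nonce was issued to a page this user loaded, and it is
    //    tied to the user, so a nonce captured from a subscriber session does
    //    not work against an administrator's session.
    check_ajax_referer( 'acme_save_settings', 'nonce' );

    // 2. Privilege: a nonce proves intent, not authority. Settings changes
    //    require manage_options, not merely "is logged in".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Validation: only http(s) URLs are accepted, stored sanitized.
    $url = isset( $_POST['remote_url'] ) ? esc_url_raw( wp_unslash( $_POST['remote_url'] ) ) : '';
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    if ( '' === $url || ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        wp_send_json_error( 'invalid url', 400 );
    }
    update_option( 'acme_remote_url', $url );
    wp_send_json_success();
}

// The enqueue side. Runs only on the plugin's own settings page (which
// already requires manage_options to open) and exposes nothing but the
// per-user nonce; no API keys or tokens are ever passed to the browser.
function acme_enqueue_settings_script( $hook ) {
    if ( 'settings_page_acme' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'acme-settings', plugins_url( 'settings.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'acme-settings', 'acmeSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'acme_save_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'acme_enqueue_settings_script' );
```

A quick audit for this class: grep the plugin for `wp_ajax_` and `wp_ajax_nopriv_` hooks, then confirm each callback begins with both `check_ajax_referer()` (or `wp_verify_nonce()`) and a `current_user_can()` check appropriate to what it changes; a handler with only one of the two is still exploitable by one of the two attacker types described above.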
Published Date: 3/26/2026
The LeadConnector plugin for WordPress before version 3.0.22 lacks proper authorization on a REST API route. This allows unauthenticated users to manipulate and potentially overwrite existing data through unauthorized API calls.
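For REST routes the equivalent of the missing capability check is a missing or permissive `permission_callback`. The following is an added example, not LeadConnector code: a hypothetical `acme/v1/record` route registered without authorization beside the hardened registration. Namespace, route, fields and capability are invented; `register_rest_route()` and its arguments are WordPress core (5.5 or later warns when `permission_callback` is omitted).

```php
<?php
// Added example, not LeadConnector code. Route and field names are hypothetical.

// Vulnerable. Registered like this, the route is reachable by anyone with no
// cookies at all and overwrites whichever record id the caller names:
//   register_rest_route( 'acme/v1', '/record/(?P<id>\d+)', array(
//       'methods'  => 'POST',
//       'callback' => 'acme_update_record',
//   ) );

add_action( 'rest_api_init', function () {
    register_rest_route( 'acme/v1', '/record/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'acme_update_record',
        // Authorization per record, not per route: the user must be allowed to
        // edit this specific post. Cookie sessions without a valid X-WP-Nonce
        // header are treated by the REST API as unauthenticated, so this also
        // covers CSRF; application passwords authenticate without cookies.
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'edit_post', (int) $request['id'] );
        },
        // Input schema: malformed fields are rejected before the callback runs.
        'args'                => array(
            'id'    => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
            ),
            'title' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function acme_update_record( WP_REST_Request $request ) {
    $id = (int) $request['id'];
    if ( ! get_post( $id ) ) {
        return new WP_Error( 'acme_not_found', 'no such record', array( 'status' => 404 ) );
    }
    $result = wp_update_post( array( 'ID' => $id, 'post_title' => $request['title'] ), true );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    return rest_ensure_response( array( 'id' => $id, 'title' => get_the_title( $id ) ) );
}
```

`'permission_callback' => '__return_true'` is the correct value only for genuinely public read endpoints; for anything that writes, the callback should decide on the specific object being changed, as above, rather than on whether the caller is logged in at all.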