Latest WordPress security vulnerabilities affecting plugins, themes, and core.
Published Date: 4/19/2026
The EMC – Easily Embed Calendly Scheduling Features plugin for WordPress is vulnerable to stored XSS due to inadequate input sanitization and output escaping on shortcode attributes. This flaw affects all versions up to 4.4 and allows contributors and higher roles to insert malicious scripts into pages.
Published Date: 4/18/2026
The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) due to improper input sanitization and output escaping in its content_block shortcode. This vulnerability affects versions up to, and including, 3.3.9, allowing authenticated users with contributor-level access or higher to inject malicious scripts.
Published Date: 4/18/2026
The Youzify plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability via the 'checkin_place_id' parameter, affecting versions up to 1.3.6. This flaw allows authenticated users with Subscriber-level access or higher to inject malicious scripts that automatically execute when a page containing the script is accessed.
Published Date: 4/18/2026
The Hostel plugin up to version 1.1.6 is susceptible to Reflected Cross-Site Scripting (XSS) due to inadequate input sanitization and output escaping. This flaw allows attackers to execute malicious scripts in the browser of users who interact with crafted links.
Published Date: 4/16/2026
The PostX plugin for WordPress, up to version 5.0.5, is vulnerable to unauthorized modification of the 'share_count' post meta due to a missing capability check in the 'ultp_shareCount_callback()' function. This allows unauthenticated users to alter this data for any post, potentially leading to misleading statistics or exploitation of additional system weaknesses.
Published Date: 4/16/2026
The Livemesh Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting (XSS) in all versions up to and including 9.0. This issue arises from insufficient authorization checks and inadequate output escaping, allowing authenticated users with sufficient privileges to inject malicious scripts.
Published Date: 4/16/2026
The Livemesh Addons for Elementor plugin up to version 9.0 is vulnerable to Local File Inclusion (LFI). This vulnerability allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary files on the server through insufficient sanitization of input parameters.
Published Date: 4/15/2026
The WooBeWoo Product Pricing Table plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) due to insufficient nonce validation in certain functions. This allows attackers to conduct unauthorized actions such as injecting web scripts or deleting pricing tables by tricking administrators into interacting with malicious requests.
Published Date: 4/15/2026
The MetForm Pro plugin for WordPress suffers from improper input validation in versions up to and including 3.9.7, enabling attackers to manipulate payments. The issue arises from the plugin's failure to validate user-submitted calculation field values against configured form prices in its payment integrations.
Published Date: 4/15/2026
The WebStack theme for WordPress is susceptible to arbitrary file uploads due to insufficient file type validation. This vulnerability affects all theme versions up to 1.2024, potentially allowing unauthenticated attackers to upload malicious files to the server, which could lead to remote code execution.
Published Date: 4/15/2026
The Avada (Fusion) Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution, affecting versions up to and including 3.15.1. Authenticated users with Subscriber-level access can exploit this vulnerability to execute arbitrary WordPress action hooks, potentially leading to privilege escalation or other impacts.
Published Date: 4/15/2026
The Avada Builder plugin for WordPress, up to version 3.15.1, contains a vulnerability allowing authenticated users to access protected post metadata. This issue arises from a failure to validate metadata key protection in the `fusion_get_post_custom_field()` function, posing a risk of exposing sensitive information even to users with minimal access rights.
Published Date: 4/14/2026
The 3D FlipBook plugin for WordPress, up to version 1.16.17, has a vulnerability that allows unauthorized data access due to missing capability checks in the send_post_pages_json() function. This flaw enables attackers to access metadata of draft, private, and password-protected flipbooks.
Published Date: 4/14/2026
The Surbma | Booking.com Shortcode plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability. This flaw arises from insufficient input sanitization and output escaping on attributes provided by users interacting with the `surbma-bookingcom` shortcode, affecting versions up to and including 2.1.
Published Date: 4/10/2026
The Aruba HiSpeed Cache plugin for WordPress up to version 3.0.4 is affected by a Cross-Site Request Forgery (CSRF) vulnerability. This flaw allows an attacker to reset plugin settings via a forged request if they deceive a site administrator into initiating an unintended action.
Published Date: 4/10/2026
The Webling plugin for WordPress is affected by a stored cross-site scripting (XSS) vulnerability in versions up to 3.9.0. This flaw allows authenticated users with a Subscriber role or higher to inject malicious scripts into Webling forms and member lists, which can be executed when an administrator views these sections.
Published Date: 4/9/2026
The Quick Playground plugin for WordPress is vulnerable to remote code execution in versions up to 1.3.1 due to insufficient authorization checks on its REST API endpoints. This allows attackers to execute arbitrary code on the server by retrieving a sensitive sync code and uploading malicious PHP files.
Published Date: 4/8/2026
The Advanced Contact Form 7 DB plugin is susceptible to Cross-Site Request Forgery (CSRF) vulnerabilities in versions up to and including 2.0.9. This flaw allows unauthenticated attackers to potentially manipulate form entries by deceiving a site administrator into executing specific actions.
Published Date: 4/8/2026
The Advanced Contact Form 7 DB plugin up to version 2.0.9 allows unauthorized data exports due to insufficient user permission checks. Authenticated attackers with Subscriber-level access can exploit this flaw to export form submissions.
Published Date: 4/8/2026
The BEAR – Bulk Editor and Products Manager Professional by Pluginus.Net plugin for WooCommerce contains a Cross-Site Request Forgery (CSRF) vulnerability that affects all versions up to 1.1.5. This flaw allows attackers to potentially manipulate WooCommerce product data by tricking site administrators into executing unintended actions.
Published Date: 4/8/2026
A Cross-Site Request Forgery (CSRF) vulnerability exists in the BEAR – Bulk Editor and Products Manager Professional for WooCommerce plugin, affecting versions up to 1.1.5. This flaw allows attackers to delete WooCommerce taxonomy terms without authentication by leveraging a site administrator's or shop manager's privileges through a crafted request.