Latest WordPress security vulnerabilities affecting plugins, themes, and core.
Published Date: 10/18/2025
The Related Posts Lite plugin for WordPress contains a vulnerability that allows stored Cross-Site Scripting (XSS) attacks. This vulnerability affects versions up to 1.12 and allows authenticated users with administrator-level permissions to inject malicious scripts via the plugin's admin settings.
Published Date: 10/18/2025
The PowerBI Embed Reports plugin for WordPress has a vulnerability that allows unauthorized access to sensitive Azure Active Directory user information. This issue affects all plugin versions up to 1.2.0 and involves the 'testUser' endpoint, which lacks proper capability checks and authentication measures.
Published Date: 10/18/2025
The Kognetiks Chatbot plugin for WordPress contains a vulnerability that allows unauthorized modification of data due to absent capability checks. This flaw exists in all versions up to, and including, 2.3.5, enabling unauthenticated users to upload limited safe files and delete conversations.
Published Date: 10/18/2025
The PPOM – Product Addons & Custom Fields for WooCommerce plugin is affected by an SQL Injection vulnerability in all versions up to 33.0.15. This vulnerability stems from improper input handling in the `PPOM_Meta::get_fields_by_id()` function, which could allow unauthorized users to perform malicious SQL queries if a specific setting is enabled.
Published Date: 10/18/2025
The LearnPress WordPress LMS Plugin is susceptible to unauthorized data modification due to inadequate capability checks on its admin REST endpoints. This vulnerability permits unauthenticated users to execute harmful database operations, such as dropping indexes and altering site data.
Published Date: 10/18/2025
The PPOM - Product Addons & Custom Fields for WooCommerce plugin is vulnerable to arbitrary file uploads due to missing file type validation in its image cropper functionality in versions up to 33.0.15. This flaw allows unauthenticated attackers to potentially upload files that can lead to remote code execution on sites using the paid version of the plugin.
Published Date: 10/18/2025
The Gutenberg Essential Blocks plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in the 'titleTag' attribute, affecting versions up to 5.7.1. This vulnerability allows authenticated users with Contributor-level permissions to inject malicious scripts.
Published Date: 10/18/2025
The Optimole WordPress plugin is vulnerable to an Insecure Direct Object Reference (IDOR) issue in its /wp-json/optml/v1/move_image REST API endpoint. This flaw allows authenticated users with at least Author-level permissions to manipulate media they do not own.
Published Date: 10/18/2025
The FileBird WordPress plugin is vulnerable to unauthorized data modification, allowing authenticated users with author-level access and above to reset the plugin's configuration. This issue arises due to a missing capability check on a specific function, affecting all versions up to 6.4.9.
Published Date: 10/18/2025
The WP Go Maps plugin for WordPress, up to version 9.0.48, is susceptible to a Cache Poisoning vulnerability. This flaw allows unauthenticated users to manipulate the cache for location search results by exploiting how the plugin handles user input.
Published Date: 10/18/2025
The WPBakery Page Builder plugin up to version 8.6 is vulnerable to Stored Cross-Site Scripting through the 'rev_slider_vc' shortcode when RevSlider is also installed. This vulnerability allows attackers with contributor-level access and above to inject arbitrary scripts into a page, which will execute when the page is viewed.
Published Date: 10/18/2025
The GSpeech TTS – WordPress Text To Speech Plugin is vulnerable to SQL Injection via the 'field' parameter up to version 3.17.13. This vulnerability allows attackers with Administrator-level access to manipulate SQL queries and potentially extract sensitive information from the database.
Published Date: 10/18/2025
The WPC Smart Quick View for WooCommerce plugin is susceptible to an information exposure vulnerability affecting all versions up to and including 4.2.5. The vulnerability allows unauthorized users to obtain data from password-protected, private, or draft products via the 'woosq_quickview' AJAX endpoint.
Published Date: 10/18/2025
The Event Tickets and Registration plugin for WordPress contains a payment bypass vulnerability in versions up to 5.26.5. This flaw allows unauthenticated users to exploit the endpoint handling free orders, thereby gaining access to paid tickets without payment.
Published Date: 10/18/2025
The WPC Smart Wishlist for WooCommerce plugin suffers from unauthorized access vulnerabilities due to a missing capability check on the 'wishlist_quickview' AJAX action. This issue affects versions up to 5.0.4, allowing Subscriber-level users to access other users' wishlist data.
Published Date: 10/18/2025
The XX2WP Integration Tools plugin is vulnerable to stored cross-site scripting due to improper sanitization of input in the 'mxp_fb2wp_display_embed' shortcode. This allows users with contributor-level access or above to inject malicious scripts into WordPress pages.
Published Date: 10/18/2025
The Media Library Assistant plugin for WordPress contains a vulnerability that allows unauthenticated users to read the contents of certain files on the server. This issue affects all versions up to and including 3.29, making it possible to access sensitive data stored in ai, eps, pdf, and ps files.
Published Date: 10/18/2025
The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin is affected by a Server-Side Request Forgery (SSRF) vulnerability up to version 5.7.1. This issue allows authenticated users with at least Author-level privileges to initiate requests to arbitrary locations, potentially leading to unauthorized interactions with internal systems.
Published Date: 10/18/2025
The ShortPixel Image Optimizer plugin for WordPress, up to version 6.3.4, allows unauthorized modification of data due to a missing capability check on an AJAX action. This vulnerability can be exploited by authenticated users with at least Contributor-level access.
Published Date: 10/17/2025
The Binary MLM Plan plugin is vulnerable to an insecure direct object reference, allowing authenticated users with the bmp_user role to access other users' payout details. This flaw is present in versions up to and including 3.0 and stems from improper access controls in the payout detail function.
Published Date: 10/16/2025
The Felan Framework plugin for WordPress up to version 1.1.4 allows unauthorized users to change the state of installed plugins due to missing capability checks in an AJAX action. This could enable unauthenticated users to activate or deactivate plugins, potentially impacting site functionality.