Stay Protected with Vulnerability Alerts

    Updated automatically every hour

    Recent WordPress Vulnerabilities

    Latest WordPress security vulnerabilities affecting plugins, themes, and core.

    MEDIUM (5.0)
    Plugin

    Cross-Site Request Forgery in Guardian News Feed Plugin for WordPress

    Published Date: 3/7/2026

    The Guardian News Feed plugin for WordPress suffers from a Cross-Site Request Forgery (CSRF) vulnerability in versions up to 1.2. This flaw allows attackers to change plugin settings, including the API key, by exploiting the missing nonce validation.

    MEDIUM (7.0)
    Plugin

    Cross-Site Request Forgery Vulnerability in Font Pairing Preview for Landing Pages Plugin

    Published Date: 3/7/2026

    The Font Pairing Preview For Landing Pages WordPress plugin is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.3. This vulnerability allows attackers to modify plugin settings by tricking an authenticated administrator into clicking on a malicious link.

    MEDIUM (5.9)
    Plugin

    Cross-Site Request Forgery Vulnerability in True Ranker Plugin

    Published Date: 3/7/2026

    The True Ranker plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability affecting all versions up to and including 2.2.9. This issue allows unauthenticated attackers to disconnect the administrator's True Ranker account by tricking them into making a crafted request.

    MEDIUM (6.2)
    Plugin

    Stored Cross-Site Scripting Vulnerability in Show YouTube Video WordPress Plugin

    Published Date: 3/7/2026

    The Show YouTube Video plugin for WordPress suffers from a stored cross-site scripting (XSS) vulnerability. This issue affects all plugin versions up to and including 1.1, enabling authenticated users with contributor-level access or higher to inject malicious scripts via the 'syv' shortcode.

    MEDIUM (6.3)
    Plugin

    Stored Cross-Site Scripting in Infomaniak Connect for OpenID WordPress Plugin

    Published Date: 3/7/2026

    The Infomaniak Connect for OpenID plugin is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to 1.0.2. An attacker with Contributor-level access or higher can inject malicious scripts via the 'endpoint_login' parameter in the infomaniak_connect_generic_auth_url shortcode.

    MEDIUM (5.5)
    Plugin

    Stored XSS in Consensus Embed Plugin via Shortcode Attributes

    Published Date: 3/7/2026

    The Consensus Embed plugin for WordPress contains a Stored Cross-Site Scripting vulnerability in versions up to 1.6, allowing authenticated contributors to inject malicious scripts. This flaw arises from inadequate input sanitization and output escaping within the plugin's shortcode attributes.

    MEDIUM (5.2)
    Plugin

    Stored Cross-Site Scripting Vulnerability in WP App Bar Plugin

    Published Date: 3/7/2026

    The WP App Bar plugin for WordPress contains a vulnerability due to insufficient input sanitization and authorization checks, allowing stored Cross-Site Scripting (XSS) attacks. This affects all versions up to 1.5, enabling unauthenticated attackers to inject scripts that execute when an admin accesses the settings.

    MEDIUM (6.7)
    Plugin

    Cross-Site Request Forgery Vulnerability in Purchase Button For Affiliate Link Plugin

    Published Date: 3/7/2026

    The Purchase Button For Affiliate Link plugin for WordPress is affected by a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 1.0.2. The lack of nonce validation on its settings page allows unauthenticated attackers to potentially alter plugin settings with manipulated requests.

    MEDIUM (6.1)
    Plugin

    Stored Cross-Site Scripting in Media Library Alt Text Editor Plugin via Shortcode

    Published Date: 3/7/2026

    The Media Library Alt Text Editor plugin for WordPress is vulnerable to stored cross-site scripting (XSS) due to insufficient input sanitization and output escaping in its shortcode function. This allows authenticated users with at least contributor-level access to inject malicious scripts into pages.

    MEDIUM (5.5)
    Plugin

    Stored Cross-Site Scripting in MyQtip Plugin via Shortcode

    Published Date: 3/7/2026

    The MyQtip plugin for WordPress is affected by a stored cross-site scripting (XSS) vulnerability. This issue arises from inadequate input sanitization and output escaping in the `myqtip` shortcode, allowing authenticated contributors to inject malicious scripts into web pages.

    MEDIUM (5.0)
    Plugin

    Stored Cross-Site Scripting in DA Media GigList Plugin via Shortcode

    Published Date: 3/7/2026

    The DA Media GigList plugin for WordPress, in versions up to 1.9.0, is subject to a stored cross-site scripting vulnerability. This flaw allows authenticated users with contributor or higher roles to inject harmful scripts through the damedia_giglist shortcode, potentially affecting other users accessing compromised pages.

    MEDIUM (5.7)
    Plugin

    Stored Cross-Site Scripting in Wueen WordPress Plugin via Shortcode

    Published Date: 3/7/2026

    The Wueen plugin for WordPress is vulnerable to stored cross-site scripting (XSS) through its `wueen-blocket` shortcode. This vulnerability affects versions up to 0.2.0 and allows authenticated users with at least contributor-level access to inject harmful scripts.

    MEDIUM (5.0)
    Plugin

    Stored Cross-Site Scripting in Carta Online Plugin via Admin Settings

    Published Date: 3/7/2026

    The Carta Online plugin for WordPress is vulnerable to a Stored Cross-Site Scripting (XSS) attack. This vulnerability affects versions up to 2.13.0 and allows authenticated attackers with administrator permissions to inject malicious scripts. Only multi-site installations and those with disabled `unfiltered_html` are affected.

    MEDIUM (5.4)
    Plugin

    Arbitrary File Deletion in Meta Box Plugin for WordPress

    Published Date: 3/7/2026

    The Meta Box plugin for WordPress contains a vulnerability in its 'ajax_delete_file' function that allows authenticated users to delete any file on the server. This issue, affecting versions up to 5.11.1, can lead to severe consequences, such as remote code execution, if critical files are deleted.

    MEDIUM (5.4)
    Plugin

    Unauthorized Data Modification in MDJM Event Management Plugin

    Published Date: 3/7/2026

    The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to the absence of a capability check in the 'custom_fields_controller' function in versions up to 1.7.8.1. This vulnerability allows unauthenticated attackers to delete arbitrary custom event fields.

    MEDIUM (6.9)
    Plugin

    SQL Injection Vulnerability in ZIP Code Based Content Protection Plugin

    Published Date: 3/7/2026

    The ZIP Code Based Content Protection plugin for WordPress is susceptible to an SQL Injection vulnerability due to improper handling of the 'zipcode' parameter. This vulnerability could allow unauthorized users to manipulate database queries and access sensitive information.

    MEDIUM (6.6)
    Plugin

    Stored Cross-Site Scripting in Hammas Calendar Plugin via 'apix' Parameter

    Published Date: 3/7/2026

    The Hammas Calendar plugin for WordPress is affected by a Stored Cross-Site Scripting (XSS) vulnerability. The flaw is present in versions up to 1.5.11, allowing authenticated users with Contributor-level access and above to inject malicious scripts through the 'apix' parameter.

    MEDIUM (5.2)
    Plugin

    Unauthorized Modification of API Connection Settings in Winston AI Plugin

    Published Date: 3/6/2026

    The HUMN-1 AI Website Scanner & Human Certification by Winston AI plugin for WordPress allows unauthorized modifications due to inadequate access control on the winston_disconnect() function. This vulnerability enables authenticated users with Subscriber-level access or higher to reset the plugin's API connection settings.

    MEDIUM (5.8)
    Plugin

    WP Frontend Profile Plugin Cross-Site Request Forgery Vulnerability

    Published Date: 3/6/2026

    The WP Frontend Profile plugin for WordPress, in versions up to and including 1.3.8, suffers from a Cross-Site Request Forgery (CSRF) vulnerability. This flaw allows attackers to manipulate user account registration approvals by tricking administrators into executing specific actions via crafted links.

    MEDIUM (5.1)
    Plugin

    CSRF Vulnerability in WP eCommerce Plugin Allows Unauthorized Coupon Deletion

    Published Date: 3/6/2026

    The WP eCommerce plugin through version 3.15.1 is vulnerable to cross-site request forgery (CSRF) attacks due to the absence of CSRF checks when deleting coupons. This enables potential attackers to trick an authenticated admin into inadvertently deleting coupons.

    MEDIUM (6.8)
    Plugin

    Unauthorized Arbitrary Plugin Installation in WowOptin Popup Maker

    Published Date: 3/5/2026

    The WowOptin: Next-Gen Popup Maker plugin for WordPress contains a vulnerability that allows authenticated users, with Subscriber-level access or higher, to install and activate arbitrary plugins. This issue affects all versions up to and including 1.4.24 due to a missing capability check.

    Jedar

    Jedar for Digital Rights is a non-profit organization dedicated to protecting digital freedoms, enhancing online privacy, and promoting secure digital practices for vulnerable communities worldwide.

    All Rights Reserved © 2026 Jedar for Digital Rights.