The all-in-one-wp-security-and-firewall plugin before 4.0.6 for WordPress has XSS in settings pages.

CVE-2016-10867: All-In-One Security (AIOS) – Security and Firewall

The events-manager plugin before 5.6 for WordPress has code injection.

CVE-2015-9298: Events Manager

Search Guard versions before 24.0 had an issue that values of string arrays in documents are not properly anonymized.

SGSA 162019-03-19When Cross Cluster Search (CCS) is enabled, authenticated users can gain read access to data they are not authorized to seeUpdate6.x-24.3floragunnSGSA 152018-12-13Field caps and mapping API leak field names (not values) for fields which are not allowed for the user because FLS was activatedUpdate6.x-24.0floragunnSGSA 142018-12-13Values of string arrays in data are not properly anonymizedUpdate6.x-24.0floragunnSGSA 132018-03-19Possible URL injection on login page when basePath is setUpdateKibana plugin 6.x-16floragunnSGSA 122018-08-24REST API leak password hashes (not cleartext) for users endpointUpdate6.x-23.1Thorsten Lutz, SySS GmbHSGSA 112018-09-14For aggregations, clear text values of anonymised fields were leakedUpdate6.x-23.1floragunnSGSA 102018-01-18Password dependent timing side channel in AuthCredentialsUpdate6.x-21.0@madblobfishSGSA 92018-04-09A Kibana user could impersonate as kibanaserver user when providing wrong credentialsUpdateKibana Plugin 5.6.8-7 and Kibana Plugin 6.x-12Guy MollerSGSA 82018-04-04Redirect and XSS vulnerability in Kibana pluginUpdateKibana Plugin 5.6.8-7 and Kibana Plugin 6.x-12Vineet KumarSGSA 7n/a2017-08-10DLS/FLS leaking information when multitenancy module is installed and “do not fail on forbidden” is activatedUpdate or deactivate “do not fail on forbidden”SG v15Guy MollerSGSA 6n/a2017-02-13FLS/DLS not working for regex index patternsUpdate or avoid regex patternsSG v11 and DLS/FLS module v6Guy MollerSGSA 5n/a2017-01-13Auditlog does not log all security relevant eventsUpdateSG V10Guy MollerSGSA 4n/a2017-01-05FLS/DLS not working for index patternsUpdateSG v10 and DLS/FLS module v5Matej ZerovnikSGSA 3n/a2016-11-27Wrong permissions resolution for certain index/type combinationsUpdate6.x-23.1Lucas BremgartnerSGSA 2n/a2016-11-25DLS not picked up when getting documents by IDUpdateSG v9 and DLS/FLS module v5Fabio CornetiSGSA 1n/a2016-07-28Authentication cache lead to password hashcode vulnerabilityUpdateSG V4Vladimir Gordiychuk

CVE-2019-13418: CVE - advisory - Search Guard

The ultimate-member plugin before 1.3.18 for WordPress has XSS via text input.

CVE-2015-9304: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

The simple-membership plugin before 3.5.7 for WordPress has XSS.

CVE-2017-18499: Simple Membership

The wp-live-chat-support plugin before 7.1.03 for WordPress has XSS.

CVE-2017-18508: 3CX Free Live Chat

The wp-ultimate-csv-importer plugin before 3.8.1 for WordPress has XSS.

CVE-2015-9306: Import All Pages, Post types, Products, Orders, and Users as XML & CSV

The FV Flowplayer Video Player plugin before 7.3.14.727 for WordPress allows email subscription XSS.

CVE-2019-14799: FV Flowplayer Video Player

The Tribulant Newsletters plugin before 4.6.19 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=newsletters_load_new_editor contentarea parameter.

CVE-2019-14787: Newsletters

The codection "Import users from CSV with meta" plugin before 1.14.2.2 for WordPress allows wp-admin/admin-ajax.php?action=acui_delete_attachment CSRF.

Tag

#perl