#wordpress

The Media from FTP WordPress plugin before 11.17 does not properly limit who can use the plugin, which may allow users with author+ privileges to move files around, like wp-config.php, which may lead to RCE in some cases.

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Pixelgrade PixTypes plugin <= 1.4.15 versions.

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Devaldi Ltd flowpaper plugin <= 1.9.9 versions.

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Twinpictures Column-Matic plugin <= 1.3.3 versions.

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Kangu para WooCommerce plugin <= 2.2.9 versions.

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ImageRecycle ImageRecycle pdf & image compression plugin <= 3.1.11 versions.

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Pexle Chris Library Viewer plugin <= 2.0.6 versions.

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Vathemes Business Pro theme <= 1.10.4 versions.

The Advanced File Manager WordPress plugin before 5.1.1 does not adequately authorize its usage on multisite installations, allowing site admin users to list and read arbitrary files and folders on the server.

The Photo Gallery, Images, Slider in Rbs Image Gallery WordPress plugin before 3.2.16 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)