#wordpress

WordPress Page Builder KingComposer plugin version 2.9.6 suffers from a cross site scripting vulnerability.

WordPress Page Builder KingComposer plugin version 2.8.1 suffers from a cross site scripting vulnerability.

WordPress Duplicator plugin version 3.8.7 appears to leave backups in a world accessible directory under the document root.

Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Neha Goel Recent Posts Slider plugin <= 1.1 versions.

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in PluginForage WooCommerce Product Categories Selection Widget plugin <= 2.0 versions.

Auth. (contributor+) Cross-Site Scripting (XSS) vulnerability in Steven Henty Drop Shadow Boxes plugin <= 1.7.10 versions.

REDCap 12.0.26 LTS and 12.3.2 Standard allows SQL Injection via scheduling, repeatforms, purpose, app_title, or randomization.

WordPress Page Builder KingComposer plugin version 2.9.6 suffers from an open redirection vulnerability.

WordPress Image Optimization plugin version 3.8.2 suffers from an open redirection vulnerability.

The Auto Location for WP Job Manager via Google WordPress plugin before 1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)