#xss

The ActivityPub WordPress plugin before 1.0.0 does not sanitize and escape some data from post content, which could allow contributor and above role to perform Stored Cross-Site Scripting attacks

The ActivityPub WordPress plugin before 1.0.0 does not escape user metadata before outputting them in mentions, which could allow users with a role of Contributor and above to perform Stored XSS attacks

The Interactive Contact Form and Multi Step Form Builder WordPress plugin before 3.4 does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks

The File Manager Pro WordPress plugin before 1.8.1 does not adequately validate and escape some inputs, leading to XSS by high-privilege users.

The WordPress File Upload WordPress plugin before 4.23.3 does not sanitise and escape some of its settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting attacks.

The Tutor LMS WordPress plugin before 2.3.0 does not sanitise and escape some of its settings, which could allow users such as subscriber to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

The User Avatar WordPress plugin before 1.2.2 does not properly sanitize and escape certain of its shortcodes attributes, which could allow relatively low-privileged users like contributors to conduct Stored XSS attacks.

The User Activity Log Pro WordPress plugin before 2.3.4 does not properly escape recorded User-Agents in the user activity logs dashboard, which may allow visitors to conduct Stored Cross-Site Scripting attacks.

The Magee Shortcodes WordPress plugin through 2.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

The Testimonial Slider Shortcode WordPress plugin before 1.1.9 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin