Critical Severity Vulnerabilities
28.6K CVEs classified as critical severity
The plugmatter-optin-feature-box-lite plugin before 2.0.14 for WordPress has SQL injection via the wp-admin/admin-ajax.php?action=pmfb_cc pmfb_tid parameter.
The oauth2-provider plugin before 3.1.5 for WordPress has incorrect generation of random numbers.
The wp-polls plugin before 2.72 for WordPress has SQL injection.
The feed-them-social plugin before 1.7.0 for WordPress has possible shortcode execution in the Facebook Feeds load more button.
The link-log plugin before 2.1 for WordPress has SQL injection.
The limit-attempts plugin before 1.1.1 for WordPress has SQL injection during IP address handling.
The email-newsletter plugin through 20.15 for WordPress has SQL injection.
The cforms2 plugin before 14.6.10 for WordPress has SQL injection.
The wp-all-import plugin before 3.2.5 for WordPress has blind SQL injection.
The wp-business-intelligence-lite plugin before 1.6.3 for WordPress has SQL injection.
The visitors-online plugin before 0.4 for WordPress has SQL injection.
The easy-digital-downloads plugin before 2.3.3 for WordPress has SQL injection.
The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection.
The wp-fastest-cache plugin before 0.8.4.9 for WordPress has SQL injection in wp-admin/admin-ajax.php?action=wpfc_wppolls_ajax_request via the poll_id parameter.
The newstatpress plugin before 1.0.1 for WordPress has SQL injection.
The newstatpress plugin before 1.0.5 for WordPress has SQL injection related to an IMG element.
The all-in-one-wp-security-and-firewall plugin before 3.9.1 for WordPress has multiple SQL injection issues.
The liveforms plugin before 3.2.0 for WordPress has SQL injection.
The events-manager plugin before 5.6 for WordPress has code injection.
In FreeType before 2.6.1, a buffer over-read occurs in type1/t1parse.c on function T1_Get_Private_Dict where there is no check that the new values of cur and limit are sensible before going to Again.
Directory Traversal was discovered in University of Cambridge mod_ucam_webauth before 2.0.2. The key identification field ("kid") of the IdP's HTTP response message ("WLS-Response") can be manipulated...
MailEnable before 8.60 allows Privilege Escalation because admin accounts could be created as a consequence of %0A mishandling in AUTH.TAB after a password-change request.
The videowhisper-video-presentation plugin 3.31.17 for WordPress allows remote attackers to execute arbitrary code because vp/vw_upload.php considers a file safe when "html" are the last four characte...
The VideoWhisper videowhisper-video-conference-integration plugin 4.91.8 for WordPress allows remote attackers to execute arbitrary code because vc/vw_upload.php considers a file safe when "html" are ...