NextGEN Gallery <= 2.1.56 - Authenticated Local File Inclusion (LFI)
Formidable Forms <= 1.07.11 - Authenticated Blind SQL Injection
Contact Form Integrated With Google Maps 1.0-2.4 - Stored Cross-Site Scripting (XSS)
Easy Contact Form Solution 1.0-1.6 - Stored Cross-Site Scripting (XSS)
Gallery Bank 2.0.26-3.0.69 - Reflected Cross-Site Scripting (XSS)
Grand Flagallery <= 4.24 - Full Path Disclosure
Gravity Upload Ajax <= 1.1 - Arbitrary File Upload
Post highlights 2.0-2.6 - Stored Cross-Site Scripting (XSS)
Profile Builder <= 2.0.2 - Reflected Cross-Site Scripting (XSS)
WordPress Store Locator 2.3-3.11 - SQL Injection
Form Manager <= 1.7.2 - Authenticated Remote Command Execution (RCE)
Payment Form for PayPal Pro <= 1.0.1 - Multiple Reflected Cross-Site Scripting (XSS)
Support Ticket System <= 1.2 - Unauthenticated SQL Injection
Easy2Map <= 1.2.9 - Local File Inclusion
Easy2Map <= 1.2.9 - Reflected Cross-Site Scripting (XSS)
ResAds <= 1.0.1 - Reflected Cross-Site Scripting (XSS)
WordPress Landing Pages 1.8.8-1.9.0 - Unauthenticated Remote Command Execution
Job Manager <= 0.7.25 - Insecure Direct Object Reference
Private Only <= 3.5.1 - CSRF & XSS
Count Per Day 3.4 - SQL Injection
Paid Memberships Pro 1.8.4.2 - Cross-Site Scripting (XSS)
Plotly <= 1.0.2 - Authenticated Stored Cross-Site Scripting (XSS)
Custom Content Type Manager <= 0.9.8.5 - Remote Code Execution
Easy2Map Photos <= 1.0.9 - SQL Injection
N-Media File Uploader <= 3.7 - Unauthenticated Arbitrary File Upload
Nextend Twitter Connect <= 1.5.1 - Reflected Cross-Site Scripting (XSS)
WP Membership <= 1.2.3 - Multiple Vulnerabilities
TheCartPress <= 1.3.9 - Multiple Vulnerabilities
NextGEN Gallery <= 2.0.77 - CSRF & Arbitrary File Upload
WP Marketplace <= 2.4.0 - Arbitrary File Download
Photo Gallery <= 1.2.11 - Cross-Site Scripting (XSS)
Huge IT Slider <= 2.6.8 - SQL Injection
Wordfence <= 5.1.4 - Cross-Site Scripting (XSS)
Ninja Forms 2.8.6 - Reflected Cross-Site Scripting (XSS)
Smart Forms 2.1.0 Cross-Site Scripting (XSS)
WP Photo Album Plus 5.4.17 Reflected XSS
Contact Bank Standard Edition <= 2.0.69 - Cross-Site Scripting (XSS)
LiveSupporti 1.0 - Stored Cross-Site Scripting (XSS)
Creative Contact Form <= 0.9.7 Shell Upload
WP-DBManager 2.7.1 Authenticated Command Injection
Advanced Access Manager 2.8.2 - Admin User File Read/Write
bSuite - Multiple Cross-Site Scripting (XSS)
wp-video-commando Plugin - Cross-Site Scripting (XSS)
Flash Uploader <= 3.1.2 - Arbitrary Command Execution
A Page Flip Book 2.3 - index.php pageflipbook_language Parameter Traversal Local File Inclusion
All in One SEO Pack <= 2.0.3 - XSS
Buddypress <= 1.9.1 - Crafted bp_new_group_id Cookie Arbitrary Group Manipulation
Cardoza WordPress Poll <= 34.05 - Multiple External Function Remote Poll Manipulation
Cart66 Lite - admin.php cart66-products Page Multiple Field Stored XSS
Disable Comments 1.0.3 - disable_comments_settings.php Comment Status Manipulation CSRF
EZPZ One Click Backup <= 12.03.10 - Unauthenticated Command Execution
Gallery - "load" Remote File Inclusion
HMS Testimonials 2.0.10 - XSS
NextGEN Gallery 1.9.12 - Arbitrary File Upload
Pinboard 1.0.6 - includes/theme-options.php tab Parameter XSS
Portable phpMyAdmin - /pma/phpinfo.php Direct Request System Information Disclosure
Portable phpMyAdmin 1.4.1 - Multiple Script Direct Request Authentication Bypass
User Photo - Component Remote File Upload
W3 Total Cache - Remote Code Execution
W3 Total Cache 0.9.2.4 - Username & Hash Extract
WP Super Cache 1.3 - trunk/plugins/awaitingmoderation.php URI XSS
WP Super Cache 1.3 - trunk/plugins/badbehaviour.php URI XSS
WP Super Cache 1.3 - trunk/plugins/domain-mapping.php URI XSS
WP Super Cache 1.3 - trunk/plugins/searchengine.php URI XSS
WP Super Cache 1.3 - trunk/plugins/wptouch.php URI XSS
WP Super Cache 1.3 - trunk/wp-cache.php wp_nonce_url Function URI XSS
WordPress Poll <= 34.05 - SQL Injection
Xorbin Analog Flash Clock 1.0 - Flash-based XSS
Xorbin Digital Flash Clock 1.0 - Flash-based XSS
podPress 8.8.10.13 - players/1pixelout/1pixelout_player.swf playerID Parameter XSS
uk-cookie - Cross-Site Request Forgery (CSRF)
wp-cleanfix - Remote Command Execution, CSRF & XSS
wp-gpx-max version 1.1.21 - Arbitrary File Upload