CVE-2015-9438

The display-widgets plugin before 2.04 for WordPress has XSS via the wp-admin/admin-ajax.php?action=dw_show_widget id_base, widget_number, or instance parameter.

Source: CVE-2015-9438

CVE-2015-9436

The dynamic-widgets plugin before 1.5.11 for WordPress has XSS via the wp-admin/admin-ajax.php?action=term_tree prefix or widget_id parameter.

Source: CVE-2015-9436

CVE-2015-9434

The kiwi-logo-carousel plugin before 1.7.2 for WordPress has CSRF with resultant XSS via the wp-admin/edit.php?post_type=kwlogos&page=kwlogos_settings tab or tab_flags_order parameter.

Source: CVE-2015-9434

CVE-2015-9435

The oauth2-provider plugin before 3.1.5 for WordPress has incorrect generation of random numbers.

Source: CVE-2015-9435

CVE-2015-9437

The dynamic-widgets plugin before 1.5.11 for WordPress has CSRF with resultant XSS via the wp-admin/themes.php?page=dynwid-config page_limit parameter.

Source: CVE-2015-9437

CVE-2015-9433

The wp-social-bookmarking-light plugin before 1.7.10 for WordPress has CSRF with resultant XSS via configuration parameters for Tumblr, Twitter, Facebook, etc. in wp-admin/options-general.php?page=wp-social-bookmarking-light%2Fmodules%2Fadmin.php.

Source: CVE-2015-9433

CVE-2015-9432

The alpine-photo-tile-for-instagram plugin before 1.2.7.6 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=alpine-photo-tile-for-instagram-settings tab parameter.

Source: CVE-2015-9432

CVE-2019-16738

In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup.

Source: CVE-2019-16738

CVE-2015-9431

The qtranslate-x plugin before 3.4.4 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=qtranslate-x json_config_files or json_custom_i18n_config parameter.

Source: CVE-2015-9431

CVE-2015-9430

The crazy-bone plugin before 0.6.0 for WordPress has XSS via the User-Agent HTTP header.

Source: CVE-2015-9430