The WordPress WP Quick FrontEnd Editor plugin (1,000+ active installations) is prone to a broken access control vulnerability affecting version 5.5 and below that could lead to authenticated content injection, stored XSS and settings changes.
The WordPress ListingPro theme, which has 19,000+ sales on Envato Market, fixed a critical vulnerability that could allow an unauthenticated user to upload any file to the blog, among other issues.
The WordPress Ultimate Reviews plugin (2,000+ active installations) fixed an insecure deserialization vulnerability affecting version 2.1.32 and below that could lead to unauthenticated PHP object injection.
Fifteen WordPress themes were prone to critical unauthenticated function injection and privilege escalation vulnerabilities.
The WordPress Simple:Press plugin (600+ active installations) fixed a broken access control vulnerability affecting version 6.6.0 and below that could lead to unauthenticated arbitrary file upload and remote code execution.