The WordPress ND Travel Management plugin (1,000+ active installations) was prone to a critical vulnerability that could allow an attacker to take over the blog and its database
A unauthenticated options import vulnerability combined with a stored XSS vulnerability can lead to remote code execution in the WordPress “Woody Ad Snippets” plugin (90,000+ active installations), allowing hackers to compromise the website and its database.
The WordPress ND Shortcodes For Visual Composer plugin (10,000+ active installations), was prone to a critical privilege escalation vulnerability.
The WordPress Pirate Forms plugin (200,000+ active installations) was prone to an HTML injection vulnerability that could be used to target the administrator.
The WordPress Coming Soon Page and Maintenance Mode (7,000+ active installations), was prone to unauthenticated stored XSS and settings reset vulnerabilities in version 1.7.8 and below.