Improper input validation in the WordPress Controlled Admin Access plugin (8,000+ active installations) affecting version 1.5.5 and below could lead to privilege escalation.
The WordPress Flo Forms plugin (10,000+ installations) fixed a critical zero-day vulnerability affecting version 1.0.35 and below that could allow the attacker to take over the website and its database.
Many WordPress plugins were found to be vulnerable to cross-site request forgery (CSRF) attacks.
The WordPress Ultimate GDPR and CCPA Compliance Toolkit plugin, which has 6,000+ sales on Envato Market, was prone to a critical unauthenticated settings import and export vulnerability affecting version 2.4 and below that could allow an attacker to redirect traffic to a malicious site among other issues.
The WordPress uListing plugin (3,000+ active installations) fixed multiple critical vulnerabilities affecting version 1.6.6 and below.