The WordPress Download Plugins and Themes from Dashboard plugin, which has 10,000+ active installations, was prone to an unauthenticated stored XSS vulnerability in version 1.5.0 and below.
The WordPress Motors Car Dealer & Classified Ads plugin, which has 10,000+ active installations, was prone to multiple vulnerabilities in version 1.4.0 and below.
The WordPress Search Exclude plugin, which has 30,000+ active installations, was prone to two vulnerabilities that could allow any user to change its settings.
The WordPress Login or Logout Menu Item (10,000+ active installations) was prone to an unauthenticated options change vulnerability.
An unauthenticated options import vulnerability combined with a stored XSS vulnerability can lead to remote code execution in the WordPress “Woody Ad Snippets” plugin (90,000+ active installations), allowing hackers to compromise the website and its database.