The WordPress Search Exclude plugin, which has 30,000+ active installations, was prone to two vulnerabilities that could allow any user to change its settings.
The WordPress Login or Logout Menu Item (10,000+ active installations) was prone to an unauthenticated options change vulnerability.
An unauthenticated options import vulnerability combined with a stored XSS vulnerability can lead to remote code execution in the WordPress “Woody Ad Snippets” plugin (90,000+ active installations), allowing hackers to compromise the website and its database.
The WordPress Ocean Extra plugin, which has over 400,000 active installations, was prone to settings change and CSS injection vulnerabilities in version 1.5.8 and below.
The popular Easy WP SMTP plugin, which has 300,000+ active installations, was prone to a critical zero-day vulnerability.