The Advanced Booking Calendar WordPress plugin before 1.7.0 does not validate and escape the calendar parameter before using it in a SQL statement via the abc_booking_getSingleCalendar AJAX action (available to both unauthenticated and authenticated users), leading to an unauthenticated SQL injection.
The Master Elements WordPress plugin through 8.0 does not validate and escape the meta_ids parameter of its remove_post_meta_condition AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL injection.
Open Redirect on Rudloff/alltube in Packagist rudloff/alltube prior to 3.0.1.
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.
Use of a one-time coupon multiple times in Packagist microweber/microweber prior to 1.2.11.
Business Logic Errors in Packagist microweber/microweber prior to 1.2.11.
The Amelia WordPress plugin before 1.0.47 stores image blobs into actual files whose extension is controlled by the user, which may lead to PHP backdoors being uploaded onto the site. This vulnerability can be exploited by logged-in users with the custom "Amelia Manager" role.
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4418.