The MF Gig Calendar WordPress plugin through 1.1 does not sanitise or escape the id GET parameter before outputting back in the admin dashboard when editing an Event, leading to a reflected Cross-Site Scripting issue
CWE-79
CVE-2021-24512
The Video Posts Webcam Recorder WordPress plugin before 3.2.4 has an authenticated reflected cross site scripting (XSS) vulnerability in one of the administrative functions for handling deletion of videos.
CVE-2021-24513
The Form Builder | Create Responsive Contact Forms WordPress plugin before 1.9.8.4 does not sanitise or escape its Form Title, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfiltered_html capability is disallowed
CVE-2021-24514
The Visual Form Builder WordPress plugin before 3.0.4 does not sanitise or escape its Form Name, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfiltered_html capability is disallowed
CVE-2021-24515
The Video Gallery WordPress plugin before 1.1.5 does not escape the Title and Description of the videos in a gallery before outputting them in attributes, leading to Stored Cross-Site Scripting issues
CVE-2021-24516
The PlanSo Forms WordPress plugin through 2.6.3 does not escape the title of its Form before outputting it in attributes, allowing high privilege users such as admin to set XSS payload in it, even when the unfiltered_html is disallowed, leading to an Authenticated Stored Cross-Site Scripting issue.
