The Pricing Table Builder WordPress plugin before 1.1.5 does not sanitize and escape the postid parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.
CWE-79
CVE-2022-0641
The Popup Like box WordPress plugin before 3.6.1 does not sanitize and escape the ays_fb_tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.
CVE-2022-0643
The Bank Mellat WordPress plugin through 1.3.7 does not sanitize and escape the orderId parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.
CVE-2022-0647
The Bulk Creator WordPress plugin through 1.0.1 does not sanitize and escape the post_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.
CVE-2022-0648
The Team Circle Image Slider With Lightbox WordPress plugin before 1.0.16 does not sanitize and escape the order_pos parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.
CVE-2022-0649
The AdRotate WordPress plugin before 5.8.23 does not escape Group Names, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed