The all-in-one-schemaorg-rich-snippets plugin before 1.5.0 for WordPress has XSS on the settings page.
CWE-79
CVE-2018-20978
The wp-all-import plugin before 3.4.7 for WordPress has XSS.
CVE-2018-20982
The media-library-assistant plugin before 2.74 for WordPress has XSS via the Media/Assistant or Settings/Media Library assistant admin submenu screens.
CVE-2018-20983
The wp-retina-2x plugin before 5.2.3 for WordPress has XSS.
CVE-2018-20986
The advanced-custom-fields (aka Elliot Condon Advanced Custom Fields) plugin before 5.7.8 for WordPress has XSS by authors.
CVE-2018-20928
cPanel before 70.0.23 allows stored XSS via the cpaddons vendor interface (SEC-391).