The includes/gateways/stripe/includes/admin/admin-actions.php in GiveWP plugin through 2.5.9 for WordPress allows unauthenticated settings change.
PHP Scripts Mall Consumer Reviews Script 4.0.3 has HTML injection via the search box.
AutoUpdater.cs in AutoUpdater.NET before 1.5.8 allows XXE.
Cross-site scripting vulnerability in Address Book of Cybozu Office 10.0.0 to 10.8.4 allows remote attackers to inject an arbitrary script via unspecified vectors.