PHP Scripts Mall Consumer Reviews Script 4.0.3 has HTML injection via the search box.
AutoUpdater.cs in AutoUpdater.NET before 1.5.8 allows XXE.
The includes/gateways/stripe/includes/admin/admin-actions.php in GiveWP plugin through 2.5.9 for WordPress allows unauthenticated settings change.
Cross-site scripting vulnerability in Address Book of Cybozu Office 10.0.0 to 10.8.4 allows remote attackers to inject an arbitrary script via unspecified vectors.