The persian-woocommerce-sms plugin before 3.3.4 for WordPress has ps_sms_numbers XSS.
The wp-cerber plugin before 2.7 for WordPress has XSS via the X-Forwarded-For HTTP header.
The echosign plugin before 1.2 for WordPress has XSS via the templates/add_templates.php id parameter.
The tweet-wheel plugin before 184.108.40.206 for WordPress has XSS via consumer_key, consumer_secret, access_token, and access_token_secret.
The ghost plugin before 0.5.6 for WordPress has no access control for wp-admin/tools.php?ghostexport=true downloads of exported data.