CVE-2015-9438

The display-widgets plugin before 2.04 for WordPress has XSS via the wp-admin/admin-ajax.php?action=dwshowwidget idbase, widgetnumber, or instance parameter...

Ninja Forms < 3.6.11 - Unauthenticated PHP Object Injection

The plugin does not validate merge tags provided in the request, which could allow unauthenticated attackers to call any static method present in the blog. One from the plugin in particular could allow for PHP Object Injection when a suitable gadget is also present on the blog. Attackers have bee...