An XML external entity (XXE) injection in PyWPS before 4.4.5 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected.

WPS Hide Login 1.6.1 allows remote attackers to bypass a protection mechanism via post_password.

GdiDrawHoriLineIAlt in Kingsoft WPS Office before 11.2.0.9403 allows remote heap corruption via a crafted PLTE chunk in PNG data within a Word document. This is related to QBrush::setMatrix in gui/painting/qbrush.cpp in Qt 4.x.

cn.wps.moffice.common.beans.print.CloudPrintWebView in Kingsoft Office 5.3.1, as used in Huawei P2 devices before V100R001C00B043, falls back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and execute arbitrary Java code by leveraging a network position between the client and the registry to block HTTPS traffic.

Cross-site request forgery (CSRF) vulnerability in WP Spell Check 7.1.9 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

The wps-hide-login plugin before 1.1 for WordPress has CSRF that affects saving an option value.

The wps-hide-login plugin before 1.5.3 for WordPress has an adminhash protection bypass.

The wps-hide-login plugin before 1.5.3 for WordPress has an action=confirmaction protection bypass.

The wps-hide-login plugin before 1.5.3 for WordPress has a protection bypass via wp-login.php in the Referer field.

The wps-child-theme-generator plugin before 1.2 for WordPress has classes/helpers.php directory traversal.