The dated_news (aka Dated News) extension through 5.1.1 for TYPO3 allows XSS.

The Newsletter extension through 4.0.0 for TYPO3 allows SQL Injection.

The dated_news (aka Dated News) extension through 5.1.1 for TYPO3 has incorrect Access Control for confirming various applications.

An arbitrary file upload in the <input type="file" name="user_image"> component of NewsOne CMS v1.1.0 allows attackers to webshell and execute arbitrary commands.

The Nifty Newsletters WordPress plugin is vulnerable to Cross-Site Request Forgery via the sola_nl_wp_head function found in the ~/sola-newsletters.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.0.23.

The JNews WordPress theme before 8.0.6 did not sanitise the cat_id parameter in the POST request /?ajax-request=jnews (with action=jnews_build_mega_category_*), leading to a Reflected Cross-Site Scripting (XSS) issue.

Online News Portal using PHP/MySQLi 1.0 is affected by cross-site scripting (XSS) which allows remote attackers to inject an arbitrary web script or HTML via the "Title" parameter.

A Reflected Authenticated Cross-Site Scripting (XSS) vulnerability in the Newsletter plugin before 6.8.2 for WordPress allows remote attackers to trick a victim into submitting a tnpc_render AJAX request containing either JavaScript in an options parameter, or a base64-encoded JSON string containing JavaScript in the encoded_options parameter.

SimplePHPscripts News Script PHP Pro 2.3 is affected by a Cross Site Request Forgery (CSRF) vulnerability, which allows attackers to add new users.

SimplePHPscripts News Script PHP Pro 2.3 does not properly set the HttpOnly Flag from Session Cookies.