The appointment-booking-calendar plugin before 1.1.24 for WordPress has SQL injection, a different vulnerability than CVE-2015-7319.

The booking-calendar-contact-form plugin before 1.0.24 for WordPress has SQL injection.

The booking-calendar-contact-form plugin before 1.0.24 for WordPress has XSS.

The "CP Contact Form with PayPal" plugin before 1.2.98 for WordPress has XSS in CSS edition.

The contact-form-to-email plugin before 1.2.66 for WordPress has CSRF.

The contact-form-to-email plugin before 1.2.66 for WordPress has XSS.

The Appointment Booking Calendar plugin 1.3.18 for WordPress allows XSS via the wp-admin/admin-post.php editionarea parameter.

The "CP Contact Form with PayPal" plugin before 1.2.99 for WordPress has XSS in the publishing wizard via the wp-admin/admin.php?page=cp_contact_form_paypal.php&pwizard=1 cp_contactformpp_id parameter.

The Contact Form Email plugin before 1.2.66 for WordPress allows wp-admin/admin.php item XSS, related to cp_admin_int_edition.inc.php in the "custom edition area."

Multiple cross-site scripting (XSS) vulnerabilities in the (1) cp_updateMessageItem and (2) cp_deleteMessageItem functions in cp_ppp_admin_int_message_list.inc.php in the Payment Form for PayPal Pro plugin before 1.0.2 for WordPress allow remote attackers to inject arbitrary web script or HTML via the cal parameter.