The Canvasflow for WordPress plugin through 1.5.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

The Live2DWebCanvas plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ClearFiles() function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Incorrect Authorization vulnerability in Drupal Responsive and off-canvas menu allows Forceful Browsing.This issue affects Responsive and off-canvas menu: from 0.0.0 before 4.4.4.

Missing Authorization vulnerability in Thomas Scholl canvasio3D Light allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects canvasio3D Light: from n/a through 2.5.0.

Unrestricted Upload of File with Dangerous Type vulnerability in Thomas Scholl canvasio3D Light.This issue affects canvasio3D Light: from n/a through 2.5.0.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jory Hogeveen Off-Canvas Sidebars & Menus (Slidebars) allows Stored XSS.This issue affects Off-Canvas Sidebars & Menus (Slidebars): from n/a through 0.5.8.1.

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Thomas Scholl canvasio3D Light plugin <= 2.4.6 versions.

Instructure Canvas LMS didn't properly deny access to locked/unpublished files when the unprivileged user access the DocViewer based file preview URL (canvadoc_session_url).

A vulnerability classified as critical has been found in pacman-canvas up to 1.0.5. Affected is the function addHighscore of the file data/db-handler.php. The manipulation leads to sql injection. It is possible to launch the attack remotely. Upgrading to version 1.0.6 is able to address this issue. The name of the patch is 29522c90ca1cebfce6453a5af5a45281d99b0646. It is recommended to upgrade the affected component. VDB-216270 is the identifier assigned to this vulnerability.

The MOLIE WordPress plugin through 0.5 does not validate and escape a post parameter before using in a SQL statement, leading to an SQL Injection