https://blog.dewhurstsecurity.com/2018/05/22/loginizer-wordpress-plugin-xss-vulnerability.html

https://wpvulndb.com/vulnerabilities/9087

Researcher doesnt indicate which versions are vulnerable. Assume all.

https://www.pluginvulnerabilities.com/2018/05/21/our-plugin-security-checker-found-a-reflected-xss-vulnerability-in-wordpress-plugin-with-100000-active-installs/

I can't find any information about this plugin, but a quick search showed it being installed in several sites, with most being exploited. If you're using this one, I'd definitely remove it asap.

https://cxsecurity.com/issue/WLB-2018050197

Download Open Graph for Facebook, Google+ and Twitter Card Tags

wonderm00ns-simple-facebook-open-graph-tags

Researcher has the details behind a paywall, but a quick look shows that the issue was on line 324 of /wonderm00ns-simple-facebook-open-graph-tags/admin/class-webdados-fb-open-graph-admin.php

https://www.pluginvulnerabilities.com/2018/05/21/vulnerability-details-reflected-cross-site-scripting-xss-vulnerability-in-open-graph-for-facebook-google-and-twitter-card-tags/

Researcher has the details behind a paywall, but in looking at the changesets from the last update https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=1876432%40custom-css-js-php%2Ftrunk%2Fcore%2Fclass.plugin-overview.php&old=1755718%40custom-css-js-php%2Ftrunk%2Fcore%2Fclass.plugin-overview.php the developer attempted to fix the issue by filtering the data through sanitize_text_field(). Unfortunately, the value is later echoed inside an element (line 170 of the same file) and sanitize_text_field() doesn't encode quotes, so an attacker could still inject code.

https://www.pluginvulnerabilities.com/2018/05/21/vulnerability-details-reflected-cross-site-scripting-xss-vulnerability-in-custom-css-js-php/ and https://wordpress.org/plugins/custom-css-js-php/#developers