Anyone can access pulse/admin/inc/gal-sort.php.

By default .swf files in Media Manager are allowed.

Regular user (created using wp-login.php?action=register) can run backup functionality.

Link to created backup file is saved in public log.

`Cart66Ajax

$_POST['text'] is not escaped.

Anyone can change plugin settings.

Datas are not escaped correctly.