"plugin Rss Remote File Inclusion Vulnerability" from your second post was fixed in RSS add-on a long time ago.
Regarding the first XSS bug - this affects only Memberlist add-on
and nothing else, and I wouldn't say there is something critical because such approach doesn't affect the database anyway. However I know there are some cases when it's possible to steal cookie that way and perform other impossible tasks, so I've just fixed the affected memberlist add-on with the following line:
which is put instead of
The package in downloads is fixed as well.
Thank you for mentioning.