48 matches found

Cvelist
added 2025/09/09 4:25 a.m. · 8 views

CVE-2025-9489 WP-Members Membership Plugin <= 3.5.4.2 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via Profile Names

The WP-Members Membership Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.5.4.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it...

CVSS 5 · EPSS 0.00266 · Exploits 0 · References 3

Vulnrichment
added 2025/09/09 4:25 a.m. · 3 views

CVE-2025-9489 WP-Members Membership Plugin <= 3.5.4.2 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via Profile Names

The WP-Members Membership Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.5.4.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it...

CVSS 5 · AI score 5.9 · EPSS 0.00266 · Exploits 0 · References 3

CVE
added 2025/09/06 1:45 a.m. · 19 views

CVE-2025-7366

The CVE-2025-7366 entry concerns the REHub - Price Comparison, Multi Vendor Marketplace WordPress Theme. According to multiple sources in the connected documents, versions up to and including 19.9.7 are affected by an unauthenticated arbitrary shortcode execution flaw triggered via re_filterpost,...

CVSS 7.3 · AI score 6.2 · EPSS 0.00336 · Exploits 0 · References 2

Positive Technologies
added 2025/09/06 12:0 a.m. · 4 views

PT-2025-36347

Name of the Vulnerable Software and Affected Versions: The REHub - Price Comparison, Multi Vendor Marketplace WordPress Theme versions prior to 19.9.8

Description: The REHub - Price Comparison, Multi Vendor Marketplace WordPress Theme for WordPress is susceptible to arbitrary shortcode execution...

CVSS 7.3 · AI score 6.8 · EPSS 0.00336 · Exploits 0 · References 8

CVE
added 2025/08/16 11:11 a.m. · 25 views

CVE-2025-8878

CVE-2025-8878 affects the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress for WordPress. Affected versions are all up to 4.16.4. Root cause: unauthenticated user-supplied input is not properly validated before executing do_shor...

CVSS 6.5 · AI score 7.3 · EPSS 0.0041 · Exploits 0 · References 7

RedhatCVE
added 2025/05/23 9:29 a.m. · 12 views

CVE-2024-7381

The Geo Controller plugin for WordPress is vulnerable to unauthorized shortcode execution due to missing authorization and capability checks on the ajaxshortcodecache function in all versions up to, and including, 8.6.9. This makes it possible for unauthenticated attackers to execute arbitrary...

CVSS 5.3 · AI score 7.7 · EPSS 0.00339 · Exploits 0 · References 1

RedhatCVE
added 2025/05/17 9:3 p.m. · 16 views

CVE-2024-10075

The Jetpack WordPress plugin before 13.8 does not ensure that the post created by the Contact Form is only accessible to authorised users, which could allow unauthenticated users to run arbitrary shortcodes and block...

CVSS 5.6 · AI score 7 · EPSS 0.00334 · Exploits 1 · References 1

CVE
added 2025/05/15 8:6 p.m. · 76 views

CVE-2024-10075

The CVE-2024-10075 entry concerns the WordPress Jetpack plugin (pre-13.8). The vulnerability arises from insufficient access control on posts created by the Contact Form, allowing unauthenticated users to access those posts and potentially execute arbitrary shortcodes. The underlying impact is th...

CVSS 5.6 · AI score 7 · EPSS 0.00334 · Exploits 1 · References 1 · Affected Software 1

OSV
added 2025/04/22 12:15 p.m. · 3 views

CVE-2025-3472

The Ocean Extra plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.4.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for...

CVSS 9.8 · AI score 6.1 · Exploits 0 · References 3

Positive Technologies
added 2025/02/12 12:0 a.m. · 3 views

PT-2025-6454 · WordPress · The Global Gallery

Name of the Vulnerable Software and Affected Versions: The Global Gallery - WordPress Responsive Gallery plugin for WordPress versions up to, and including, 9.1.5

Description: The issue arises from the software allowing users to execute an action that does not properly validate a value before...

CVSS 8.8 · AI score 9.7 · EPSS 0.00483 · Exploits 0 · References 8

Positive Technologies
added 2025/01/30 12:0 a.m. · 3 views

PT-2025-2179 · Pirateforms · Contact Form & Smtp Plugin

Name of the Vulnerable Software and Affected Versions: The Contact Form & SMTP Plugin for WordPress by PirateForms versions up to, and including, 2.6.0

Description: The issue arises from the software allowing users to execute an action that does not properly validate a value before running do...

CVSS 7.3 · AI score 9.7 · EPSS 0.0054 · Exploits 0 · References 8

OSV
added 2025/01/22 11:15 a.m. · 2 views

CVE-2024-13499

The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via gamipressdoshortcode function in all versions up to, and including, 7.2.1. This is due to the software allowing users to...

CVSS 7.3 · AI score 6.1 · EPSS 0.00581 · Exploits 0 · References 5

Positive Technologies
added 2025/01/22 12:0 a.m. · 5 views

PT-2025-2189 · WordPress · Gamipress

Name of the Vulnerable Software and Affected Versions: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress versions up to, and including, 7.2.1

Description: The issue arises due to the software allowing users to execute an action that does not properly...

CVSS 7.3 · AI score 7.9 · EPSS 0.00549 · Exploits 0 · References 12

OSV
added 2025/01/16 2:15 a.m. · 4 views

CVE-2024-10970

The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.43. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode...

CVSS 5.4 · AI score 6.1 · Exploits 0 · References 2

Positive Technologies
added 2024/12/06 12:0 a.m. · 4 views

PT-2024-16456 · WordPress · Armember

Name of the Vulnerable Software and Affected Versions: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress versions up to, and including, 4.0.51

Description: The issue is related to arbitrary shortcode execution due to the software...

CVSS 6.3 · AI score 7.7 · EPSS 0.00358 · Exploits 0 · References 7

Positive Technologies
added 2024/12/06 12:0 a.m. · 3 views

PT-2024-16635 · WordPress · Pojo Forms

Name of the Vulnerable Software and Affected Versions: Pojo Forms plugin for WordPress versions 1.4.7 and earlier

Description: The Pojo Forms plugin for WordPress is vulnerable to arbitrary shortcode execution via the form preview shortcode AJAX action. This is due to the software allowing users ...

CVSS 6.3 · AI score 7.7 · EPSS 0.00439 · Exploits 0 · References 9

Cvelist
added 2024/11/13 2:2 a.m. · 26 views

CVE-2024-9578 Hide Links <= 1.4.2 - Unauthenticated Shortcode Execution

The Hide Links plugin for WordPress is vulnerable to unauthorized shortcode execution due to do_shortcode being hooked through the comment_text filter in all versions up to and including 1.4.2. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes available on the...

CVSS 5.3 · EPSS 0.00536 · Exploits 0 · References 2

OSV
added 2024/10/30 3:15 a.m. · 4 views

CVE-2024-9846

The Enable Shortcodes inside Widgets,Comments and Experts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0.0. This is due to the software allowing users to execute an action that does not properly validate a value before running...

CVSS 7.3 · AI score 6.1 · EPSS 0.00542 · Exploits 0 · References 3

Positive Technologies
added 2024/10/30 12:0 a.m. · 5 views

PT-2024-39884 · WordPress · Enable Shortcodes Inside Widgets

Name of the Vulnerable Software and Affected Versions: The Enable Shortcodes inside Widgets,Comments and Experts plugin for WordPress version 1.0.0 and earlier

Description: The issue allows unauthenticated attackers to execute arbitrary shortcodes due to the software not properly validating a val...

CVSS 7.3 · AI score 8.2 · EPSS 0.00542 · Exploits 0 · References 7

Positive Technologies
added 2024/10/26 12:0 a.m. · 4 views

PT-2024-39832 · WordPress · Uix Shortcodes

Name of the Vulnerable Software and Affected Versions: The Uix Shortcodes – Compatible with Gutenberg plugin for WordPress versions up to, and including, 1.9.9

Description: The issue is related to arbitrary shortcode execution due to the software allowing users to execute an action that does not...

CVSS 7.3 · AI score 7.7 · EPSS 0.01411 · Exploits 0 · References 9