CVE-2026-9008

The Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.2. This is due to the pagelistunqprfxextshortcode function the pagelistext / pagelistext shortcode accepting attacker-controlled poststatus, posttype, and showmetakey attributes and...

CVE-2026-9008

CVE-2026-9008 affects the Page-list WordPress plugin (versions up to 6.2). The pagelist_unqprfx_ext_shortcode() function for the [pagelist_ext]/[pagelistext] shortcodes accepts attacker-controlled post_status, post_type, and show_meta_key attributes and passes them into get_pages() and get_post_m...

CVE-2026-9008 Page-list <= 6.2 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Disclosure via Shortcode Attributes

The Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.2. This is due to the pagelistunqprfxextshortcode function the pagelistext / pagelistext shortcode accepting attacker-controlled poststatus, posttype, and showmetakey attributes and...

PT-2026-47124

The Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.2. This is due to the pagelist unqprfx ext shortcode function the pagelist ext / pagelistext shortcode accepting attacker-controlled post status, post type, and show meta key attribut...

CVE-2025-58030 WordPress Page-list Plugin <= 5.8 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in webvitaly Page-list page-list allows Stored XSS.This issue affects Page-list: from n/a through = 5.8...

CVE-2025-58030

The CVE-2025-58030 entry concerns a Stored XSS in the WordPress Page-list plugin (v5.7 and earlier). Root cause: improper neutralization of input during web page generation. Affected: Page-list. Status in the provided docs: patch status Unpatched; CVSS v3.1 base score 6.5 (AV:N/AC:L/PR:L/UI:R/S:C...

WordPress plugin Page-list 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A cross-site scripting...

WordPress Page-list plugin <= 5.6 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by kslatz Patchstack Alliance in WordPress Plugin Page-list versions = 5.6...

CVE-2022-4485

The Page-list WordPress plugin before 5.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege user...

CVE-2022-4485 Page-list < 5.3 - Contributor+ Stored XSS

The Page-list WordPress plugin before 5.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege user...

Page-list < 5.3 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Exploit...