219 matches found
CVE-2026-4089 Twittee Text Tweet <= 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute
The Twittee Text Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in all versions up to and including 1.0.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The ttttwitteetweeter...
CVE-2026-4089 Twittee Text Tweet <= 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute
The Twittee Text Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in all versions up to and including 1.0.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The ttttwitteetweeter...
CVE-2026-4126 Table Manager <= 1.0.0 - Authenticated (Contributor+) Sensitive Information Exposure via 'table' Shortcode Attribute
The Table Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0 via the 'tablemanager' shortcode. The shortcode handler tablemanagerrendertableshortcode takes a user-controlled table attribute, applies only sanitizekey for...
CVE-2026-4126
Summary: The WordPress Table Manager plugin (v1.0.0 and earlier) is vulnerable to sensitive data exposure via the table shortcode. The handler uses a user-controlled table attribute, only applies sanitize_key(), and concatenates the value with $wpdb->prefix to form a full table name, then exec...
CVE-2026-4279 Bread & Butter: Content Gating for Verified Leads <= 8.2.0.25 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Bread & Butter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'breadbutter-customevent-button' shortcode in all versions up to, and including, 8.2.0.25. This is due to insufficient input sanitization and output escaping on the 'event' shortcode attribute. The...
PT-2026-34289
The WPMK Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to and including 1.0.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the wpmk block...
PT-2026-34307
Name of the Vulnerable Software and Affected Versions Posts map plugin for WordPress versions prior to 0.1.4 Description Insufficient input sanitization and output escaping on user supplied attributes allow authenticated attackers with contributor-level access and above to inject arbitrary web...
CVE-2026-4011
The CVE-2026-4011 entry describes a Stored Cross-Site Scripting flaw in the Power Charts Lite WordPress plugin (versions
CVE-2026-5717
The CVE-2026-5717 entry concerns the WordPress plugin VI: Include Post By. Affected: all versions up to 0.4.200706. Issue: Stored Cross-Site Scripting via the class_container attribute of the include-post-by-cat shortcode, caused by insufficient input sanitization and output escaping on user-supp...
CVE-2026-5717 VI: Include Post By <= 0.4.200706 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class_container' Shortcode Attribute
The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'classcontainer' attribute of the 'include-post-by-cat' shortcode in all versions up to, and including, 0.4.200706 due to insufficient input sanitization and output escaping on user supplied...
CVE-2026-5717 VI: Include Post By <= 0.4.200706 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class_container' Shortcode Attribute
The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'classcontainer' attribute of the 'include-post-by-cat' shortcode in all versions up to, and including, 0.4.200706 due to insufficient input sanitization and output escaping on user supplied...
WordPress WP Circliful plugin <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'id' Shortcode Attribute vulnerability discovered by Gilang - DJ in WordPress Plugin WP Circliful versions = 1.2...
WordPress Power Charts plugin <= 0.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'id' Shortcode Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Power Charts versions = 0.1.0...
WordPress VI: Include Post By plugin <= 0.4.200706 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class_container' Shortcode Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'classcontainer' Shortcode Attribute vulnerability discovered by MAJidox in WordPress Plugin VI: Include Post By versions = 0.4.200706...
CVE-2026-4059
CVE-2026-4059 (ShopLentor WordPress plugin) is a Stored Cross-Site Scripting vulnerability affecting all versions up to 3.3.5. The issue arises from insufficient input sanitization and missing output escaping on the woolentor_quickview_button shortcode’s button_text attribute, allowing authentica...
EUVD-2026-22217
The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the woolentorquickviewbutton shortcode's buttontext attribute in all versions up to, and including, 3.3.5. This is due to insufficient input sanitization and missing output escaping on user-supplied shortcode...
CVE-2026-4059 ShopLentor <= 3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button_text' Shortcode Attribute
The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the woolentorquickviewbutton shortcode's buttontext attribute in all versions up to, and including, 3.3.5. This is due to insufficient input sanitization and missing output escaping on user-supplied shortcode...
WordPress OSM plugin <= 6.1.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'marker_name' Shortcode Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'markername' Shortcode Attribute vulnerability discovered by Nguyen Ngoc Duc duc193 in WordPress Plugin OSM versions = 6.1.15...
WordPress pdfl.io plugin <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'text' Shortcode Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'text' Shortcode Attribute vulnerability discovered by zakaria in WordPress Plugin pdfl.io versions = 1.0.5...
CVE-2026-4073
The pdfl.io plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pdflio' shortcode in all versions up to, and including, 1.0.5. This is due to insufficient input sanitization and output escaping on the 'text' shortcode attribute. The outputshortcode function directly...