CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

219 matches found

CVE•added 2026/04/08 9:25 a.m.•2 views

CVE-2026-4025

CVE-2026-4025 affects the PrivateContent Free WordPress plugin (pre-1.2.0). The flaw is a Stored XSS in the [pc-login-form] shortcode via the align attribute, caused by insufficient sanitization and lack of escaping when the attribute flows from the shortcode to pc_static::form_align() and is con...

6.4CVSS6.1AI score0.00055EPSS

Exploits0References8

Vulnrichment•added 2026/04/08 9:25 a.m.•1 views

CVE-2026-4073 pdfl.io <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'text' Shortcode Attribute

The pdfl.io plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pdflio' shortcode in all versions up to, and including, 1.0.5. This is due to insufficient input sanitization and output escaping on the 'text' shortcode attribute. The outputshortcode function directly...

6.4CVSS6.1AI score0.00015EPSS

Exploits0References6

EUVD•added 2026/04/08 6:31 a.m.•1 views

EUVD-2026-20041

The Investi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'investi-announcements-accordion' shortcode's 'maximum-num-years' attribute in all versions up to, and including, 1.0.26. This is due to insufficient input sanitization and output escaping on user-supplied...

6.4CVSS6.1AI score0.00015EPSS

Exploits0References7

NVD•added 2026/04/08 5:16 a.m.•0 views

CVE-2026-3600

6.4CVSS0.00015EPSS

Exploits0References6

Vulnrichment•added 2026/04/08 2:25 a.m.•0 views

CVE-2026-4379 LightPress Lightbox <= 2.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'group' Shortcode Attribute

The LightPress Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the group attribute in the gallery shortcode in all versions up to, and including, 2.3.4. This is due to the plugin modifying gallery shortcode output to include the group attribute value without proper...

6.4CVSS5.9AI score0.00013EPSS

Exploits0References4

Patchstack•added 2026/04/07 11:17 p.m.•3 views

WordPress TableOn - WordPress Posts Table Filterable plugin <= 1.0.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute vulnerability

WordPress TableOn - WordPress Posts Table Filterable plugin = 1.0.4.4 - Authenticated Contributor+ Stored Cross-Site Scripting via 'class' Shortcode Attribute vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin TableOn versions = 1.0.4.4...

6.4CVSS5.9AI score0.00015EPSS

Exploits0References1Affected Software1

Patchstack•added 2026/04/07 10:58 p.m.•2 views

WordPress LearnPress plugin <= 4.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'skin' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'skin' Shortcode Attribute vulnerability discovered by zaim in WordPress Plugin LearnPress versions = 4.3.3...

6.4CVSS5.9AI score0.00046EPSS

Exploits0References1Affected Software1

Patchstack•added 2026/04/07 10:55 p.m.•4 views

WordPress LightPress Lightbox plugin <= 2.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'group' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'group' Shortcode Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin WP jQuery Lightbox versions = 2.3.4...

6.4CVSS5.9AI score0.00013EPSS

Exploits0References1Affected Software1

CVE•added 2026/03/26 3:37 a.m.•3 views

CVE-2026-4278

The CVE-2026-4278 entry concerns the WordPress plugin Simple Download Counter, vulnerable to Stored Cross-Site Scripting via the sdc_menu shortcode in versions up to 2.3. The root cause is insufficient input sanitization and output escaping on user-supplied shortcode attributes, specifically text...

6.4CVSS6AI score0.00084EPSS

Exploits0References10

CVE•added 2026/03/26 2:25 a.m.•2 views

CVE-2026-4075

CVE-2026-4075 : The BWL Advanced FAQ Manager Lite WordPress plugin is vulnerable to a Stored Cross-Site Scripting (XSS) via the baf_sbox shortcode in all versions up to 1.1.1. The issue arises from insufficient input sanitization and output escaping of user-supplied shortcode attributes (e.g., sb...

6.4CVSS6AI score0.00063EPSS

Exploits0References8

Patchstack•added 2026/03/23 7:53 p.m.•2 views

WordPress WPFAQBlock- FAQ & Accordion Plugin For Gutenberg plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'class' Shortcode Attribute vulnerability discovered by theviper17y in WordPress Plugin WPFAQBlock versions = 1.1...

6.4CVSS5.8AI score0.00045EPSS

Exploits0References1Affected Software1

Patchstack•added 2026/03/23 6:2 p.m.•2 views

WordPress Twitter Feeds plugin <= 1.0.0 - Authenticated (Contributor+) Cross-Site Scripting via 'tweet_title' Shortcode Attribute vulnerability

Authenticated Contributor+ Cross-Site Scripting via 'tweettitle' Shortcode Attribute vulnerability discovered by Gilang - DJ in WordPress Plugin Twitter Feeds versions = 1.0.0...

6.4CVSS5.8AI score0.00043EPSS

Exploits0References1Affected Software1

Patchstack•added 2026/03/23 4:24 p.m.•1 views

WordPress WP Random Button plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'cat' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'cat' Shortcode Attribute vulnerability discovered by zakaria in WordPress Plugin WP Random Button versions = 1.0...

6.4CVSS5.8AI score0.00048EPSS

Exploits0References1Affected Software1

Cvelist•added 2026/03/21 3:26 a.m.•24 views

CVE-2026-3619 Sheets2Table <= 0.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'titles' Shortcode Attribute

The Sheets2Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'titles' shortcode attribute in the sheets2table-render-table shortcode in all versions up to and including 0.4.1. This is due to insufficient input sanitization and output escaping. Specifically, the...

6.4CVSS0.00048EPSS

Exploits0References5

CVE•added 2026/03/21 3:26 a.m.•2 views

CVE-2026-1891

The CVE concerns the Simple Football Scoreboard plugin for WordPress. A stored XSS vulnerability exists in all versions up to 1.0 via the ytmr_fb_scoreboard shortcode, caused by insufficient input sanitization and output escaping for user-supplied attributes. Exploitation requires authenticated a...

6.4CVSS6AI score0.00043EPSS

Exploits0References3

CVE•added 2026/03/21 3:26 a.m.•2 views

CVE-2026-1093

The CVE concerns the WPFAQBlock– FAQ & Accordion Plugin For Gutenberg (WordPress). It describes a Stored Cross-Site Scripting (XSS) flaw in the shortCode attribute “class” of wpfaqblock, affecting all versions up to and including 1.1. The underlying cause is insufficient input sanitization and ou...

6.4CVSS6AI score0.00045EPSS

Exploits0References4

CVE•added 2026/03/21 3:26 a.m.•4 views

CVE-2026-4077

The CVE-2026-4077 entry concerns the WordPress plugin Ecover Builder For Dummies . It reports a Stored Cross‑Site Scripting (XSS) vulnerability in the id attribute of the ecover shortcode, affecting all versions up to 1.0. The root cause is insufficient input sanitization and output escaping for ...

6.4CVSS6AI score0.00054EPSS

Exploits0References7

Cvelist•added 2026/03/21 3:26 a.m.•27 views

CVE-2026-4077 Ecover Builder For Dummies <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute

The Ecover Builder For Dummies plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'ecover' shortcode in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping on the user-supplied 'id' shortcode...

6.4CVSS0.00054EPSS

Exploits0References7

CVE•added 2026/03/21 3:26 a.m.•2 views

CVE-2026-1854

CVE-2026-1854 concerns the WordPress Post Flagger plugin. A stored XSS vulnerability exists via the plugin’s 'flag' shortcode attribute in all versions up to and including 1.1 due to insufficient input sanitization and output escaping. The issue can be chained by an authenticated attacker with co...

6.4CVSS6AI score0.00045EPSS

Exploits0References4

Positive Technologies•added 2026/03/21 12:0 a.m.•0 views

PT-2026-26870

The Ad Short plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ad' shortcode's 'client' attribute in all versions up to and including 2.0.1. This is due to insufficient input sanitization and output escaping on the 'client' shortcode attribute. The ad func shortcode handl...

6.4CVSS6AI score0.00048EPSS

Exploits0References6

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by