8967 matches found
CVE-2025-11817 Simple Tableau Viz <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Simple Tableau Viz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tableau' shortcode in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2025-11819 WP-Thumbnail <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The WP-Thumbnail plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'roboshot' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2025-11867
CVE-2025-11867 corresponds to Bg Book Publisher for WordPress. The WordPress plugin is vulnerable to a Stored Cross-Site Scripting (XSS) via the post meta field book_author, which is rendered through the [book_author] shortcode. Affected versions are all versions up to and including 1.25. The vul...
CVE-2025-11819
CVE-2025-11819 affects the WordPress plugin WP-Thumbnail (versions
EUVD-2025-35334
The Bg Book Publisher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the bookauthor post meta, rendered through the bookauthor shortcode, in all versions up to, and including, 1.25. This is due to the plugin not properly escaping the meta value before output. This makes it...
CVE-2025-11866 Photographers galleries <= 1.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Photographers galleries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcode attributes w, h, rawcss, look, etc. in all versions up to, and including, 1.1.8. This is due to the plugin not properly sanitizing user input or escaping output when inserting thes...
EUVD-2025-35342
The Photographers galleries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcode attributes w, h, rawcss, look, etc. in all versions up to, and including, 1.1.8. This is due to the plugin not properly sanitizing user input or escaping output when inserting thes...
EUVD-2025-35330
The WP Restaurant Listings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' parameter of the restaurantsummary shortcode in all versions up to, and including, 1.0.2. This is due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2025-11866
The CVE-2025-11866 entry concerns the WordPress Photographers galleries plugin (versions
CVE-2025-11830 WP Restaurant Listings <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
The WP Restaurant Listings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' parameter of the restaurantsummary shortcode in all versions up to, and including, 1.0.2. This is due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2025-11830
CVE-2025-11830 affects the WordPress plugin WP Restaurant Listings (all versions
CVE-2025-11813
CVE-2025-11813 — WordPress Responsive iframe GoogleMap plugin is vulnerable to stored cross-site scripting via the shortcode responsive_map in versions ≤ 1.0.2. The issue stems from insufficient input sanitization and output escaping on the width and height attributes, enabling authenticated user...
CVE-2025-11880 SM CountDown Widget <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
The SM CountDown Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's smcountdown shortcode in versions less than, or equal to, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2025-11813 Responsive iframe GoogleMap <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Responsive iframe GoogleMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'responsivemap' shortcode in all versions up to, and including, 1.0.2. This is due to insufficient input sanitization and output escaping on the 'width' and 'height' attributes. This makes it...
CVE-2025-11880
The CVE-2025-11880 entry applies to the WordPress plugin SM CountDown Widget (shortcode: smcountdown). Affected versions are
CVE-2025-11811 Simple Youtube Shortcode <= 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Simple Youtube Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'embedyoutube' shortcode in all versions up to, and including, 1.1.3. This is due to insufficient input sanitization and output escaping on the 'id' attribute. This makes it possible for...
EUVD-2025-35343
The SM CountDown Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's smcountdown shortcode in versions less than, or equal to, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...