8967 matches found
CVE-2025-11880 SM CountDown Widget <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
The SM CountDown Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's smcountdown shortcode in versions less than, or equal to, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2025-11810
CVE-2025-11810 affects the WordPress plugin Print Button Shortcode (
EUVD-2025-35331
The Print Button Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'print-button' shortcode in all versions up to, and including, 1.0.1. This is due to insufficient input sanitization and output escaping on the 'target' attribute. This makes it possible for...
CVE-2025-11810 Print Button Shortcode <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Print Button Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'print-button' shortcode in all versions up to, and including, 1.0.1. This is due to insufficient input sanitization and output escaping on the 'target' attribute. This makes it possible for...
CVE-2025-11818
The CVE-2025-11818 entry applies to the WordPress plugin WP Responsive Meet The Team, affected in versions up to 1.0.1. It describes a Stored Cross-Site Scripting (XSS) flaw via the wprm_team shortcode caused by insufficient input sanitization and output escaping. The vulnerability can be exploit...
CVE-2025-11810 Print Button Shortcode <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Print Button Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'print-button' shortcode in all versions up to, and including, 1.0.1. This is due to insufficient input sanitization and output escaping on the 'target' attribute. This makes it possible for...
CVE-2025-11818 WP Responsive Meet The Team <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The WP Responsive Meet The Team plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wprmteam' shortcode in all versions up to, and including, 1.0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
EUVD-2025-35349
The WP Responsive Meet The Team plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wprmteam' shortcode in all versions up to, and including, 1.0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2025-11818 WP Responsive Meet The Team <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The WP Responsive Meet The Team plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wprmteam' shortcode in all versions up to, and including, 1.0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2025-11807
CVE-2025-11807 — The Mixlr Shortcode WordPress plugin (versions up to and including 1.0.1) is vulnerable to Stored Cross-Site Scripting via the shortcodes using the url attribute. The issue arises from insufficient input sanitization and output escaping on the url attribute, enabling authenticate...
CVE-2025-11827 Oboxmedia Ads <= 1.9.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Oboxmedia Ads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'beforewidget' and 'afterwidget' parameters of the oboxads-ad-widget shortcode in all versions up to, and including, 1.9.8. This is due to insufficient input sanitization and output escaping. This makes it...
CVE-2025-11807 Mixlr Shortcode <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Mixlr Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mixlr' shortcode in all versions up to, and including, 1.0.1. This is due to insufficient input sanitization and output escaping on the 'url' attribute. This makes it possible for authenticated attacker...
CVE-2025-11807 Mixlr Shortcode <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Mixlr Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mixlr' shortcode in all versions up to, and including, 1.0.1. This is due to insufficient input sanitization and output escaping on the 'url' attribute. This makes it possible for authenticated attacker...
CVE-2025-10138
CVE-2025-10138 affects the WordPress plugin This-or-That (versions up to and including 1.0.4). It enables stored XSS via the plugin’s thisorthat shortcode due to insufficient input sanitization and output escaping of user-supplied attributes. Impact: authenticated attackers with contributor-level...
CVE-2025-10138 This-or-That by André Boekhorst <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
The This-or-That plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'thisorthat' shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2025-11827
CVE-2025-11827 : The Oboxmedia Ads WordPress plugin is vulnerable to Stored Cross-Site Scripting via the oboxads-ad-widget shortcode, specifically through the before_widget and after_widget parameters in versions up to and including 1.9.8. The issue arises from insufficient input sanitization and...
CVE-2025-11827 Oboxmedia Ads <= 1.9.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Oboxmedia Ads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'beforewidget' and 'afterwidget' parameters of the oboxads-ad-widget shortcode in all versions up to, and including, 1.9.8. This is due to insufficient input sanitization and output escaping. This makes it...
EUVD-2025-35346
The WP-Force Images Download plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpfid' shortcode in all versions up to, and including, 1.8. This is due to insufficient input sanitization and output escaping on the 'class' attribute. This makes it possible for authenticated...
CVE-2025-11878 ST Categories Widget <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
The ST Categories Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's st-categories shortcode in versions less than, or equal to, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2025-11809
CVE-2025-11809 refers to the WP-Force Images Download plugin for WordPress (versions up to 1.8). The issue is a Stored XSS via the wpfid shortcode caused by insufficient input sanitization/output escaping on the class attribute. Exploitation requires attacker with contributor+ privileges; the pay...