CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CNVD•added 2025/10/21 12:0 a.m.•3 views

WordPress Shortcode Button plugin cross-site scripting vulnerability

WordPress Shortcode Button plugin is a plugin or function to quickly insert buttons through a short code, mainly used to simplify the process of adding buttons to a page or post, support for custom styles and parameter settings. WordPress Shortcode Button plugin has a cross-site scripting...

6.4CVSS6.5AI score0.00265EPSS

CNVD•added 2025/10/21 12:0 a.m.•1 views

WordPress Digiseller plugin cross-site scripting vulnerability

WordPress Digiseller plugin is a plugin that is mainly used to help users integrate digital merchandising features in their websites. A cross-site scripting vulnerability exists in the WordPress Digiseller plugin, which stems from a lack of effective filtering and escaping of the ds shortcode, an...

6.4CVSS6.1AI score0.00274EPSS

RedhatCVE•added 2025/10/19 6:43 a.m.•7 views

CVE-2025-10006

The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'revslidervc' shortcode in all versions up to, and including, 8.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS4.9AI score0.00212EPSS

EUVD•added 2025/10/18 9:30 a.m.•5 views

EUVD-2025-34977

The Redirection for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's qsdate shortcode in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS4.7AI score0.00285EPSS

Exploits0References5

NVD•added 2025/10/18 7:15 a.m.•3 views

CVE-2025-9562

6.4CVSS0.00285EPSS

Vulnrichment•added 2025/10/18 6:42 a.m.•2 views

CVE-2025-9562 Redirection for Contact Form 7 <= 3.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via qs_date Shortcode

6.4CVSS4.7AI score0.00285EPSS

CVE•added 2025/10/18 6:42 a.m.•18 views

CVE-2025-9562

The CVE-2025-9562 entry covers the WordPress plugin Redirection for Contact Form 7 (wpcf7-redirect) with a Stored Cross-Site Scripting vulnerability in the qs_date shortcode. Affected versions: all up to and including 3.2.6. Root cause: insufficient input sanitization and output escaping on user-...

6.4CVSS4.7AI score0.00285EPSS

EUVD•added 2025/10/18 6:30 a.m.•2 views

EUVD-2025-34966

The XX2WP Integration Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mxpfb2wpdisplayembed' shortcode in all versions up to, and including, 1.9.9. This is due to the plugin not properly sanitizing user input and output of the 'postid' parameter. This makes it...

6.4CVSS4.7AI score0.00275EPSS

NVD•added 2025/10/18 6:15 a.m.•3 views

CVE-2025-11857

6.4CVSS0.00275EPSS

Exploits0References3

CVE•added 2025/10/18 5:41 a.m.•15 views

CVE-2025-11857

The CVE-2025-11857 entry pertains to the XX2WP Integration Tools WordPress plugin. Affected versions are all up to and including 1.9.9, with a Stored Cross-Site Scripting (Stored XSS) flaw in the mxp_fb2wp_display_embed shortcode caused by improper sanitization of the post_id parameter. This allo...

6.4CVSS4.8AI score0.00275EPSS

Exploits0References3

RedhatCVE•added 2025/10/16 8:33 a.m.•4 views

CVE-2025-10140

The Quick Social Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'quick-login' shortcode in all versions up to, and including, 1.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS5AI score0.00265EPSS

RedhatCVE•added 2025/10/16 8:33 a.m.•3 views

CVE-2025-10682

The TARIFFUXX plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.4. This is due to insufficient neutralization of user-supplied input used directly in SQL queries. This makes it possible for authenticated attackers, with Contributor-level access and above, to...

6.5CVSS6.5AI score0.0028EPSS

6.4CVSS5AI score0.00214EPSS

CVE-2025-10135

The WP ViewSTL plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'viewstl' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...

6.4CVSS5AI score0.00214EPSS

CVE-2025-10132

The Dhivehi Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dhivehi' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.5CVSS6.6AI score0.00252EPSS

CVE-2025-10730

The Wp tabber widget plugin for WordPress is vulnerable to SQL Injection via the 'wp-tabber-widget' shortcode in all versions up to, and including, 4.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible...

6.4CVSS6.1AI score0.00274EPSS

CVE-2025-10141

The Digiseller plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ds' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, wi...

6.4CVSS5AI score0.00265EPSS

CVE-2025-10194

The Shortcode Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...