8980 matches found
CVE-2025-6941 LatePoint <= 5.1.94 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'latepointresources' shortcode in all versions up to, and including, 5.1.94 due to insufficient input sanitization and output escapin...
CVE-2025-6941
CVE-2025-6941 is a stored XSS in the WordPress plugin LatePoint (Calendar Booking Plugin for Appointments and Events). The issue arises from insufficient input sanitization/escaping in the id parameter of the latepoint_resources shortcode, affecting all versions up to and including 5.1.94. Exploi...
CVE-2025-10196
CVE-2025-10196 affects the Survey Anyplace WordPress plugin (versions
CVE-2025-10128
CVE-2025-10128 — Eulerpool Research Systems WordPress Plugin is affected by a stored cross-site scripting vulnerability in the plugin’s aaq shortcode. Reported across multiple sources, it affects all versions up to and including 4.0.1. The root cause is insufficient input sanitization and output ...
CVE-2025-10128 Eulerpool Research Systems <= 4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Eulerpool Research Systems plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'aaq' shortcode in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2025-10189
CVE-2025-10189: WordPress BP Direct Menus plugin (versions
CVE-2025-10189 BP Direct Menus <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
The BP Direct Menus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bpdmlogin' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2025-10168 Any News Ticker <= 3.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Any News Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'any-ticker' shortcode in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...
CVE-2025-10182
CVE-2025-10182: WordPress dbview plugin variants up to 0.5.5 exposed a Stored Cross-Site Scripting vulnerability in the dbview shortcode due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access or higher can inject scripts that run when use...
CVE-2025-10182 dbview <= 0.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
The dbview plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dbview' shortcode in all versions up to, and including, 0.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,...
CVE-2025-10191
CVE-2025-10191 concerns the WordPress plugin Big Post Shipping for WooCommerce. The vulnerability is a Stored Cross-Site Scripting (XSS) in the shortcode wooboigpost_shipping_status. Affected versions are up to 2.1.1 (Wordfence listing confirms patching in 2.1.2). The issue stems from insufficie...
CVE-2025-10191 Big Post Shipping for WooCommerce <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Big Post Shipping for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wooboigpostshippingstatus' shortcode in all versions up to, and including, 2.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This...
CVE-2025-8623
CVE-2025-8623: The WeedMaps Menu for WordPress plugin is vulnerable to Stored Cross-Site Scripting via the plugin’s weedmaps_menu shortcode in versions
CVE-2025-8623 WeedMaps Menu for WordPress <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via weedmaps_menu Shortcode
The WeedMaps Menu for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's weedmapsmenu shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2025-9852
CVE-2025-9852: Yoga Schedule Momoyoga WordPress plugin versions
CVE-2025-9852 Yoga Schedule Momoyoga <= 2.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Yoga Schedule Momoyoga plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'momoyoga-schedule' shortcode in all versions up to, and including, 2.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible fo...