PT-2025-38098

Name of the Vulnerable Software and Affected Versions: Social Media Shortcodes plugin for WordPress versions up to and including 1.3.1 Description: The Social Media Shortcodes plugin for WordPress is susceptible to Stored Cross-Site Scripting through the plugin’s twitter shortcode. Insufficient...

WordPress plugin Catch Dark Mode 安全漏洞

WordPress Catch Dark Mode plugin is an official plugin for enabling dark mode in WordPress websites, offering a wide range of customization options and pre-built theme solutions. The WordPress Catch Dark Mode plugin suffers from a file inclusion vulnerability that stems from a local file inclusio...

PT-2025-38103

Name of the Vulnerable Software and Affected Versions: Appointmind plugin for WordPress versions up to and including 4.1.0 Description: The Appointmind plugin for WordPress is susceptible to Stored Cross-Site Scripting through the appointmind calendar shortcode. Insufficient input sanitization an...

PT-2025-38124

Name of the Vulnerable Software and Affected Versions: Blocksy Companion plugin for WordPress versions up to and including 2.1.10 Description: The Blocksy Companion plugin for WordPress is susceptible to Stored Cross-Site Scripting through the blocksy newsletter subscribe shortcode. Insufficient...

PT-2025-38097

Name of the Vulnerable Software and Affected Versions: Catch Dark Mode plugin for WordPress versions up to and including 2.0 Description: The Catch Dark Mode plugin for WordPress is susceptible to a Local File Inclusion issue via the catch dark mode shortcode. This allows authenticated attackers...

CVE-2025-9879

The Spotify Embed Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spotify' shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2025-9877

The Embed Google Datastudio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'egds' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2025-9861

The ThemeLoom Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'losshowposts' shortcode in all versions up to, and including, 1.8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2025-9860

The Mixtape plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mixtape' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,...

CVE-2025-9855

The Enhanced BibliPlug plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bibliplugauthors' shortcode in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2025-9850

The Evenium plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'eveniumsingleevent' shortcode in all versions up to, and including, 1.3.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticat...

CVE-2025-8721

The Workable Api plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's workablejobs shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-8398

The azurecurve BBCode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'url' shortcode in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-9857

The Heateor Login – Social Login Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'HeateorFacebookLogin' shortcode in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This make...

CVE-2025-10126

The MyBrain Utilities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugins's 'mbumap' shortcode in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-9879

The Spotify Embed Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spotify' shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2025-9877

The Embed Google Datastudio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'egds' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2025-9877

The CVE-2025-9877 entry concerns the WordPress plugin Embed Google Datastudio. It describes a Stored Cross-Site Scripting (XSS) vulnerability in the egds shortcode across all versions up to 1.0.0, caused by insufficient input sanitization and output escaping of user-supplied attributes. The impac...

CVE-2025-9877 Embed Google Datastudio <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Embed Google Datastudio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'egds' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2025-9877 Embed Google Datastudio <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Embed Google Datastudio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'egds' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...