8984 matches found
CVE-2025-9874
CVE-2025-9874: The WordPress plugin Ultimate Classified Listings (versions up to and including 1.6) is affected by a Local File Inclusion vulnerability via the shortcode uclwp_dashboard. Authenticated attackers with Contributor-level access or higher can include and execute arbitrary PHP files o...
CVE-2025-9850 Evenium <= 1.3.11 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Evenium plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'eveniumsingleevent' shortcode in all versions up to, and including, 1.3.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticat...
CVE-2025-9850
The Evenium WordPress plugin (versions
CVE-2025-9861 ThemeLoom Widgets <= 1.8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
The ThemeLoom Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'losshowposts' shortcode in all versions up to, and including, 1.8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2025-8686 WP Easy FAQs <= 1.0.5 - Authenticated (Author+) Stored Cross-Site Scripting via WP_EASY_FAQ Shortcode
The WP Easy FAQs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's WP_EASY_FAQ shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2025-8686
CVE-2025-8686: The WordPress plugin WP Easy FAQs is vulnerable to Stored Cross-Site Scripting (Stored XSS) via the WP_EASY_FAQ shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. The flaw affects all ...
CVE-2025-8721
CVE-2025-8721 affects the WordPress plugin Workable API (wrapper-for-workable-api) up to version 1.0.4. The vulnerability is a Stored Cross-Site Scripting via the workable_jobs shortcode caused by insufficient input sanitization and output escaping on user-supplied attributes. Public sources (Wor...
CVE-2025-8721 Workable API <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via workable_jobs Shortcode
The Workable Api plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's workable_jobs shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2025-9489
The WP-Members Membership Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.5.4.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it...
WordPress plugin Evenium Cross-Site Scripting Vulnerability
The Evenium plugin is an event management tool for the WordPress platform for creating and integrating Evenium meeting management features. Evenium plugin version 1.3.11 and prior versions suffer from a stored XSS vulnerability that stems from insufficient filtering of shortcode user input...
PT-2025-37155
The Evenium plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'evenium single event' shortcode in all versions up to, and including, 1.3.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
PT-2025-37156
The Enhanced BibliPlug plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bibliplug authors' shortcode in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
PT-2025-37135
The WP Easy FAQs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's WP_EASY_FAQ shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
PT-2025-37139
The Workable Api plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's workable_jobs shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
PT-2025-37159
Name of the Vulnerable Software and Affected Versions: The Ultimate Classified Listings plugin for WordPress versions up to and including 1.6 Description: The Ultimate Classified Listings plugin for WordPress is susceptible to Local File Inclusion via the uclwp_dashboard shortcode. Authenticated...
PT-2025-37126
The azurecurve BBCode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'url' shortcode in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
PT-2025-37157
The Mixtape plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mixtape' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,...
VulnCheck KEV: CVE-2024-11740
The Download Manager plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.3.03. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for...
CVE-2025-7826
The Testimonial plugin for WordPress is vulnerable to SQL Injection via the 'iNICtestimonial' shortcode in all versions up to, and including, 2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...