WordPress plugin WPCS 代码注入漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A code injection...

WordPress WPCS – WordPress Currency Switcher Professional plugin <= 1.2.0.4 - Unauthenticated Arbitrary Shortcode Execution vulnerability

Unauthenticated Arbitrary Shortcode Execution vulnerability discovered by Arkadiusz Hydzik in WordPress Plugin WPCS versions = 1.2.0.4...

CVE-2025-1481

The Shortcode Cleaner Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the downloadbackup function in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...

CVE-2024-13895

The The Code Snippets CPT plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode. This makes it possible for...

CVE-2025-1325

The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to arbitrary shortcode execution due to a missing capability check on the 'rclpreviewpost' AJAX endpoint in all versions up to, and including, 16.26.10. This makes it possible for authenticated attackers, wi...

CVE-2025-1324

The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'public-form' shortcode in all versions up to, and including, 16.26.10 due to insufficient input sanitization and output escaping on user supplied attributes...

CVE-2025-1325

The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to arbitrary shortcode execution due to a missing capability check on the 'rclpreviewpost' AJAX endpoint in all versions up to, and including, 16.26.10. This makes it possible for authenticated attackers, wi...

CVE-2025-1322

The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 16.26.10 via the 'feed' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated...

CVE-2025-1325 WP-Recall – Registration, Profile, Commerce & More <= 16.26.10 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Exeuction

The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to arbitrary shortcode execution due to a missing capability check on the 'rclpreviewpost' AJAX endpoint in all versions up to, and including, 16.26.10. This makes it possible for authenticated attackers, wi...

CVE-2025-1325

CVE-2025-1325 affects the WordPress plugin WP-Recall – Registration, Profile, Commerce & More . The vulnerability arises from a missing capability check on the AJAX endpoint rcl_preview_post , enabling an authenticated attacker with at least Subscriber-level access to execute arbitrary shortcodes...

CVE-2025-1325 WP-Recall – Registration, Profile, Commerce & More <= 16.26.10 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Exeuction

The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to arbitrary shortcode execution due to a missing capability check on the 'rclpreviewpost' AJAX endpoint in all versions up to, and including, 16.26.10. This makes it possible for authenticated attackers, wi...

CVE-2025-1324 WP-Recall – Registration, Profile, Commerce & More <= 16.26.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'public-form' shortcode in all versions up to, and including, 16.26.10 due to insufficient input sanitization and output escaping on user supplied attributes...

WordPress WP-Recall plugin <= 16.26.10 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Exeuction vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Shortcode Exeuction vulnerability discovered by Krzysztof Zając in WordPress Plugin WP-Recall versions = 16.26.10...

WordPress WP-Recall plugin <= 16.26.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by Krzysztof Zając in WordPress Plugin WP-Recall versions = 16.26.10...

CVE-2025-1481

The Shortcode Cleaner Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the downloadbackup function in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...

CVE-2024-13895

The The Code Snippets CPT plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode. This makes it possible for...

CVE-2025-1481

The Shortcode Cleaner Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the downloadbackup function in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...

CVE-2024-13895

The The Code Snippets CPT plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode. This makes it possible for...

WordPress Shortcode Cleaner Lite plugin <= 1.0.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Export vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Options Export vulnerability discovered by Krzysztof Zając in WordPress Plugin Shortcode Cleaner Lite versions = 1.0.9...

CVE-2024-13895 Code Snippets CPT <= 2.1.0 - Authenticated (Subscriber+) Arbitrary Shortcode Execution

The The Code Snippets CPT plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode. This makes it possible for...