PT-2025-7324 · WordPress · Ultraembed – Advanced Iframe Plugin For Wordpress

Name of the Vulnerable Software and Affected Versions: The UltraEmbed – Advanced Iframe Plugin For WordPress with Gutenberg Block Included versions up to, and including, 1.0.3 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'iframe' shortcode due to insufficient...

PT-2025-7348 · WordPress · Adfo

Name of the Vulnerable Software and Affected Versions: ADFO – Custom data in admin dashboard plugin for WordPress versions up to, and including, 1.9.1 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'adfo list' shortcode due to insufficient input sanitization and...

PT-2025-7325 · WordPress · Umich Oidc Login

Name of the Vulnerable Software and Affected Versions: UMich OIDC Login plugin for WordPress versions up to, and including, 1.2.0 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'umich oidc button' shortcode due to insufficient input sanitization and output...

PT-2025-7374 · WordPress · Store Locator Widget

Name of the Vulnerable Software and Affected Versions: Store Locator Widget plugin for WordPress versions up to, and including, 20200131 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'storelocatorwidget' shortcode due to insufficient input sanitization and outp...

PT-2025-7380 · WordPress · Widget Buy.Box

Name of the Vulnerable Software and Affected Versions: Widget BUY.BOX plugin for WordPress versions up to, and including, 3.1.5 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'buybox-widget' shortcode due to insufficient input sanitization and output escaping on...

WordPress Education Addon for Elementor plugin <= 1.3.1 - Authenticated (Contributor+) Insecure Direct Object Reference via naedu_elementor_template Shortcode vulnerability

Authenticated Contributor+ Insecure Direct Object Reference via naeduelementortemplate Shortcode vulnerability discovered by Francesco Carlucci in WordPress Plugin Education Addon for Elementor versions = 1.3.1...

CVE-2024-13743 Wonder Video Embed <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Wonder Video Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wonderpluginvideo shortcode in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2024-13689

The Uncode Core plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.9.1.6. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode. This makes it possible for...

CVE-2024-13689 Uncode Core <= 2.9.1.6 - Authenticated (Subscriber+) Arbitrary Shortcode Execution in uncode_get_medias

The Uncode Core plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.9.1.6. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode. This makes it possible for...

CVE-2024-13689

CVE-2024-13689 affects the Uncode Core WordPress plugin. Public details from Wordfence indicate the vulnerability is in Uncode Core

CVE-2024-13689 Uncode Core <= 2.9.1.6 - Authenticated (Subscriber+) Arbitrary Shortcode Execution in uncode_get_medias

The Uncode Core plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.9.1.6. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode. This makes it possible for...

CVE-2024-13797

The PressMart - Modern Elementor WooCommerce WordPress Theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.16. This is due to the software allowing users to execute an action that does not properly validate a value before running...

CVE-2024-13797

The PressMart - Modern Elementor WooCommerce WordPress Theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.16. This is due to the software allowing users to execute an action that does not properly validate a value before running...

CVE-2024-13797 PressMart - Modern Elementor WooCommerce WordPress Theme <= 1.2.16 - Unauthenticated Arbitrary Shortcode Execution

The PressMart - Modern Elementor WooCommerce WordPress Theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.16. This is due to the software allowing users to execute an action that does not properly validate a value before running...

CVE-2024-13797

CVE-2024-13797 refers to thePressMart theme for WordPress (Elementor/WooCommerce) where an unauthenticated user can trigger arbitrary shortcode execution due to improper validation before do_shortcode. Affected versions: up to 1.2.16. Impact per the document: arbitrary shortcode execution, enabli...

CVE-2024-13797 PressMart - Modern Elementor WooCommerce WordPress Theme <= 1.2.16 - Unauthenticated Arbitrary Shortcode Execution

The PressMart - Modern Elementor WooCommerce WordPress Theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.16. This is due to the software allowing users to execute an action that does not properly validate a value before running...

WordPress Wonder Video Embed plugin <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by Krzysztof Zając in WordPress Plugin Wonder Video Embed versions = 2.2...

CVE-2024-13395

The Threepress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'threepress' shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2024-13575

The Web Stories Enhancer – Level Up Your Web Stories plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'webstoriesenhancer' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes...

CVE-2025-0805

The Mortgage Calculator / Loan Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mlcalc' shortcode in all versions up to, and including, 1.5.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possib...