WordPress Philantro plugin <= 5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via donate Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via donate Shortcode vulnerability discovered by SOPROBRO in WordPress Plugin Philantro versions <= 5.3...
PT-2025-2207 · WordPress · The Philantro – Donations/Donor Management
Name of the Vulnerable Software and Affected Versions: The Philantro – Donations and Donor Management plugin for WordPress versions up to, and including, 5.3 Description: The issue is related to Stored Cross-Site Scripting via the plugin's shortcodes, such as donate, due to insufficient input...
WordPress ThemeREX Addons plugin <= 2.33.0 - Authenticated (Contributor+) Local File Inclusion via Shortcode vulnerability
Authenticated (Contributor+) Local File Inclusion via Shortcode vulnerability discovered by István Márton in WordPress Plugin ThemeREX Addons versions <= 2.33.0...
CVE-2024-10633
The Quiz Maker Business, Developer, and Agency plugins for WordPress are vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.8.0 Business, up to, and including, 21.8.0 Developer, and up to, and including, 31.8.0 Agency. This is due to the software allowing users to...
CVE-2024-10633 Quiz Maker Business, Developer, and Agency <= (Multiple Versions) - Unauthenticated Arbitrary Shortcode Execution via content
The Quiz Maker Business, Developer, and Agency plugins for WordPress are vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.8.0 Business, up to, and including, 21.8.0 Developer, and up to, and including, 31.8.0 Agency. This is due to the software allowing users to...
CVE-2024-10633
CVE-2024-10633 affects the Quiz Maker Business, Developer, and Agency WordPress plugins. The vulnerability arises from improper validation before do_shortcode, enabling unauthenticated users to execute arbitrary shortcodes. Impact is characterized as arbitrary shortcode execution with network-acc...
WordPress plugin Quiz Maker Business, Developer, and Agency security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...
CVE-2024-13586
The Masy Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'justified-gallery' shortcode in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2024-13551
The ABC Notation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'abcjs' shortcode in all versions up to, and including, 6.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2024-13458
The WordPress SEO Friendly Accordion FAQ with AI assisted content generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'noticefaq' shortcode in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user...
CVE-2024-13550
The ABC Notation plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.1.3 via the 'file' attribute of the 'abcjs' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files...
CVE-2024-13548 Power Ups for Elementor <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Power Ups for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'magic-button' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
PT-2025-2181 · WordPress · Wordpress Seo Friendly Accordion Faq
Name of the Vulnerable Software and Affected Versions: WordPress SEO Friendly Accordion FAQ with AI assisted content generation plugin versions up to, and including, 2.2.1 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'noticefaq' shortcode due to insufficient...
PT-2025-2217 · WordPress · Abc Notation
Name of the Vulnerable Software and Affected Versions: ABC Notation plugin for WordPress versions up to, and including, 6.1.3 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'abcjs' shortcode due to insufficient input sanitization and output escaping on...
PT-2025-1956 · WordPress · Etsy Importer
Name of the Vulnerable Software and Affected Versions: Etsy Importer plugin for WordPress versions up to, and including, 1.4.2 Description: The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on user-supplied attributes in the product lin...
PT-2025-2214 · WordPress · Power Ups For Elementor
Name of the Vulnerable Software and Affected Versions: Power Ups for Elementor plugin for WordPress versions up to, and including, 1.2.2 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'magic-button' shortcode due to insufficient input sanitization and output...
CVE-2025-24687
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lars Wallenborn Show/Hide Shortcode showhide-shortcode allows Stored XSS. This issue affects Show/Hide Shortcode: from n/a through <= 1.0.0...
CVE-2025-24636
Cross-Site Request Forgery (CSRF) vulnerability in Rick Laymance MachForm Shortcode machform-shortcode allows Stored XSS. This issue affects MachForm Shortcode: from n/a through <= 1.4.1...
CVE-2025-24687 WordPress Show/Hide Shortcode plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lars Wallenborn Show/Hide Shortcode showhide-shortcode allows Stored XSS. This issue affects Show/Hide Shortcode: from n/a through <= 1.0.0...